Changeset 61527 for trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php

Timestamp:

01/26/2026 03:17:00 PM (5 months ago)

Author:

jonsurrell

Message:

Customize: Allow arbitrary custom CSS.

Update custom CSS validation to allow any CSS except STYLE close tags. Previously, some valid CSS would be rejected for containing HTML syntax characters, like this example:

@property --animate {
  syntax: "<custom-ident>"; /* <-- Validation error on `<` */
  inherits: true;
  initial-value: false;
}

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10667.

Follow-up to [61418], [61486].

Props jonsurrell, westonruter, peterwilsoncc, johnbillion, xknown, sabernhardt, dmsnell, soyebsalar01, dlh.
Fixes #64418.

File:

• trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php (modified) (2 diffs)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php

@@ -674 +674 @@
      *              either through a STYLE end tag or a prefix of one which might become a
      *              full end tag when combined with the contents of other styles.
+     *
+     * @see WP_Customize_Custom_CSS_Setting::validate()
      *
      * @param string $css CSS to validate.
@@ -708 +710 @@
              * when analyzed on their own. The first style was likely the result of
              * improper truncation, while the second is perfectly sound. It was only
-             * through concatenation that these two scripts combined to form content
+             * through concatenation that these two styles combined to form content
              * that would have broken out of the containing STYLE element, thus
              * corrupting the page and potentially introducing security issues.