Opened 12 months ago

Closed 3 months ago

Last modified 8 weeks ago

#39218 closed defect (bug) (fixed)

Customize: Harden validation of CSS syntax validity by utilizing tokenizer

Reported by: westonruter
Owned by:
Milestone: 4.9
Priority: normal
Severity: normal
Version: 4.7
Component: Customize
Keywords:
Focuses:
Cc:

Description

There is a todo comment in WP_Customize_Custom_CSS::validate() setting to implement this:

There are cases where valid CSS can be incorrectly marked as invalid when strings or comments include balancing characters. To fix, CSS tokenization needs to be used.

The current approach to validating syntax via regular expressions is too naïve.

See #39198.

Change History (10)

#1 @westonruter
12 months ago

In 39559:

Customize: Prevent single quotes (apostrophes) in custom_css values from unexpectedly causing false positives for unbalanced character validation errors.

See #39218, #35395.
Fixes #39198.

#2 @dd32
12 months ago

In 39567:

Customize: Prevent single quotes (apostrophes) in custom_css values from unexpectedly causing false positives for unbalanced character validation errors.

Props westonruter.
See #39218, #35395.
Merges [39559] to the 4.7 branch.
Fixes #39198.

#3 @westonruter
11 months ago

#39728 was marked as a duplicate.

#4 @westonruter
11 months ago

I think that once a proper syntax-highlighting code editor is added for custom CSS (in #38707) this will eliminate the need for having server-side validation and we can eliminate it entirely. Thus, once #38707 is closed this ticket should be resolved as wontfix, or it should be changed to remove the current validation logic.

#5 @westonruter
7 months ago

  • Milestone changed from 4.8 to 4.8.1

Punting due to #38707 being punted.

#6 @Presskopp
7 months ago

I just noticed that this will be parsed ok:

[all}is)fine]here{or(not?

We could check if the latest parenthesis of a kind is an opening one (or the first one is a closing one).

#7 @westonruter
7 months ago

@Presskopp yes, hence the need for a tokenizer that then feeds into a parser which can then count the number of such braces and ensure they are coming in the expected order.
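An added illustration of the point made in the description and in comment #7 (example code, not WordPress core's own): a count-only check, in the spirit of the original approach, beside a stack-based check that consumes strings and comments as single tokens and verifies closing order. The function names and the sample inputs are constructed here.

```php
<?php
// Added example (not WordPress core code): a stack-based balance check that
// skips string literals and comments, beside the count-only check it replaces.
// Count-only check, in the spirit of the original regex approach: it cannot
// see that a brace inside a string is not a brace, nor check ordering.
function naive_is_balanced( $css ) {
	foreach ( array( '{' => '}', '(' => ')', '[' => ']' ) as $open => $close ) {
		if ( substr_count( $css, $open ) !== substr_count( $css, $close ) ) {
			return false;
		}
	}
	return true;
}

// Tokenizer-aware check: comments and strings are skipped as single tokens,
// and each closing bracket must match the most recently opened one.
function tokenized_is_balanced( $css ) {
	$pairs = array( '}' => '{', ')' => '(', ']' => '[' );
	$stack = array();
	$len   = strlen( $css );
	for ( $i = 0; $i < $len; $i++ ) {
		$c = $css[ $i ];
		if ( '/' === $c && $i + 1 < $len && '*' === $css[ $i + 1 ] ) {
			// Skip past "*/"; an unterminated comment runs to end of input.
			$end = strpos( $css, '*/', $i + 2 );
			$i   = ( false === $end ) ? $len : $end + 1;
		} elseif ( '"' === $c || "'" === $c ) {
			// Skip to the matching quote, honouring backslash escapes.
			for ( $i++; $i < $len && $css[ $i ] !== $c; $i++ ) {
				if ( '\\' === $css[ $i ] ) {
					$i++;
				}
			}
		} elseif ( isset( $pairs[ $c ] ) ) {
			if ( array_pop( $stack ) !== $pairs[ $c ] ) {
				return false; // Closing bracket out of order or never opened.
			}
		} elseif ( in_array( $c, $pairs, true ) ) {
			$stack[] = $c;
		}
	}
	return empty( $stack );
}

// Constructed inputs: the first is valid CSS that the count-only check
// rejects, the second is Presskopp's string, which it wrongly accepts.
foreach ( array( "a::before { content: '}'; } /* ( */", '[all}is)fine]here{or(not?' ) as $css ) {
	printf( "%-40s naive=%d tokenized=%d\n", $css, naive_is_balanced( $css ), tokenized_is_balanced( $css ) );
}
```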

#8 @westonruter
6 months ago

  • Milestone changed from 4.8.1 to 4.9

#9 @westonruter
3 months ago

  • Resolution set to fixed
  • Status changed from new to closed

This is now fixed by virtue of removing the character balancing from the server entirely, in favor of using CSSLint in the browser via CodeMirror. See #12423.

#10 @jbpaul17
8 weeks ago

  • Keywords needs-patch removed