
Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#39218 closed defect (bug) (fixed)

Customize: Harden validation of CSS syntax validity by utilizing tokenizer

Reported by: westonruter
Owned by:
Milestone: 4.9
Priority: normal
Severity: normal
Version: 4.7
Component: Customize
Keywords:
Focuses:
Cc:
PR Number:

Description

There is a todo comment in WP_Customize_Custom_CSS::validate() setting to implement this:

There are cases where valid CSS can be incorrectly marked as invalid when strings or comments include balancing characters. To fix, CSS tokenization needs to be used.

The current approach to validating syntax via regular expressions is too naïve.

See #39198.

Change History (10)

#1 @westonruter
3 years ago

In 39559:

Customize: Prevent single quotes (apostrophes) in custom_css values from unexpectedly causing false positives for unbalanced character validation errors.

See #39218, #35395.
Fixes #39198.

#2 @dd32
3 years ago

In 39567:

Customize: Prevent single quotes (apostrophes) in custom_css values from unexpectedly causing false positives for unbalanced character validation errors.

Props westonruter.
See #39218, #35395.
Merges [39559] to the 4.7 branch.
Fixes #39198.

#3 @westonruter
3 years ago

#39728 was marked as a duplicate.

#4 @westonruter
3 years ago

I think that once a proper syntax-highlighting code editor is added for custom CSS (in #38707) this will eliminate the need for having server-side validation and we can eliminate it entirely. Thus, once #38707 is closed, this ticket should be resolved as wontfix, or it should be changed to remove the current validation logic.

#5 @westonruter
3 years ago

  • Milestone changed from 4.8 to 4.8.1

Punting due to #38707 being punted.

#6 @Presskopp
3 years ago

I just noticed that this will be parsed ok:

[all}is)fine]here{or(not?

We could check if the last parenthesis of a kind is an opening one (or the first one is a closing one).

#7 @westonruter
3 years ago

@Presskopp yes, hence the need for a tokenizer that then feeds into a parser which can then count the number of such braces and ensure they are coming in the expected order.
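The two failure modes discussed above (strings or comments containing balancing characters, and the out-of-order case `[all}is)fine]here{or(not?`), as an added example that is not WordPress core code. It is written in Python rather than the PHP of `WP_Customize_Custom_CSS::validate()`, and the count-only check is a reconstruction in the spirit of the 4.7 approach, not the actual regex. The tokenizer skips `/* */` comments and quoted strings so their contents do not count, and a stack enforces nesting order instead of comparing totals.

```python
"""Added example: count-only CSS balance check versus a tokenizer-fed stack check.

Not WordPress core code. Function names (naive_is_balanced, tokenize_css,
validate_css) and the sample inputs are constructed for illustration.
"""

PAIRS = {"{": "}", "[": "]", "(": ")"}
CLOSERS = {closer: opener for opener, closer in PAIRS.items()}


def naive_is_balanced(css: str) -> bool:
    """Count-only check, modelled on the pre-4.9 idea: compare totals of each
    opener/closer and require an even number of quote characters. It never
    looks at where a character sits, so strings, comments and ordering fool it."""
    for opener, closer in PAIRS.items():
        if css.count(opener) != css.count(closer):
            return False
    return css.count('"') % 2 == 0 and css.count("'") % 2 == 0


def tokenize_css(css: str):
    """Yield (kind, text) tokens: 'comment', 'string', 'open', 'close', 'other'.
    A single ('error', message) token is yielded for an unterminated comment or
    string, since those are themselves syntax errors worth reporting."""
    i, n = 0, len(css)
    while i < n:
        c = css[i]
        if css.startswith("/*", i):
            end = css.find("*/", i + 2)
            if end < 0:
                yield ("error", "unterminated comment")
                return
            yield ("comment", css[i:end + 2])
            i = end + 2
        elif c in "\"'":
            j = i + 1
            # Stop at the matching quote or a raw newline (CSS "bad string");
            # a backslash escapes the next character, including a quote.
            while j < n and css[j] not in (c, "\n"):
                j += 2 if css[j] == "\\" else 1
            if j >= n or css[j] != c:
                yield ("error", "unterminated string")
                return
            yield ("string", css[i:j + 1])
            i = j + 1
        elif c in PAIRS:
            yield ("open", c)
            i += 1
        elif c in CLOSERS:
            yield ("close", c)
            i += 1
        else:
            yield ("other", c)
            i += 1


def validate_css(css: str):
    """Return None when brackets are balanced and correctly nested, otherwise a
    short message. Only 'open'/'close' tokens outside strings and comments are
    considered, and a stack makes order matter, not just counts."""
    stack = []
    for kind, text in tokenize_css(css):
        if kind == "error":
            return text
        if kind == "open":
            stack.append(text)
        elif kind == "close":
            if not stack or PAIRS[stack[-1]] != text:
                return f"unexpected '{text}'"
            stack.pop()
    if stack:
        return f"unclosed '{stack[-1]}'"
    return None


if __name__ == "__main__":
    # Constructed samples: the first two are valid CSS the count-only check
    # rejects; the third is the invalid input from this ticket that it accepts.
    for sample in ('a::before { content: "}"; }',
                   "/* don't */ a { color: red }",
                   "[all}is)fine]here{or(not?",
                   "a { color: red"):
        print(repr(sample), "naive:", naive_is_balanced(sample),
              "tokenized:", validate_css(sample))
```

The tokenizer deliberately stops at the first unterminated string or comment rather than guessing where it ends; a real CSS parser recovers from a bad string at the newline, but for a validator that only has to accept or reject, failing closed is the safer choice.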

#8 @westonruter
3 years ago

  • Milestone changed from 4.8.1 to 4.9

#9 @westonruter
2 years ago

  • Resolution set to fixed
  • Status changed from new to closed

This is now fixed by virtue of removing the character balancing from the server entirely, in favor of using CSSLint in the browser via CodeMirror. See #12423.

#10 @jbpaul17
2 years ago

  • Keywords needs-patch removed