Make WordPress Core

Opened 6 years ago

Last modified 3 years ago

#45168 new defect (bug)

Additional CSS complains of markup inside CSS comments

Reported by: useStrict
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 4.7
Component: Customize
Keywords: needs-patch
Focuses:
Cc:

Description

When adding CSS to a site via Appearance > Customize > Additional CSS, the syntax validator will complain if it finds markup regardless of it being inside a /* */ comment.

Steps to replicate:

  1. Go to Admin > Appearance > Customize > Additional CSS
  2. Add a comment with some markup in it

     /* this is <a> markup test */

  3. Hit Publish
  4. See attached error message - but note that no indicator as to what line contains the markup appears.

The only workaround is to remove the markup from the comment.

Ideally the syntax validator should not care about anything in CSS comment blocks.

Attachments (1)

Screenshot 2018-10-24 16.16.17.png (24.3 KB) - added by useStrict 6 years ago.
Error message regarding markup inside CSS comment


Change History (5)

@useStrict
6 years ago

Error message regarding markup inside CSS comment

#1 @SergeyBiryukov
6 years ago

  • Component changed from General to Customize

#2 @dlh
5 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from 4.9.8 to 4.7

#3 @sabernhardt
4 years ago

Most of the PHP validation for Additional CSS was replaced in [41376], but the check for the existence of an HTML tag (pattern) is still there.
https://core.trac.wordpress.org/browser/tags/5.5/src/wp-includes/customize/class-wp-customize-custom-css-setting.php#L162

If keeping the tag check in PHP, it would need to make sure all matches to that pattern are not inside comments to pass the validation.

Technically, though, there are workarounds. Currently acceptable methods include adding a space after the first angle bracket or replacing the angle brackets with Markdown-style inline code syntax.

/* comment with < a > tag */
/* comment with `a` tag */
Last edited 4 years ago by sabernhardt

#4 @celloexpressions
3 years ago

The HTML validation is in place for security reasons (at least originally). I believe the primary It might be possible to allow it when specifically scoped within comments, as long as there's a secure way to enforce that check.
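
Comments 3 and 4 ask for a tag check that skips CSS comments yet can still be enforced securely; the PHP below is an added example of one way to do that, not WordPress core code and not code from anyone on this ticket. It assumes the existing check is a pattern like `#</?\w+#` and that the saved CSS is later printed inside a `<style>` element; the names `EXAMPLE_TAG_PATTERN` and `example_check_css_markup` are hypothetical.

```php
<?php
// Added example: hypothetical helper, not WordPress core code.
// Assumed shape of the existing tag check; the ticket does not quote it.
const EXAMPLE_TAG_PATTERN = '#</?\w+#';

// Returns an error string, or null when the CSS passes.
function example_check_css_markup( string $css ): ?string {
    $outside = ''; // CSS text with comments removed
    $len     = strlen( $css );
    $i       = 0;
    while ( $i < $len ) {
        $ch = $css[ $i ];
        if ( '"' === $ch || "'" === $ch ) {
            // Copy a quoted string whole so "/*" inside it is not a comment.
            $j = $i + 1;
            while ( $j < $len && $css[ $j ] !== $ch ) {
                $j += ( '\\' === $css[ $j ] ) ? 2 : 1;
            }
            $outside .= substr( $css, $i, $j - $i + 1 );
            $i        = $j + 1;
        } elseif ( '/*' === substr( $css, $i, 2 ) ) {
            $end = strpos( $css, '*/', $i + 2 );
            if ( false === $end ) {
                return 'unterminated comment'; // fail closed
            }
            // An HTML parser does not know CSS comments, so text that would
            // close the assumed <style> wrapper is rejected even here.
            if ( false !== stripos( substr( $css, $i, $end - $i ), '</style' ) ) {
                return 'closing style tag inside comment';
            }
            $outside .= ' ';
            $i        = $end + 2;
        } else {
            $outside .= $ch;
            $i++;
        }
    }
    return preg_match( EXAMPLE_TAG_PATTERN, $outside ) ? 'markup outside comments' : null;
}

// Constructed sample inputs, one per branch.
foreach ( array(
    '/* this is <a> markup test */ a { color: red; }',
    'a::after { content: "/*"; } <b> /* x */',
    '/* </STYLE> */',
    'p { margin: 0; } /* <a> never closed',
) as $sample ) {
    var_dump( example_check_css_markup( $sample ) );
}
```

String contents stay in the strictly checked text, so where this scanner and a browser's CSS parser disagree about a string boundary, the result errs toward rejection.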
