WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

KSES: Allow `min()`, `max()`, `minmax()`, and `clamp()` values to be used in inline CSS. 

Additionally, this commit updates `safecss_filter_attr()` to add support for nested `var()` functions, so that a fallback value can be another CSS variable.

Follow-up to [50923].

Props johnregan3, noisysocks, cbravobernal, uxl, isabel_brison, andrewserong, ramonopoly, joyously, bernhard-reiter, peterwilsoncc.
Fixes #55966.
Built from https://develop.svn.wordpress.org/trunk@54100


git-svn-id: http://core.svn.wordpress.org/trunk@53659 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Sergey Biryukov 2022-09-08 13:26:14 +00:00
parent 6542de4220
commit b65fba9742
2 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
wp-includes/kses.php
View File

@ -2228,6 +2228,8 @@ function kses_init() {
* @since 5.3.1 Added support for gradient backgrounds.
* @since 5.7.1 Added support for `object-position`.
* @since 5.8.0 Added support for `calc()` and `var()` values.
* @since 6.1.0 Added support for `min()`, `max()`, `minmax()`, `clamp()`,
* and nested `var()` values.
*
* @param string $css A string of CSS rules.
* @param string $deprecated Not used.
@ -2467,13 +2469,20 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
}
if ( $found ) {
// Allow CSS calc().
$css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
// Allow CSS var().
$css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
/*
* Allow CSS functions like var(), calc(), etc. by removing them from the test string.
* Nested functions and parentheses are also removed, so long as the parentheses are balanced.
*/
$css_test_string = preg_replace(
'/\b(?:var|calc|min|max|minmax|clamp)(\((?:[^()]|(?1))*\))/',
'',
$css_test_string
);
// Check for any CSS containing \ ( & } = or comments,
// except for url(), calc(), or var() usage checked above.
/*
* Disallow CSS containing \ ( & } = or comments, except for within url(), var(), calc(), etc.
* which were removed from the test string above.
*/
$allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
/**

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.1-alpha-54099';
$wp_version = '6.1-alpha-54100';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.