KSES: Allow `calc()` and `var()` values to be used in inline CSS.

Props aristath, displaynone, joyously, olafklejnstrupjensen, sabernhardt, jamesbonham, poena.
Fixes #46197, #46498.
Built from https://develop.svn.wordpress.org/trunk@50923


git-svn-id: http://core.svn.wordpress.org/trunk@50532 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/kses.php

@@ -2172,6 +2172,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 	 *              Extend `background-*` support of individual properties.
 	 * @since 5.3.1 Added support for gradient backgrounds.
 	 * @since 5.7.1 Added support for `object-position`.
+	 * @since 5.8.0 Added support for `calc()` and `var()` values.
 	 *
 	 * @param string[] $attr Array of allowed CSS attributes.
 	 */
@@ -2381,7 +2382,13 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 		}
 
 		if ( $found ) {
-			// Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
+			// Allow CSS calc().
+			$css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
+			// Allow CSS var().
+			$css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
+
+			// Check for any CSS containing \ ( & } = or comments,
+			// except for url(), calc(), or var() usage checked above.
 			$allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
 
 			/**

wp-includes/version.php

@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.8-alpha-50922';
+$wp_version = '5.8-alpha-50923';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.