55748dbc55
This change enables "var(--my-var)" to pass through the style sanitizer. After consulation with our security team, allowing these doesn't create new attack vectors, so the sanitizer doesn't need to strip them. Fixes parts of #23485 related to the sanitizer, other use cases discussed there related to binding have been addressed via other changes to the class and style handling in the runtime. Closes #23485 PR Close #33841