[wp-trac] [WordPress Trac] #64418: Valid CSS is causing failure in the Additional CSS panel

WordPress Trac noreply at wordpress.org
Mon Dec 29 15:48:04 UTC 2025


#64418: Valid CSS is causing failure in the Additional CSS panel
-------------------------------------------------+-------------------------
 Reporter:  drw158                               |       Owner:  jonsurrell
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  normal                               |   Milestone:  7.0
Component:  Customize                            |     Version:  4.7
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests dev-        |     Focuses:  css
  feedback                                       |
-------------------------------------------------+-------------------------
Changes (by jonsurrell):

 * keywords:  has-patch has-unit-tests => has-patch has-unit-tests dev-
     feedback


Comment:

 I've attached 3 PRs to address this. I've chosen to allow any arbitrary
 CSS because the HTML API makes it safe to do so. Another option is to
 reject `</style` in the CSS content. The only reason to do that is in case
 extenders are retrieving the custom CSS and dangerously printing it in
 HTML.

 [https://github.com/WordPress/wordpress-develop/pull/10656 Use HTML API to
 generate <style> tags]: The HTML API will produce safe HTML by escaping
 `STYLE` tag contents as needed. This makes it simple to relax other
 arbitrary restrictions on the CSS content.

 [https://github.com/WordPress/wordpress-develop/pull/10641 Global Styles:
 Allow arbitrary CSS, protect from KSES mangling] removes the arbitrary CSS
 restrictions, allowing ''any'' arbitrary CSS. The CSS is stored as JSON in
 post content. Problematic HTML characters `<>&` are escaped in the JSON to
 prevent confusion and mangling by post filters like KSES.

 [https://github.com/WordPress/wordpress-develop/pull/10667 Customizer:
 Allow arbitrary custom CSS] is similar but for the customizer. The data is
 not JSON encoded, so the problematic KSES filters are removed before
 updating or inserting the `custom_css` post.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64418#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
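The following PHP is an added illustration of the two handling options the comment weighs (rejecting `</style` versus escaping the element's content) and of the JSON escaping of `<>&`; it is not code from the three PRs or from the WordPress HTML API, and the function names, the `id` attribute and the sample CSS are this example's own assumptions. The `</` to `<\/` replacement is one escaping strategy chosen for the example, not a claim about what the HTML API does internally.

```php
<?php
// Added illustration, not code from the WordPress PRs discussed in the ticket.
// Demonstrates why "valid CSS can contain </style" and two ways to handle it.

/**
 * Would this raw text end a <style> element early if printed verbatim?
 *
 * The HTML tokenizer leaves the RAWTEXT state on "</style" (case-insensitive)
 * followed by whitespace, "/" or ">". Everything after that is parsed as
 * HTML again, which is the hazard of "dangerously printing" custom CSS.
 */
function css_would_terminate_style_element( string $css ): bool {
	return 1 === preg_match( '~</style[\s/>]~i', $css );
}

/**
 * Option A (reject): refuse CSS that contains "</style".
 * Simple, but it also rejects perfectly valid CSS such as content: "</style>".
 */
function reject_unsafe_custom_css( string $css ): ?string {
	return css_would_terminate_style_element( $css ) ? null : $css;
}

/**
 * Option B (escape): accept any CSS, but make sure it cannot close the element.
 *
 * Replacing "</" with "<\/" does not change CSS meaning where "</" can legally
 * occur in a stylesheet (strings, comments, identifiers), because "\/" is the
 * CSS escape for "/". The HTML tokenizer, however, no longer sees "</style".
 * This specific escape is this example's choice (assumption), not necessarily
 * the one the HTML API uses.
 */
function escape_css_for_style_element( string $css ): string {
	return str_replace( '</', '<\\/', $css );
}

/**
 * Render a <style> element whose body stays CSS no matter what it contains.
 * The element id is a hypothetical value for the example.
 */
function render_style_element( string $css, string $id = 'example-custom-css' ): string {
	$safe_id = htmlspecialchars( $id, ENT_QUOTES, 'UTF-8' );
	return "<style id=\"{$safe_id}\">\n" . escape_css_for_style_element( $css ) . "\n</style>";
}

/**
 * Storage side: when the CSS lives inside JSON in post_content, encode the
 * characters that HTML-oriented post filters (KSES) react to as \uXXXX
 * sequences, so the stored value never looks like markup to those filters.
 */
function encode_custom_css_for_post_content( string $css ): string {
	return json_encode( array( 'css' => $css ), JSON_HEX_TAG | JSON_HEX_AMP );
}

// Constructed sample: valid CSS that legitimately contains "</style>".
$valid_css = 'a::after { content: "</style>"; } /* "</style>" may appear in comments too */';

// Verbatim printing would break out of the element; Option A therefore
// rejects this valid CSS, while Option B keeps it and neutralises the sequence.
assert( css_would_terminate_style_element( $valid_css ) );
assert( null === reject_unsafe_custom_css( $valid_css ) );
assert( ! css_would_terminate_style_element( escape_css_for_style_element( $valid_css ) ) );

echo render_style_element( $valid_css ), PHP_EOL;
echo encode_custom_css_for_post_content( $valid_css ), PHP_EOL;
```

Running the script prints a `<style>` element whose body still reads as the same CSS to a browser but contains no `</style` for the HTML tokenizer, and a JSON string in which `<`, `>` and `&` appear only as `\u003C`, `\u003E` and `\u0026`, which is the property that keeps KSES from mangling the stored value.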

