pretalx / pretalx

Conference planning tool: CfP, scheduling, speaker management
https://pretalx.com
Apache License 2.0

static css using css property word-wrap, which is not recognized by cssutils #558

Closed knarrff closed 5 years ago

knarrff commented 5 years ago

Expected Behavior

using word-wrap in custom css should be accepted (feature request in cssutils)

or

word-wrap not used in shipped cfp-css by pretalx

or

css validation should be optional

Current Behavior

word-wrap set to break-all, which cannot be overwritten by user css, because validation of the latter fails

Steps to Reproduce

  1. try to upload custom css including the word-wrap property

Context

https://derse19.uni-jena.de/derse19/ has the problem that the title in the header is broken in the middle of words. We try to prevent that. The breaking presumably happens because pretalx/static/cfp/scss/_layout.scss contains:

header {word-break: break-all;}

This wouldn't be a problem if this setting could be overwritten by a css script provided by the user. The problem is that cssutils at the moment does not know about "word-break" (see https://bitbucket.org/cthedot/cssutils/pull-requests/19/add-overflow-wrap-css-rule/diff), but pretalx uses cssutils to validate the user css, and in this case refuses "word-break", even if put in exactly as the vendor-pretalx-css uses it.

Since this doesn't seem to be even in the dev-version of cssutils yet, I don't see any other possibility to resolve this (easily) than to make successful validation optional.

I also noticed that the uploaded file (if validation was successful) gets copied to a file with a name like "derse19_QR80H3z.css", and that name changes every time I upload a file, which makes it very inconvenient to put that file into a, say, git repository to handle those things there instead of always uploading the new css file. Is there any way around this?

Your Environment

luto commented 5 years ago

Oh, that doesn't look too good :-/ Funnily enough I ran into a similar problem (#434) and tried to fix it (ba9245c9f086ce9bdae71c3cbf678bb0e351998a) months ago.

Since break-all is apparently too aggressive, I went ahead and changed the line to word-break: break-word;, which tries to keep words whole and - if that's not possible - falls back to breaking them anyway. See 021d0c9004135e18b88fc494b5ffc19f5337b734.

I'm going to leave this open for now since the original bug remains: word-break cannot be changed by custom CSS.

rixx commented 5 years ago

I'm not sure it's feasible for us to work around this – we have to rely on a lib for css validation, as we cannot feasibly run this ourselves. As long as the fix by @luto solves your problem, I'd consider this issue closed.

Please also note that administrator accounts are able to upload css without further validation, so this would be a second way to sidestep your problem.

Our reasoning is that css injection might leak data belonging to events the uploader has no access to, but as administrators are presumed to have shell access to the server and do have access to all events, and should know what they are doing, we've decided to allow all css uploads to administrators.
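
An added illustration, not pretalx or cssutils code, of the trade-off discussed in this thread: a fail-closed validator that only accepts properties it knows rejects a legitimate word-break override until the property is added to its table, while administrators skip validation. The allowlist, the function names and the sample stylesheets are assumptions made for the example.

```python
import re

# Assumed allowlist for illustration; a real validator ships a far larger table.
KNOWN_PROPERTIES = {"color", "background-color", "font-size", "margin", "padding"}
# Constructs that make the browser fetch external resources, plus escapes that can hide them.
FORBIDDEN = re.compile(r"@|\\|url\s*\(|expression\s*\(", re.IGNORECASE)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def validate_css(css, known=KNOWN_PROPERTIES):
    """Return a list of problems; an empty list means the stylesheet is accepted."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)  # drop comments first
    problems = []
    if FORBIDDEN.search(css):
        problems.append("forbidden construct (at-rule, escape or external fetch)")
    # Anything left after removing well-formed rules is unparseable: fail closed.
    if RULE.sub("", css).strip():
        problems.append("unparseable content outside rule blocks")
    for _selector, body in RULE.findall(css):
        for decl in filter(None, (d.strip() for d in body.split(";"))):
            name, sep, value = decl.partition(":")
            name = name.strip().lower()
            if not sep or not value.strip():
                problems.append(f"malformed declaration: {decl!r}")
            elif name not in known:
                problems.append(f"unknown property: {name}")
    return problems


def accept_upload(css, is_administrator, known=KNOWN_PROPERTIES):
    """Administrators skip validation, as described in the thread; others must pass."""
    return is_administrator or not validate_css(css, known)


# Constructed sample inputs.
OVERRIDE = "header { word-break: normal; }"
IMPORTING = '@import url("https://example.invalid/theme.css");'

if __name__ == "__main__":
    print(validate_css(OVERRIDE))                                   # rejected: unknown property
    print(validate_css(OVERRIDE, KNOWN_PROPERTIES | {"word-break"}))  # accepted once known
    print(validate_css(IMPORTING))                                  # rejected: external fetch
    print(accept_upload(OVERRIDE, is_administrator=True))           # validation skipped
```
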