Open alecpl opened 1 month ago
Why use a standalone CSS parser?
HTMLPurifier includes robust CSS parsing. Would that be an option? That library has been around for a long time and is still maintained. That could also be an improvement over Roundcube's washtml, which is only kept alive in this project, as far as I can see, and probably contains more issues than a publicly and widely adopted library.
It's been the topic of #1196, which was closed without a comprehensible explanation; do you maybe remember any details?
Oh yeah, I forgot about HTMLPurifier, maybe because I was concerned with CSS here. Washtml was as good as HTMLPurifier at that time. Today it might make sense to investigate its use, indeed. It would be good to know if its extensibility features allow us to do all the tricks we do with washtml. Performance may also play a role. And whether we can use it to handle standalone CSS scripts. And it does not look like it supports SVG, but maybe we could still use it for CSS.
Prerequisites
Proposal
Options:
Motivation and context
Our custom code for CSS parsing is a can of worms. A decent CSS parser could not only fix #7533, but also possibly make it more secure.
I don't know if there's a decent parser, we need to investigate.