Use a decent CSS parser for better security

[alecpl]

Prerequisites

• [X] I have searched for duplicate or closed feature requests
• [X] I have searched for plugins that provide already provide the feature

Proposal

Options:

• https://github.com/wikimedia/css-sanitizer
• https://github.com/MyIntervals/PHP-CSS-Parser

Motivation and context

Our custom code for css parsing is a can of worms. A decent CSS parser could not only fix #7533, but also possibly make it more secure.

I don't know if there's a decent parser, we need to investigate.

[pabzm]

Why use a standalone CSS parser?

HTMLPurifier includes robust CSS parsing. Would that be an option? That library has been around for a long time and is still maintained. That could also be an improvement over Roundcube's washtml, which is only kept alive in this project, as far as I can see, and probably contains more issues than a publicly and widely adopted library.

It's been the topic of #1196, which was closed without comprehensible explanation, do you maybe remember any details?

[alecpl]

Oh yeah, I forgot about HTMLPurifier, maybe because I was concerned with css here. Washtml was as good as HTMLPurifier at that time. Today it might make sense to investigate it's use, indeed. Would be good to know if it's extensibility features allow us to do all the tricks we do with washtml. Performance may also play a role. And whether we can use it to handle standalone css scripts. And it does not look like it supports SVG, but maybe we could still use it for css.