• There is a serious bug in the Custom CSS editor (Appearance → Customize → Layout Options → Additional Style) that is being used by this theme. Any CSS property which uses a single quote (‘) or double quote (“) in the property value will have that character changed into an escape character, making the property invalid. For example:

    a {
       font-family: 'Times Roman';
    }

    becomes:

    a {
       font-family: 'Times Roman';
    }

    Of course, a workaround would be to install a custom CSS plugin, but this is pretty bad; a CSS editor shouldn’t be making any character substitutions like that.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Theme Author marsian

    (@marsian)

    For security reasons, every input field is escaped in WordPress themes.

    Thread Starter CrouchingBruin

    (@crouchingbruin)

    There are plenty of themes which have a custom CSS option which do not escape special characters. And most custom CSS plugins, like Jetpack, also do not escape special characters. Also, if you use the text editor to edit a page or post, you can enter apostrophes or quotes and they don’t get escaped.

    Is it possible to inject scripting code into a custom CSS field? Yes, but it’s just as possible, and even easier, to inject code into page or post content. The escaping of the apostrophe and quote mark is definitely a bug with this theme.
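
As an added illustration, not code from the theme or from either poster, the following contrasts slash-escaping a custom CSS value (the behaviour reported above) with a sanitizer that leaves quotes alone and instead checks for the one sequence that can break out of a style element. The function names are hypothetical; addslashes() and preg_match() are PHP's own.

```php
<?php
// Added example, not code from the theme or from the thread.
// Assumes the saved CSS is printed inside its own <style> element, where
// quotes and apostrophes are harmless; only a closing '</style' tag can
// end the element early, so that is what a CSS sanitizer must reject.

// What an attribute-style escaper does to CSS (the bug described above).
function escape_like_the_theme(string $css): string
{
    return addslashes($css);          // 'Times Roman' -> \'Times Roman\'
}

// Hypothetical replacement for the theme's sanitize callback.
// It neither adds nor removes backslashes: CSS has its own escapes
// (e.g. content: "\201C") that must survive a round trip unchanged.
function sanitize_custom_css(string $css): string
{
    // HTML terminates a style element at '</style' (case-insensitive),
    // regardless of any quotes around it, so refuse that sequence.
    if (preg_match('#</style#i', $css)) {
        return '';                    // or surface a validation error
    }
    return $css;
}

// Hypothetical output helper: the stored CSS is emitted as typed.
function print_custom_css(string $css): string
{
    return "<style>\n" . sanitize_custom_css($css) . "\n</style>\n";
}

// Constructed sample input, the same rule as in the report above.
$input = "a {\n   font-family: 'Times Roman';\n}";
echo escape_like_the_theme($input), "\n";  // broken: \'Times Roman\'
echo print_custom_css($input);              // valid, quotes untouched
```

The point is that escaping is a property of the output context, not of the input: quotes need escaping in an HTML attribute, but not inside a style element, where the only dangerous text is a premature closing tag.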


The topic ‘Bug in Custom CSS Option’ is closed to new replies.