Boost: stop stripping SVG markup from Critical CSS while keeping style-tag breakout protection

[kraftbj]

Fixes #42321

Proposed changes

• Stop running wp_strip_all_tags() on Critical CSS when printing it into the front-end <style id="jetpack-boost-critical-css"> block; it corrupted valid CSS values containing markup, e.g. background-image: url("data:image/svg+xml,<svg ...></svg>").
• Replace it with a targeted sanitizer (Display_Critical_CSS::sanitize_css()) that neutralizes only the sequence that can terminate a <style> element early: any case-insensitive </style becomes <\/style (\/ is a valid CSS escape for / inside strings/url() tokens, so legitimate CSS keeps its meaning). The insertion-only rewrite cannot recreate </style, including via nested tricks like <</style/style — covered by tests. Style-tag breakout/XSS remains impossible.
• Apply the same treatment in the Critical CSS proxy (boost_proxy_css admin-ajax endpoint), which previously stripped SVG markup out of external source stylesheets before the generator ever saw them — meaning corrupted CSS was generated and persisted even before display-time stripping. Also adds X-Content-Type-Options: nosniff to the proxy response.
• Finding on the issue's second hypothesis (double quotes stripped on DB save): the storage/ingestion path (Critical_CSS_Storage / Storage_Post_Type / Set_Provider_CSS / Cloud CSS endpoint) contains no quote-stripping — CSS is base64-encoded before wp_insert_post, so quotes already survive persistence. Rather than changing code that wasn't broken, new round-trip regression tests lock that behavior in.
• Adds PHPUnit coverage: SVG data-URIs and double quotes survive display output; </style> injection (any case) is still neutralized; quotes and SVG markup survive a store/load round-trip.

Note for reviewers: this intentionally changes security-relevant sanitization (blanket tag-stripping → targeted </style neutralization). Please give the escaping approach in sanitize_css() a close look.

Related product discussion/links

• Part of a Boost P0 reliability pass (audit follow-up); sibling PRs: Boost: keep position-dependent inline scripts (document.write) in place when Defer JS is enabled #49545 (Defer JS document.write) and Boost: fully remove boost-cache directory on uninstall and make cleanup resilient on very large caches #49546 (Page Cache uninstall cleanup).

Does this pull request change what data or activity we track or use?

No.

Testing instructions

1. Add this to your theme's stylesheet, plus a matching <div class="test-svg-background"></div> near the top of the header template so it's above the fold:

   .test-svg-background {
       width: 200px;
       height: 200px;
       background-image: url("data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 8 8'><circle cx='4' cy='4' r='4' fill='%23f00'/></svg>");
   }

2. In Jetpack Boost, enable Optimize Critical CSS Loading and generate Critical CSS.
3. View the front-end source and inspect <style id="jetpack-boost-critical-css">:
   • Before: the rule appears as url("data:image/svg+xml,") (SVG stripped) and the red circle is missing.
   • After: the full SVG data-URI, including its quotes, is intact and the red circle renders before stylesheets load (throttle the network to confirm).
4. Security check: store CSS containing </style><script>alert(1)</script> (via the same flow, or by editing the stored provider CSS) and confirm the printed block contains <\/style> instead, the style element is not terminated early, and no script executes.
5. Tests: cd projects/plugins/boost && vendor/bin/phpunit-select-config phpunit.#.xml.dist --bootstrap tests/bootstrap.php --testsuite with-wordpress --filter "Display_Critical_CSS_Test|Critical_CSS_Storage_Test" (16 tests, 48 assertions passing; unit suite also green at 114 tests. The with-wordpress suite has 2 pre-existing Jetpack_Boost_Test errors reproducible on clean trunk in this environment, unrelated to this change).

https://claude.ai/code/session_01PgpTrtTCH4hpz6Krh3ssho

---

Generated by Claude Code

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

---

Boost plugin:

No scheduled milestone found for this plugin.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 4 files.

File	Coverage	Δ%	Δ Uncovered
projects/plugins/boost/app/modules/optimizations/critical-css/class-css-proxy.php	0/37 (0.00%)	0.00%	3 ❤️‍🩹
projects/plugins/boost/app/lib/critical-css/class-display-critical-css.php	28/30 (93.33%)	0.23%	0 💚
projects/plugins/boost/app/lib/critical-css/class-critical-css-storage.php	14/16 (87.50%)	81.25%	-13 💚
projects/plugins/boost/app/lib/class-storage-post-type.php	60/112 (53.57%)	39.29%	-44 💚

Full summary · PHP report · JS report

[Copilot]

Pull request overview

This PR updates Jetpack Boost’s Critical CSS handling to preserve valid CSS values containing inline SVG markup/data URIs and double quotes, while still preventing <style>-tag breakout by neutralizing </style sequences. It also aligns the Critical CSS proxy endpoint with the same sanitization approach and adds regression coverage for both display-time output and storage round-trips.

Changes:

• Replace blanket tag stripping with targeted </style neutralization via Display_Critical_CSS::sanitize_css() for inline Critical CSS output.
• Apply the same sanitization to the boost_proxy_css admin-ajax CSS proxy response and add X-Content-Type-Options: nosniff.
• Add PHPUnit coverage for style-breakout neutralization, SVG data-URI preservation, quote preservation, and storage round-trips; register the new tests in PHPUnit suites and add a changelog entry.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
projects/plugins/boost/app/lib/critical-css/class-display-critical-css.php	Switches Critical CSS output sanitization from tag stripping to targeted </style neutralization via sanitize_css().
projects/plugins/boost/app/modules/optimizations/critical-css/class-css-proxy.php	Updates proxy response headers and sanitization approach for proxied CSS content.
projects/plugins/boost/tests/php/lib/critical-css/Display_Critical_CSS_Test.php	Replaces “strip HTML” expectations with explicit style-breakout neutralization tests; adds SVG/quote preservation assertions.
projects/plugins/boost/tests/php/lib/critical-css/Critical_CSS_Storage_Test.php	Adds new tests to lock in storage round-trip preservation of SVG markup and quotes.
projects/plugins/boost/phpunit.9.xml.dist	Registers the new storage test under the with-wordpress suite and excludes it from unit.
projects/plugins/boost/phpunit.11.xml.dist	Registers the new storage test under the with-wordpress suite and excludes it from unit.
projects/plugins/boost/changelog/fix-critical-css-svg-stripping	Adds a patch/fixed changelog entry describing the behavior change.