Style Engine: Include 6.1 CSS filter, ensure style engine can output CSS functions like clamp#43004
Conversation
andrewserong
added
[Package] Style Engine
| // Allow a controlled set of `display` values. | ||
| if ( | ||
| 'display' === $property && | ||
| in_array( $value, array( 'block', 'inline', 'inline-block', 'flex', 'inline-flex', 'grid', 'inline-grid' ), true ) |
There was a problem hiding this comment.
Any reason why we couldn't add a $attrs[] = 'display'; entry to gutenberg_safe_style_attrs_6_1() in lib/compat/wordpress-6.1/blocks.php?
If we're not confident that a core patch for display will be in before 6.1 maybe add another safe_style_css filter?
There was a problem hiding this comment.
Over in WordPress/wordpress-develop#2928 (comment) we discussed the issue with display: none, in that we still want that value to be excluded, but to allow the remaining display values.
Currently in the Layout output of the Theme JSON class we have special handling for display here: https://github.com/WordPress/gutenberg/blob/trunk/lib/compat/wordpress-6.1/class-wp-theme-json-6-1.php#L1370
For the purposes of this PR, we could always remove the display handling, since we're not yet using the style engine for global styles, and defer the issue to later.
I think the question comes down to — should WordPress in general allow display with a set number of values, or is it that the Layout / theme.json might need it for a particular use case, but it shouldn't otherwise be more broadly exposed.
There was a problem hiding this comment.
All that said, in principle, I really like the idea that the style engine could "just work" and outsource CSS validation / sanitization to core functions and filters 🤔
There was a problem hiding this comment.
we discussed the issue with display: none, in that we still want that value to be excluded
I've left a comment over in that discussion. It would be good to validate that claim.
For the purposes of this PR, we could always remove the display handling, since we're not yet using the style engine for global styles, and defer the issue to later.
I always say "if in doubt, chuck it out" 😄
If we're not using it, is there any benefit to having it right now or for 6.1?
Or could this be resolved in the core patch?
I think the question comes down to — should WordPress in general allow display with a set number of values, or is it that the Layout / theme.json might need it for a particular use case, but it shouldn't otherwise be more broadly exposed.
Yeah for sure. Do you think it'd be helpful to ask a wider audience before committing here?
There was a problem hiding this comment.
I always say "if in doubt, chuck it out" 😄
If we're not using it, is there any benefit to having it right now or for 6.1?
Great point. For the scope of this PR, we only need to resolve the issue reported in #42948, as display is still handled in the Theme JSON class. Let's avoid dealing with display in this PR until we need to refactor the centralised Layout output.
I've removed the display handling in: b7261d8
|
This is looking good to me. I think having filters doing the temporary workarounds is a nice way to be explicit about things, and probably easier to remove/extract during migrations. I just had a question as to whether we could move the checks for Also, using the code that'll be closer to what core will have. I tested by running some of the target properties and values through: max-width: clamp(36.00rem, calc(32.00rem + 10.00vw), 40.00rem);
max-width: min(calc(3 * 10.00vw));
max-width: max(calc(3 * 10.00vw));
max-width: minmax(20px, auto) 1fr 1fr);.wp-testing-display-properties-block {
display: block;
}
.wp-testing-display-properties-inline {
display: inline;
}
.wp-testing-display-properties-inline-block {
display: inline-block;
}
.wp-testing-display-properties-flex {
display: flex;
}
.wp-testing-display-properties-inline-flex {
display: inline-flex;
}
.wp-testing-display-properties-grid {
display: grid;
}
.wp-testing-display-properties-inline-grid {
display: inline-grid;
} |
ramonjd
left a comment
ramonjd
left a comment
There was a problem hiding this comment.
Can confirm that display is not longer supported.
Looks like a good approach to me. Keeps the style engine clean, and has a clear path to migration.
Thanks for the tests.
| foreach ( $declarations_array as $property => $value ) { | ||
| $spacer = $should_prettify ? ' ' : ''; | ||
| $filtered_declaration = esc_html( safecss_filter_attr( "{$property}:{$spacer}{$value}" ) ); | ||
| $filtered_declaration = esc_html( static::filter_declaration( $property, $value, $spacer ) ); |
There was a problem hiding this comment.
For a follow up: could we abstract all sanitization and move the esc_html too?
There was a problem hiding this comment.
Good question — depending on the output context, I wasn't too sure if esc_html() is always desired so left it inline for the time being. Happy to play around with it in a follow-up if this PR looks viable (I'd like to better understand when and why we need to escape the html characters, too — I can imagine some circumstances, but I don't feel I fully get it yet 🙂).
There was a problem hiding this comment.
I think this is worth investigating separately. The safecss_filter_attr is probably enough here.
Looking at other usages of safecss_filter_attr in the plugin, I don't see any of them wrapped in the esc_* method.
There was a problem hiding this comment.
could we abstract all sanitization and move the esc_html too?
esc_html causes issues with values that contain quotes - like for example URLs in background:url("example.com/image.jpg"). That's why over in #42968 I was introducing a sanitize_value method 😉
There was a problem hiding this comment.
I did some tests, and now I'm 99% sure we don't need esc_html here.
Sorry for the ping, @peterwilsoncc. Can you confirm that values returned by safecss_filter_attr don't need escaping?
$value = safecss_filter_attr( $css );
// VS
$value = esc_html( safecss_filter_attr( $css ) );There was a problem hiding this comment.
I think we can just remove esc_html
It's not used anywhere in Core when printing CSS, and the safecss call takes care of most (all?) cases I can think of that could potentially cause issues.
There was a problem hiding this comment.
Thanks for the discussion, folks! I've updated this PR to remove the call to esc_html and updated the tests accordingly.
|
There're new flaky test reports 43007...43011. Let's double check code for 500 errors and close those. |
There was a problem hiding this comment.
I've changed this one to be a value that safecss_filter_attr strips, instead, since this PR now removes the call to esc_html so we no longer need to test whether or not HTML characters will be escaped.
Thanks for the heads-up @Mamaduka, these 500 errors occurred while wordpress.org was down, so it was most likely caused by failures fetching from there. I'll close out those issues. |
andrewserong
force-pushed
the
try/allow-css-functions-and-var-fallback
branch
from
62444ec to
45f4c41
Compare
|
I think this one's ready now for a final review. @aristath, @Mamaduka and @ramonjd are there any objections to proceeding with this approach? I don't mind too much whether we go with this PR or another one, but it'd be great to try to get a fix merged before the 13.9 RC gets pushed tomorrow if we can. |
|
LGTM 👍 Retested. The CSS functions are coming through as expected <style id='block-supports-inline-css'>
.barnacle-bill {
max-width: clamp(36.00rem, calc(32.00rem + 10.00vw), 40.00rem);
}
.barnacle-bob {
font-size: min(calc(3 * 10.00vw));
}
.barnacle-barry {
height: max(calc(3 * 10.00vw));
}
.barnacle-brad {
padding: minmax(20px, auto) 1fr 1fr);
}
</style> |
|
Thanks for landing this, folks! @andrewserong, do you mind leaving a comment on https://core.trac.wordpress.org/ticket/55966, saying that we adopted regex from the patch? It might help move the ticket forward for committing. |
|
Good idea! I've added a comment in https://core.trac.wordpress.org/ticket/55966#comment:6 |
4 participants
What?
Fixes #42948
A potential alternative to #42968, exploring @Mamaduka's idea from #42968 (comment)
The idea here is that to resolve the issue of the style engine stripping values that use
clamp()we can roll out the proposed updated regex for filtering values from the Trac ticket: https://core.trac.wordpress.org/ticket/55966.Why?
The idea behind this PR is that the style engine shouldn't have to be doing too much of its own work to determine whether or not a rule is valid. I've added an additional function just in case we need to add further special handling down the track (for display, perhaps?), but for now we're still deferring to
safecss_filter_attr.How?
safecss_filter_attr_allow_cssthat uses the proposed regex from https://core.trac.wordpress.org/ticket/55966 (the changes are viewable in this diff: https://core.trac.wordpress.org/attachment/ticket/55966/55966.2.diff)safecss_filter_attrTesting Instructions
clamp()values