From ade3b6d94685fdb0dda2dc55f5c7a2cde44ce646 Mon Sep 17 00:00:00 2001
From: Mike Letellier
Date: Thu, 21 Nov 2024 16:58:02 -0400
Subject: [PATCH] Strip unexpected characters from CSS output var names
---
 classes/helpers/FrmStylesHelper.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index c6b9c72a1b..997b486a48 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -445,11 +445,21 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 }
 $show = empty( $defaults ) || ( $settings[ $var ] !== '' && $settings[ $var ] !== $defaults[ $var ] );
 if ( $show ) {
- echo '--' . esc_html( str_replace( '_', '-', $var ) ) . ':' . self::css_var_prepare_value( $settings, $var ) . ';'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+ echo '--' . esc_html( self::clean_var_name( str_replace( '_', '-', $var ) ) ) . ':' . self::css_var_prepare_value( $settings, $var ) . ';'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 }
 }
 
+ /**
+ * Remove anything that isn't used as a CSS variable name.
+ *
+ * @param string $var_name
+ * @return string
+ */
+ private static function clean_var_name( $var_name ) {
+ return preg_replace( '/[^a-zA-Z0-9_-]/', '', $var_name );
+ }
+
 /**
 * Prepare the value for a CSS variable.
 *
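Review bot: The allowlist in `clean_var_name` can reduce a name to the empty string, and the `if ( $show )` branch still emits it, producing a malformed `--:value;` declaration that can break the surrounding style block; the caller should skip such names, e.g. `$name = self::clean_var_name( str_replace( '_', '-', $var ) ); if ( '' === $name ) { continue; }` (assuming the enclosing loop, which starts before the hunk, is a `foreach` over the var names). `preg_replace` also returns null on a PCRE error, which the `@return string` docblock does not reflect; `return (string) preg_replace( '/[^a-zA-Z0-9_-]/', '', $var_name );` keeps the declared contract without changing the normal path. The docblock summary "Remove anything that isn't used as a CSS variable name" would read more precisely as "Strip any character outside `[a-zA-Z0-9_-]` so the name can be emitted as a CSS custom property identifier". Note that the allowlist covers only the property name; the value side still goes out under the phpcs:ignore, so its escaping presumably lives inside `css_var_prepare_value`, which is outside this hunk, as is the start of `output_vars` itself.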