
Do not output invalid css vars #2296

Merged: Crabcyborg merged 9 commits into master from do_not_output_invalid_css_vars on Apr 1, 2025

Conversation

@Crabcyborg Crabcyborg commented Apr 1, 2025

Related ticket https://secure.helpscout.net/conversation/2873552726/224955

This update adds some additional validation before adding CSS vars.

I also noticed that the use_base_font_size setting is here, when it isn't used as a CSS var.

Confirmed by customer

coderabbitai Bot commented Apr 1, 2025

Walkthrough

The changes update the output_vars method in the FrmStylesHelper class to incorporate enhanced CSS variable validation. The update adds 'use_base_font_size' to the exclusion list and integrates two new private methods, css_key_is_valid and css_value_is_valid, which check that CSS keys and values adhere to specified rules. This additional validation ensures that keys do not exceed a defined length or contain invalid characters, and that values are free from potentially harmful JavaScript code before generating the CSS output.

Changes

File: classes/helpers/FrmStylesHelper.php
Change summary: Updated output_vars to add enhanced CSS validation; added 'use_base_font_size' to the exclusion array; added private methods css_key_is_valid and css_value_is_valid for validating CSS keys and values.

Sequence Diagram(s)

sequenceDiagram
    participant C as Client
    participant O as output_vars
    participant K as css_key_is_valid
    participant V as css_value_is_valid

    C->>O: Request CSS output generation
    O->>K: Validate CSS key
    K-->>O: Return key validation result
    O->>V: Validate CSS value
    V-->>O: Return value validation result
    O-->>C: Return processed CSS output

Possibly related PRs

  • Strategy11/formidable-forms#2135: Introduces a new method for sanitizing variable names in the output_vars method, showing direct code-level relationships with this PR.

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d464d52 and d337d9d.

⛔ Files ignored due to path filters (1)
  • phpcs.xml is excluded by !**/*.xml
📒 Files selected for processing (1)
  • classes/helpers/FrmStylesHelper.php (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: Cypress
🔇 Additional comments (5)
classes/helpers/FrmStylesHelper.php (5)

436-436: Good addition of 'use_base_font_size' to exclusion list.

The addition of 'use_base_font_size' to the exclusion list prevents it from being output as a CSS variable, which is appropriate since it serves as a control variable rather than an actual CSS property.


440-440: Enhanced security by validating CSS keys.

Adding the CSS key validation check is a good security improvement that prevents potentially malicious CSS keys from being processed.


447-447: Improved security by validating CSS values.

Adding value validation prevents potentially harmful JavaScript code from being injected through CSS values, which is an excellent security enhancement.


453-465: Good implementation of key validation.

The css_key_is_valid function effectively validates CSS keys by checking both length limits and the absence of potentially dangerous characters like curly braces.


467-495: Excellent security enhancement for CSS value validation.

The implementation of css_value_is_valid provides robust protection against JavaScript injection by checking for suspicious substrings that shouldn't be present in legitimate CSS values.

This function effectively prevents CSS-based attacks that attempt to inject JavaScript, protecting against potential XSS vulnerabilities.



coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
classes/helpers/FrmStylesHelper.php (1)

467-495: Good security practice for preventing potential JS injection.

This method enhances security by checking CSS values for potentially harmful JavaScript code patterns. The implementation is concise and effective at blocking common attack vectors.

However, consider using a more comprehensive approach in the future:

  1. You could consider using a regular expression to match a broader range of JavaScript-like patterns
  2. Consider adding more patterns like eval(, document., etc. to the invalid substrings list
  3. For increased maintainability, you might want to add comments explaining why each pattern is considered harmful

Example of additional patterns to consider:

$invalid_substrings = array(
    'function(',
    ';userAgent',
    ';stopPropagation',
    '{const',
    'window[',
    'navigator[',
    'Array;',
    'eval(', // Prevents eval execution
    'document.', // Prevents DOM access
    'setTimeout(', // Prevents timing attacks
    'setInterval(', // Prevents timing attacks
);
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 494ff45 and d464d52.

📒 Files selected for processing (1)
  • classes/helpers/FrmStylesHelper.php (1 hunks)
🧰 Additional context used
🪛 GitHub Check: Spell Check with Typos
classes/helpers/FrmStylesHelper.php

[warning] 462-462:
"abnormaly" should be "abnormally".

🪛 GitHub Actions: Typo Checks
classes/helpers/FrmStylesHelper.php

[warning] 462-462: "abnormaly" should be "abnormally".


[error] 462-462: Process completed with exit code 2.

⏰ Context from checks skipped due to timeout of 90000ms (5)
  • GitHub Check: PHP 8 tests in WP trunk
  • GitHub Check: PHP 7.4 tests in WP trunk
  • GitHub Check: Cypress
  • GitHub Check: Cypress
  • GitHub Check: PHP 7.4 tests in WP trunk
🔇 Additional comments (3)
classes/helpers/FrmStylesHelper.php (3)

436-436: LGTM: Added 'use_base_font_size' to the excluded variables list.

The addition of 'use_base_font_size' to the $remove array ensures this variable won't be output as a CSS variable, which is appropriate since it's used for internal logic rather than styling.


440-440: Enhanced validation for CSS variable keys.

The addition of self::css_key_is_valid($var) check helps prevent potentially invalid CSS keys from being output, improving security.


447-447: Added CSS value validation to prevent harmful code.

The addition of self::css_value_is_valid($settings[$var]) check helps prevent potentially harmful JavaScript code from being output as CSS values, enhancing security.
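To make the two checks concrete, here is an added example that is not the plugin's code: it models css_key_is_valid, css_value_is_valid and an output_vars-style loop as the walkthrough and the nitpick above describe them, using the substring list CodeRabbit posted. The length limit, the allowlist regex for key characters and the extra '{};' check on values are assumptions, not part of the PR.

```php
<?php
// Added example, not Formidable Forms code: models the PR's key and value checks in an
// output_vars-style loop. The length limit, allowlist regex and '{};' check are assumptions.
const MAX_CSS_KEY_LENGTH = 100; // the PR only says "a defined length"
// Substrings from CodeRabbit's review thread, including its suggested additions.
const INVALID_VALUE_SUBSTRINGS = array(
    'function(', ';userAgent', ';stopPropagation', '{const', 'window[',
    'navigator[', 'Array;', 'eval(', 'document.', 'setTimeout(', 'setInterval(',
);

function css_key_is_valid( $key ) {
    if ( ! is_string( $key ) || $key === '' || strlen( $key ) > MAX_CSS_KEY_LENGTH ) {
        return false;
    }
    // Allowlist of custom-property-name characters, stricter than the PR's brace check.
    return (bool) preg_match( '/^[A-Za-z0-9_-]+$/', $key );
}

function css_value_is_valid( $value ) {
    if ( ! is_scalar( $value ) ) {
        return false;
    }
    $value = (string) $value;
    foreach ( INVALID_VALUE_SUBSTRINGS as $needle ) {
        if ( stripos( $value, $needle ) !== false ) {
            return false; // substring blocklist as in the PR, case-insensitive here
        }
    }
    // Extra structural check: the value must not be able to close the declaration or rule block.
    return strpbrk( $value, '{};' ) === false;
}

function output_css_vars( array $settings, array $remove ) {
    $css = '';
    foreach ( $settings as $var => $value ) {
        if ( in_array( $var, $remove, true ) || ! css_key_is_valid( $var ) || ! css_value_is_valid( $value ) ) {
            continue; // rejected silently, as the PR does; log here if rejections should be audited
        }
        $css .= '--' . $var . ':' . $value . ';';
    }
    return $css;
}

// Constructed sample: one good var, the excluded control setting, and a value that tries to close the rule block.
$settings = array(
    'font_size'          => '16px',
    'use_base_font_size' => '1',
    'border_color'       => '#ccc; } body { color: red',
);
echo output_css_vars( $settings, array( 'use_base_font_size' ) ), "\n"; // --font_size:16px;
```

The rejected border_color value shows why a structural check complements the substring list: a blocklist only catches the strings it already knows about.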
