Copying https://bugzilla.mozilla.org/show_bug.cgi?id=1623650#c1 here:

On my end I need to:

* reproduce and confirm the issue
* make sure we recommend users don't pass unbounded strings
* look into tweaking gauntlet regex as Matt suggests

> my first choice/suggestion would be to not use regular expressions for sanitization

Absolutely, we've had a number of bugs around sanitizing CSS and filtering styles, so ideally we could switch to a different or better CSS parser:

* tinycss for a pure python implementation (with optional cython) https://github.com/mozilla/bleach/issues/248
* something battle-tested from Firefox/servo w/ python bindings e.g. https://github.com/servo/rust-cssparser
Bug 1623633 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Copying https://bugzilla.mozilla.org/show_bug.cgi?id=1623650#c1 here:

On my end I need to:

* reproduce and confirm the issue (ideally for multiple versions)
* make sure we recommend users don't pass unbounded strings
* look into tweaking gauntlet regex as Matt suggests

> my first choice/suggestion would be to not use regular expressions for sanitization

Absolutely, we've had a number of bugs around sanitizing CSS and filtering styles, so ideally we could switch to a different or better CSS parser:

* tinycss for a pure python implementation (with optional cython) https://github.com/mozilla/bleach/issues/248
* something battle-tested from Firefox/servo w/ python bindings e.g. https://github.com/servo/rust-cssparser
Copying https://bugzilla.mozilla.org/show_bug.cgi?id=1623650#c1 here:

On my end I need to:

* reproduce and confirm the issue (ideally for multiple versions but it should be anything with that regex in it)
* make sure we recommend users don't pass unbounded strings
* look into tweaking gauntlet regex as Matt suggests

> my first choice/suggestion would be to not use regular expressions for sanitization

Absolutely, we've had a number of bugs around sanitizing CSS and filtering styles, so ideally we could switch to a different or better CSS parser:

* tinycss for a pure python implementation (with optional cython) https://github.com/mozilla/bleach/issues/248
* something battle-tested from Firefox/servo w/ python bindings e.g. https://github.com/servo/rust-cssparser
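The comment above makes two recommendations: bound the size of the string handed to the style sanitizer, and filter CSS declarations with a parser rather than a regular expression. The block below is an added illustration of both and is not bleach's code or anything from the bug; the function names, the length bound, the property allow-list and the value alphabet are assumptions chosen for the example. It uses a hand-written single-pass scanner so it runs with no dependencies; in a real project the comment's suggestion of a proper CSS parser such as tinycss is the better route.

```python
"""Added example (not bleach's code): a bounded, scanner-based style filter.

Two properties are demonstrated:
  1. the input length is checked before any parsing work is done, so the
     cost of a hostile style attribute is capped up front;
  2. declarations are split by a linear-time scanner that tracks quotes and
     parentheses, not by a backtracking regular expression.
All names and limits below are assumptions made for this example.
"""

MAX_STYLE_LEN = 1024  # assumed bound; the comment only says "not unbounded"

# Assumed allow-list of properties and a conservative alphabet for values.
# Anything outside the alphabet (quotes, parens, backslashes, '<', ...) is
# rejected rather than "cleaned".
ALLOWED_PROPERTIES = {"color", "background-color", "font-size", "text-align"}
VALUE_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz"
                        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 #%.,-")


class StyleTooLong(ValueError):
    """Raised when a style attribute exceeds the configured bound."""


def exceeds_bound(css, max_len=MAX_STYLE_LEN):
    """True if css is longer than the bound we are willing to parse."""
    return len(css) > max_len


def split_declarations(css):
    """Split a style attribute into declarations on top-level ';' only.

    A ';' inside quotes or parentheses, e.g. url("a;b"), does not end a
    declaration; the scanner tracks that state explicitly. One pass,
    linear in the input length.
    """
    parts, buf = [], []
    quote = None   # the quote character we are inside, or None
    depth = 0      # open-parenthesis depth
    i = 0
    while i < len(css):
        ch = css[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(css):   # keep escaped char with its backslash
                buf.append(css[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == "(":
            depth += 1
            buf.append(ch)
        elif ch == ")":
            depth = max(depth - 1, 0)
            buf.append(ch)
        elif ch == ";" and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def sanitize_style(css, max_len=MAX_STYLE_LEN):
    """Return a style string containing only allow-listed declarations.

    Raises StyleTooLong before parsing if the input exceeds max_len.
    """
    if exceeds_bound(css, max_len):
        raise StyleTooLong(f"style attribute longer than {max_len} characters")
    kept = []
    for decl in split_declarations(css):
        prop, sep, value = decl.partition(":")
        prop = prop.strip().lower()
        value = value.strip()
        if not sep or prop not in ALLOWED_PROPERTIES or not value:
            continue
        if not set(value) <= VALUE_CHARS:   # e.g. expression(...) or url(...) is dropped
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    print(sanitize_style("color: red; position: absolute; font-size: 12px"))
    print(sanitize_style("color: expression(alert(1)); text-align: left"))
```

The bound check runs before any scanning, so a caller who forwards user input of arbitrary size gets a clear error instead of a long parse. The scanner's work is proportional to the input length with no backtracking, which is the property a regex-based gauntlet cannot promise in general.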