ccss with content="" breaks something?
Closed this issue · 10 comments
something breaks the CCSS when it sees content:"" but if it's content:" " (with a space between quotes) it doesn't break. That's how I solved the issue on this website, but it seems like an urgent bug to me.
Let me know if you find that this comes from criticalcss.com or the plugin itself. I will take a look this weekend.
as reported by @barisunver by the way.
Baris, this happens for the "default CSS", right? have you seen this happen for AUTO-created rules as well, or not?
Testing, not reproduced (yet);
as reported by @barisunver by the way.
Baris, this happens for the "default CSS", right? have you seen this happen for AUTO-created rules as well, or not?
@futtta yeah, I saw it in the default CCSS textarea (in different sites). I'll keep looking for more instances of the issue. In the meantime, have you checked all your sanitization functions?
well, that's just it; there is no sanitization for default CCSS @barisunver
@futtta wait, so if someone were to put some JavaScript or PHP in that box...?
great feedback from @barisunver ;
Okay, I'll get right to it:
- Install Autoptimize and the powerup, and activate both.
- Go to criticalcss.com and have a critical CSS with some content:"" code in it (example css attached).
- Configure AO's CSS opt. settings and paste the critical CSS first.
- Go to the Critical CSS tab, and then you'll see that part of the critical CSS appears out of nowhere. Inspecting the element reveals that a hidden input that contains the critical CSS pasted on step 3 isn't sanitized, thus breaks the HTML (because <input type="hidden" value="content:" ";" />).
- Save the API key as intended.
See the criticalCSS is cut right after the first content: because the rest were outside the hidden input's value.Fix: Sanitize all inputs (especially that hidden input) and all textareas.
This fixes it for me, could you re-test with this fix/ commit @barisunver ?
@futtta looks fine to me :)