From b65fba97421ea2847df8f91c62ff53436456d57a Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Thu, 8 Sep 2022 13:26:14 +0000
Subject: [PATCH] KSES: Allow `min()`, `max()`, `minmax()`, and `clamp()` values to be used in inline CSS.

Additionally, this commit updates `safecss_filter_attr()` to add support for nested `var()` functions, so that a fallback value can be another CSS variable.

Follow-up to [50923].

Props johnregan3, noisysocks, cbravobernal, uxl, isabel_brison, andrewserong, ramonopoly, joyously, bernhard-reiter, peterwilsoncc.
Fixes #55966.

Built from https://develop.svn.wordpress.org/trunk@54100

git-svn-id: http://core.svn.wordpress.org/trunk@53659 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/kses.php | 21 +++++++++++++++------
 wp-includes/version.php | 2 +-
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index b32df1beaa..6308773c95 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -2228,6 +2228,8 @@ function kses_init() {
 * @since 5.3.1 Added support for gradient backgrounds.
 * @since 5.7.1 Added support for `object-position`.
 * @since 5.8.0 Added support for `calc()` and `var()` values.
+ * @since 6.1.0 Added support for `min()`, `max()`, `minmax()`, `clamp()`,
+ * and nested `var()` values.
 *
 * @param string $css A string of CSS rules.
 * @param string $deprecated Not used.
@@ -2467,13 +2469,20 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 }
 
 if ( $found ) {
- // Allow CSS calc().
- $css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
- // Allow CSS var().
- $css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
+ /*
+ * Allow CSS functions like var(), calc(), etc. by removing them from the test string.
+ * Nested functions and parentheses are also removed, so long as the parentheses are balanced.
+ */
+ $css_test_string = preg_replace(
+ '/\b(?:var|calc|min|max|minmax|clamp)(\((?:[^()]|(?1))*\))/',
+ '',
+ $css_test_string
+ );
 
- // Check for any CSS containing \ ( & } = or comments,
- // except for url(), calc(), or var() usage checked above.
+ /*
+ * Disallow CSS containing \ ( & } = or comments, except for within url(), var(), calc(), etc.
+ * which were removed from the test string above.
+ */
 $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
 
 /**
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 033bef0eba..3c93e89a53 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.1-alpha-54099';
+$wp_version = '6.1-alpha-54100';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
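Review bot: The return value of the new preg_replace() call is used unchecked, so a PCRE failure fails open: preg_replace() returns null when the engine hits its backtrack or recursion limit, and the recursive `(?1)` pattern is more exposed to that on long or deeply nested input than the two flat patterns it replaces. A null `$css_test_string` is then coerced to an empty string by `preg_match( '%[\\\(&=}]|/\*%', ... )`, which returns 0, so `$allow_css` becomes true and the original declaration passes through without the `\ ( & } =` and comment check. Make the test fail closed instead, e.g. `$allow_css = null !== $css_test_string && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );`, or check `preg_last_error() !== PREG_NO_ERROR` right after the replacement and reject on error. Note also that the `(?1)` recursion accepts any balanced parenthesised group inside the call, so the function-name allowlist only constrains the outermost name — presumably intended so grouping parentheses inside calc() still work, but that is worth stating in the comment above the pattern. The enclosing `if ( $found )` block and safecss_filter_attr() itself continue outside the hunk.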