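/**
 * Sanitize user-supplied CSS before it is stored or printed.
 *
 * The filtering pipeline only runs when `force` is set or when the current
 * user lacks the `unfiltered_html` capability. Otherwise the input is
 * returned exactly as it was passed in. Callers that handle CSS from a
 * less trusted origin than the logged-in user should pass `force => true`.
 *
 * Pipeline, in order:
 *  1. Double the backslash of 4-digit hex escapes, except directly after a quote.
 *  2. Strip markup with KSES (empty allow-lists) and then strip_tags().
 *  3. Unless a preprocessor is configured, parse with csstidy using the
 *     safecss optimiser and re-emit the result as plain CSS.
 *
 * NOTE(review): when `preprocessor` is set, step 3 is skipped. The returned
 * value has then only been through steps 1-2, with no property-level
 * filtering. The preprocessor's output presumably needs its own sanitizing
 * pass; confirm against the caller.
 *
 * NOTE(review): $warnings is only handed to the `safecss_parse_post` action
 * and is not returned, so nothing is reported on the preprocessor path.
 *
 * @param string $css  Raw CSS.
 * @param array  $args {
 *     Optional.
 *
 *     @type bool        $force        Sanitize even for users with `unfiltered_html`. Default false.
 *     @type string|null $preprocessor Preprocessor identifier; any truthy value skips the csstidy pass. Default null.
 * }
 * @return string Sanitized CSS, or the untouched input when filtering was skipped.
 */
public static function sanitize_css($css, $args = array())
{
    $args = wp_parse_args($args, array('force' => false, 'preprocessor' => null));

    // Trusted users (unfiltered_html) bypass every filter below unless forced.
    if ($args['force'] || !current_user_can('unfiltered_html')) {
        $warnings = array();

        safecss_class();
        $csstidy = new csstidy();
        $csstidy->optimise = new safecss($csstidy);

        // Keep the author's formatting as far as possible; only invalid
        // properties are discarded.
        $csstidy->set_cfg('remove_bslash', false);
        $csstidy->set_cfg('compress_colors', false);
        $csstidy->set_cfg('compress_font-weight', false);
        $csstidy->set_cfg('optimise_shorthands', 0);
        $csstidy->set_cfg('remove_last_;', false);
        $csstidy->set_cfg('case_properties', false);
        $csstidy->set_cfg('discard_invalid_properties', true);
        $csstidy->set_cfg('css_level', 'CSS3.0');
        $csstidy->set_cfg('preserve_css', true);
        $csstidy->set_cfg('template', dirname(__FILE__) . '/csstidy/wordpress-standard.tpl');

        // Double the backslash in front of any 4-hex-digit escape.
        $prev = $css;
        $css = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
        // prevent content: '\3434' from turning into '\\3434'.
        $css = str_replace(array('\'\\\\', '"\\\\'), array('\'\\', '"\\'), $css);
        if ($css !== $prev) {
            $warnings[] = 'preg_replace found stuff';
        }

        // Some people put weird stuff in their CSS, KSES tends to be greedy.
        // Encode '<=' so the '<' is not taken as the start of a tag. The
        // replacement must be the entity: replacing '<=' with itself is a no-op.
        $css = str_replace('<=', '&lt;=', $css);

        $prev = $css;
        // Why KSES instead of strip_tags? Who knows?
        $css = wp_kses_split($css, array(), array());
        // kses replaces lone '>' with '&gt;'. Decode it again, otherwise
        // selectors such as "a > b" are left holding an entity.
        $css = str_replace('&gt;', '>', $css);
        // Why both KSES and strip_tags? Because we just added some '>'.
        $css = strip_tags($css);
        // Strict comparison, matching the check above, so numeric-looking
        // strings are never treated as equal.
        if ($css !== $prev) {
            $warnings[] = 'kses found stuff';
        }

        // if we're not using a preprocessor.
        if (!$args['preprocessor']) {
            /** This action is documented in modules/custom-css/custom-css.php */
            do_action('safecss_parse_pre', $csstidy, $css, $args);

            $csstidy->parse($css);

            /** This action is documented in modules/custom-css/custom-css.php */
            do_action('safecss_parse_post', $csstidy, $warnings, $args);

            $css = $csstidy->print->plain();
        }
    }

    return $css;
}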