Skip to Content Skip to Navigation

…aaaand I broke it ;)

Custom CSS does not work when using quotes, e.g. in `font-family: "Foo Bar"`. Django escapes too aggressively.

2012 post on says: “Use |striptags|safe”

Current docs say: “Warning: Never use |striptags|safe — use bleach.clean()”

Bleach docs: “clean() is not safe to use in CSS context.”

🐇 rabbit hole

(Just not using quotes in CSS works ;)

Edited 69d ago

@fabian Noted! I'm sure we can fix that:

@takahe Yeah, there is probably a fix. I'm just too lazy to set up a dev env right now. But it seems at least it's not as easy as a „five char fix“ (`|safe`) *shrug*

@fabian Well given that the CSS only ever shows on your own pages, the security risk of doing safe is a lot less than it first seems.