
…aaaand I broke it ;)

Custom CSS does not work when using quotes, e.g. in `font-family: "Foo Bar"`. Django escapes too aggressively.

2012 post on says: “Use |striptags|safe”

Current docs say: “Warning: Never use |striptags|safe — use bleach.clean()”

Bleach docs: “clean() is not safe to use in CSS context.”

🐇 rabbit hole

(Just not using quotes in CSS works ;)

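The three-way tension above (autoescape breaks quoted CSS, `|safe` reopens the template to breakouts, `bleach.clean()` is an HTML sanitizer that knows nothing about CSS context) can be seen concretely. The block below is an added example written for this thread; it is not code from the posts or from the Takahē project. It uses Python's `html.escape`, which applies the same five replacements (`& < > " '`) as Django's autoescape, so no Django install is needed, and the reject-list at the bottom is an assumed, deliberately conservative policy for a "custom CSS" field, not a reproduction of anything bleach does.

```python
"""Added example: HTML autoescaping vs. CSS inside <style>, and a |safe breakout.

Illustrative code for this thread, not from the posts above or from Takahē.
html.escape stands in for Django's autoescape (same five replacements).
The validation policy is an assumed conservative reject-list, not bleach.clean().
"""
import html
import re


def autoescape_into_style(css: str) -> str:
    """Render {{ css }} inside a <style> block with Django-style autoescape on.

    CSS has no notion of HTML entities, so the quotes become &quot; and the
    font-family value is simply invalid CSS.
    """
    return f"<style>{html.escape(css, quote=True)}</style>"


def safe_into_style(css: str) -> str:
    """Render {{ css|safe }} (raw insertion) inside a <style> block."""
    return f"<style>{css}</style>"


# Inside <style> the HTML tokenizer is in raw-text state: entities are not
# decoded, and the only sequence that ends the element is "</style"
# (case-insensitive).  That is why autoescaping is useless here and why raw
# insertion is dangerous.
_STYLE_CLOSE = re.compile(r"</style", re.IGNORECASE)


def escapes_style_element(css: str) -> bool:
    """True if raw insertion of `css` would close the enclosing <style> early,
    handing the rest of the string back to the HTML parser."""
    return _STYLE_CLOSE.search(css) is not None


# Assumed policy for a free-text "custom CSS" field (not Takahē's).  Each rule
# rejects a construct that either breaks out of the element or turns a
# stylesheet into a request or script vector.  Backslashes are rejected because
# CSS escapes such as "\75 rl(" spell "url(" and would slip past the other rules.
_REJECT_RULES = (
    (re.compile(r"<"), "'<' could start a </style> breakout"),
    (re.compile(r"\\"), "backslash escapes can disguise forbidden tokens"),
    (re.compile(r"@import\b", re.IGNORECASE), "@import loads remote stylesheets"),
    (re.compile(r"\burl\s*\(", re.IGNORECASE),
     "url() issues requests under the viewer's session"),
    (re.compile(r"\bexpression\s*\(", re.IGNORECASE),
     "expression() executed script in legacy IE"),
    (re.compile(r"-moz-binding\b", re.IGNORECASE),
     "-moz-binding ran XBL in legacy Gecko"),
)


def validate_custom_css(css: str) -> list[str]:
    """Return the reasons `css` was rejected; an empty list means it passed."""
    return [reason for pattern, reason in _REJECT_RULES if pattern.search(css)]


def render_custom_css(css: str) -> str:
    """Validate first, then insert raw (the moral equivalent of mark_safe()
    applied only after a check).  Raises instead of silently escaping or
    silently rendering."""
    problems = validate_custom_css(css)
    if problems:
        raise ValueError("; ".join(problems))
    return safe_into_style(css)


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    quoted = 'body { font-family: "Foo Bar", sans-serif; }'
    breakout = '</style><script>alert(document.cookie)</script><style>'
    print(autoescape_into_style(quoted))      # &quot;Foo Bar&quot; -> broken CSS
    print(safe_into_style(breakout))          # second </style> ends the element
    print(validate_custom_css(quoted))        # []
    print(validate_custom_css(breakout))      # ["'<' could start a </style> breakout"]
```

The point of `render_custom_css` is that the right fix is not a different escaping filter but a context-appropriate check followed by marking the checked string safe; an HTML autoescaper and an HTML sanitizer are both answering the wrong question inside `<style>`. The reject-list is intentionally strict (it refuses legitimate `url()` backgrounds and `\201C`-style escapes), so a real feature would loosen it according to what it needs to support.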

@fabian Noted! I'm sure we can fix that: github.com/jointakahe/takahe/i

@takahe Yeah, there is probably a fix. I'm just too lazy to set up a dev env right now. But it seems at least it's not as easy as a “five char fix” (`|safe`) *shrug*

@fabian Well given that the CSS only ever shows on your own pages, the security risk of doing safe is a lot less than it first seems.