pub fn sanitize_custom_css(css: &str) -> String
Defence-in-depth scrub for user-supplied CSS. Even with a strict CSP in place we belt-and-braces:

- drop `@import` rules entirely (they could pull in further styles that we don't want to audit, and CSP bypass via stylesheet chains has historically been a footgun);
- strip the legacy IE `expression(...)` construct, which old WebKit forks have re-introduced for compatibility.

Comments are normalised first, so the patterns can't be hidden behind `/* */` splits such as `@im/**/port`. Operates on `&str` throughout and only ever slices at char boundaries: slicing at a raw byte offset inside a multi-byte character panics in Rust, and splicing raw bytes back together would mojibake non-ASCII content like `content: "→"`.
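The following is an added, illustrative reimplementation of the three passes described above (comment normalisation, `@import` removal, `expression(...)` removal); it is not the crate's own code, and the helper names `strip_comments`, `drop_import_rules` and `strip_expressions` are this example's own. It matches ASCII case-insensitively via `to_ascii_lowercase`, which keeps byte offsets identical to the input so every slice lands on a char boundary, and it fails closed by dropping the tail of the input when a comment, rule or parenthesis group is left unterminated. It does not decode CSS backslash escapes (`@\69mport`); a production sanitizer should run a real CSS tokenizer before pattern matching.

```rust
/// Remove `/* ... */` comments. CSS comments do not nest, and an
/// unterminated comment runs to end of input, so we drop everything after it.
fn strip_comments(css: &str) -> String {
    let mut out = String::with_capacity(css.len());
    let mut rest = css;
    while let Some(start) = rest.find("/*") {
        // `find` on an ASCII needle returns a byte offset on a char boundary.
        out.push_str(&rest[..start]);
        match rest[start + 2..].find("*/") {
            Some(len) => rest = &rest[start + 2 + len + 2..],
            None => return out, // unterminated comment swallows the rest
        }
    }
    out.push_str(rest);
    out
}

/// Drop every `@import ... ;` rule, case-insensitively.
fn drop_import_rules(css: &str) -> String {
    // ASCII-only lowercasing leaves non-ASCII bytes untouched, so offsets
    // into `lower` are valid offsets into `css`.
    let lower = css.to_ascii_lowercase();
    let mut out = String::with_capacity(css.len());
    let mut pos = 0;
    while let Some(rel) = lower[pos..].find("@import") {
        let start = pos + rel;
        out.push_str(&css[pos..start]);
        // The rule's prelude runs to the next ';'. A ';' inside a quoted URL
        // cuts the rule short and leaves junk text, but never an import.
        match lower[start..].find(';') {
            Some(rel_end) => pos = start + rel_end + 1,
            None => return out, // unterminated rule: fail closed
        }
    }
    out.push_str(&css[pos..]);
    out
}

/// Remove `expression(...)` (balanced parentheses), case-insensitively.
/// IE accepted whitespace between the keyword and '(' so we skip it too.
fn strip_expressions(css: &str) -> String {
    let lower = css.to_ascii_lowercase();
    let mut out = String::with_capacity(css.len());
    let mut pos = 0;
    while let Some(rel) = lower[pos..].find("expression") {
        let start = pos + rel;
        let after = start + "expression".len();
        let paren = after + (lower[after..].len() - lower[after..].trim_start().len());
        if !lower[paren..].starts_with('(') {
            // e.g. a class named `.expressions`: not the construct, keep it.
            out.push_str(&css[pos..after]);
            pos = after;
            continue;
        }
        out.push_str(&css[pos..start]);
        let mut depth = 0usize;
        let mut end = None;
        for (i, ch) in lower[paren..].char_indices() {
            match ch {
                '(' => depth += 1,
                ')' => {
                    depth -= 1;
                    if depth == 0 {
                        end = Some(paren + i + 1); // ')' is one byte
                        break;
                    }
                }
                _ => {}
            }
        }
        match end {
            Some(e) => pos = e,
            None => return out, // unbalanced: drop the tail
        }
    }
    out.push_str(&css[pos..]);
    out
}

/// Comments first, so split tokens like `@im/**/port` are reassembled
/// before the pattern passes run.
pub fn sanitize_custom_css(css: &str) -> String {
    strip_expressions(&drop_import_rules(&strip_comments(css)))
}
```

Removing the whole `expression(...)` value (rather than replacing it with a placeholder) leaves a declaration with an empty value, which browsers discard as invalid; that is the intended outcome.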