[csswg-drafts] [css-variables] custom property names too permissive, require namespacing rules (#7129) from Addison Phillips via GitHub on 2022-03-10 (public-css-archive@w3.org from March 2022)

From: Addison Phillips via GitHub <sysbot+gh@w3.org>
Date: Thu, 10 Mar 2022 17:32:10 +0000
To: public-css-archive@w3.org
Message-ID: <issues.opened-1165519237-1646933528-sysbot+gh@w3.org>

aphillips has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-variables] custom property names too permissive, require namespacing rules ==
https://www.w3.org/TR/css-variables-1/#defining-variables

> A custom property is any property whose name starts with two dashes (U+002D HYPHEN-MINUS), like [--foo](). The <custom-property-name> production corresponds to this: it’s defined as any [<dashed-ident>](https://www.w3.org/TR/css-values-4/#typedef-dashed-ident) (a valid [identifier](https://www.w3.org/TR/css-syntax-3/#identifier) that starts with two dashes), except -- itself, which is reserved for future use by CSS. [Custom properties](https://www.w3.org/TR/css-variables-1/#custom-property) are solely for use by authors and users; CSS will never give them a meaning beyond what is presented here.

The above text defines the custom property name as "any valid identifier". Tracing that definition back to [CSS Values](https://www.w3.org/TR/css-values-4/#typedef-dashed-ident) and thence to [`ident token`](https://www.w3.org/TR/css-syntax-3/#typedef-ident-token), we find that the name can contain ***any*** Unicode code point > U+0080. This includes various special forms of whitespace as well as potential problem characters, such as bidi controls (such as might cause "Trojan Source" attacks). Namespacing is definitely a complicated problem: the I18N WG doesn't want groups to cherry-pick characters (thereby excluding certain languages from using the feature).

Most programming languages attempt to address this by adopting some form of restriction for variable names such as those found in [UAX31](https://unicode.org/reports/tr31/) _Unicode Identifier and Pattern Syntax_. In JavaScript, for example, the definition looks like the one found [here](http://es5.github.io/x7.html#x7.6). CSS should make similar restrictions on property _names_ (values can remain unrestricted). 


Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7129 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 March 2022 17:32:12 UTC