Here you can find the backport for 3.10 so extension developers can use the same validation rule in 3.10 and 4.0: #29109

Since the JSST decided this can be publicly patched, a proof of concept of the issue should be included in the form of automated tests which can validate the rule is actually blocking the input that you want removed.

Since the JSST decided this can be publicly patched, a proof of concept of the issue should be included in the form of automated tests which can validate the rule is actually blocking the input that you want removed.

Sure here an example for fields:

You know I'm not good with unit tests but I'm happy to add one when you help me to get it right.

@zero-24 As discussed.
A validation rule which blocks things like 1st, 2nd, -1st, -2nd in CSS classes will certainly mean that sites need to change there classes. I have never seen the use of -- it doesn't mean it isn't used.

Thanks. just added a to-do item above to adjust the rule to allow that.

I have never seen the use of -- it doesn't mean it isn't used.

It's a pattern from the BEM CSS structure, it's just one way (of literally dozens) that someone can use to describe things in their CSS. One of the things I like about it is that it promotes class structures in a way where you aren't writing a lot of nested CSS, you're only going a couple levels deep usually.

As an example, on my site I have a container with the class of open-source-package open-source-package--has-logo open-source-package--has-topics open-source-package--abandoned where open-source-package is the base name of that block of code then open-source-package--has-logo is a modifier that says that the block contains an optional logo (which impacts the CSS Grid layout for that block) or open-source-package--abandoned being a modifier that says the block contains an abandoned package (right now unused but I could do a grayscale effect or something based on that class being present). It's not much different than Bootstrap's use of alert alert-success as an example, just a different set of characters between segments.

OK that will add that to the list above. Thanks for the feedback ?

To get a better picture of the values used @chmst cam up with a simple SQL Command

SELECT params FROM `#__modules` WHERE `params` like "%moduleclass_sfx%"

Would be awesome to get some samples for heavy sites so we can make sure the values still passes.You can send them to tobias.zulauf[at]community.joomla.org.

That would be interesting but not foolproof. Instead of whitelisting shouldnt you just be blacklisting the characters that are illegal for a css class and that can be used for xss

That would be interesting but not foolproof. Instead of whitelisting shouldnt you just be blacklisting the characters that are illegal for a css class and that can be used for xss

I have to disagree here. There are requirements for css classes. So a validation rule for css classes should make sure only that is passed. this is what an validation rule is about.
as the validation rule here is not only against xss and also we can make sure it does not break the markup etc.

To not break the other valid use cases i asked to provide them to us so we can make sure they still passes the rules.

The main problem with xss and blocklists is the following:

• browsers have to do wierd stuff to not break the internet
• there are a ton of unicode caracters that can be interpreted as " for example.

Here because of the limited use case i think a whitelist should be the best aproache to the issue. So please share your usecases so we can makre sure we make it work :)

AS you correctly point out there are rules

https://www.w3.org/TR/CSS22/grammar.html

AS you correctly point out there are rules

yes and here we have the special case of the fist beeing a suffx so we need to take care of that too.

With apply a PR and create a Breadcrumbs module with Pippo class
Click Save & Close and I've this error

What error do you get?

What is a pippo class?

Just to mention some recent CSS frameworks have started using colon punctuation in their class names... eg. sm:justify-center

I've insert the name of CSS class in advanced -> Header Class, but only the name not other.

The error is number 0

Great thanks @ciar4n

I can not follow you @adj9 please post the value you added to the field.

Error code 0 seems to be something else. Maybe a screenshot helps?

@zero-24 I just got the same error as @adj9 after using com_patchtester. Closer inspection showed that com_pathctester failed to copy the php file - just the xml

I have tested this item ? unsuccessfully on b48edbe

After successfully applying the patch and then entering an invalid class and then save or save and close I would expect not to get

The invalid class is not saved but the user would not know that. Usually there would be a message indicating the invalid field and that would prevent save or save and close

I have just looked into the issues mention here.

After successfully applying the patch and then entering an invalid class and then save or save and close I would expect not to get

Can you please point me too the exact place where you entered the value and what value you used?

I can not confirm this issue and get this warning message when i enter an invalid class name:

Maybe I missed one place that need I need to add the new validation rule?

@zero-24 I just got the same error as @adj9 after using com_patchtester. Closer inspection showed that com_pathctester failed to copy the php file - just the xml

Hmm @roland-d can you take a look into that when you get a minute it does not make sense to me as there is nothing special done here that could confuse the PatchTester right?

Updates

With the latest commit we now don't enforce the second rule (Identifiers cannot start with a digit, two hyphens, or a hyphen followed by a digit.) any more for the suffixes but only to the full identifier.

That fixes the following todos mention above:

Allow -1st -2st for the first value of that field
Allow --whatever for the first value of that field
Make sure the BEM CSS (http://getbem.com/naming/) structure is still supported.

allow sm:justify-center

U+003A has been added to the whitelist. thanks @ciar4n

add an extra check for value 0 as that is a not allowed a 0 without an leading space is allowed.

Added thanks @mvanvu

Thanks @coolcat-creations for your database dump. I have checked them and can confirm all of them still work now as in 3.x.

Thanks.

Ok found the reason. When you use <module> it is filtered already before it lands at the validation rule. And as this field is not required but the value is empty at that point the validation rule passes.

Any other feedback or tests on this thing? Would be awesome to move this forward.

I have tested with many strings - here module breadcrumbs

Module class:
<?php echo 'huhu'; ?> was removed on save. But I got no message - onyl the "module saved"
<?php echo 'hu was changed to ?php echo 'hu .. But I got no message - onyl the "module saved"

Header Class:
<?php echo 'hu' - Warning: Invalid Field: Header class
<?php echo 'huhu'; ?> - is removed, the module is saved without warning

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29108.}

All of that should have been filtered before that validation rule kicks in even right now. Can you double check that @chmst ?

I have not tested this item.

Add a class in a new module using a field Header Class (in advanced layer), click Save & Close and I've error 0:

Hi i can not reproduce the issue can you please try a new install of the complete branch?

conflicts solved.

@adj9 It is an issue with Patch Tester not patching correctly. Try the package installer with this PR:

https://ci.joomla.org/artifacts/joomla/joomla-cms/4.0-dev/29108/downloads/33392/

@HLeithner The packages are not available, I get a 404. Can you have a look there?

PR is too old and packages got deleted already I restarted drone to get new one

I updated the branch this does not trigger drone to rebuild it?

Branch has been updated and packages should been rebuild now.

yes and here we have the special case of the fist beeing a suffx so we need to take care of that too.

We're no longer a suffix in J4 - it's just extra class

I can not follow you? So do you want me to do changes here or is this good to go?

Any follow up here @wilsonge so we can move this PR forward to be shipped?

I have tested this item ? unsuccessfully on 21c4b5c

When saving modules you get the following error message:

An error has occurred.

0 Joomla\CMS\Form\Field\TextareaField::validate() rule CssIdentifier missing.

0 Joomla\CMS\Form\Field\TextareaField::validate() rule CssIdentifier missing.

hmm can you confirm that the file is created after you applyed the changes or is it only issuing that error on the modules page?

We're no longer a suffix in J4 - it's just extra class

Ah ok got the point I have now removed that special handling. So this is good to go.

I have tested this item ✅ successfully on 1136c73

After another test using a special Joomla! update package, it now works as it should.

I have tested this item ✅ successfully on 1136c73

it works now as expected ?

Thanks RTC.

Thanks RTC.