Which characters are safe to leave unescaped in a CSS value context?

I have a string that comes from the user and then is inserted into a large CSS block using a CSS parser.

CSS escaping can be done using \C (where C is a character), \HexOfC (followed by a space) or \6DigitHexOfC.

Generally, all characters can be escaped safely, and CSS will still work as expected. The following works:

    div { background: \23 f66; }
    <div>Test</div>

However, I still want to keep the CSS properties as clean as possible because I want, for example, to be able to read URLs and rules in an inspector.


There are characters that are clearly bad: {};\* must be escaped because they can be used to exit the current rule. I maintain a whitelist (everything is escaped except the allowed characters) rather than a blacklist (everything is allowed except the disallowed characters). The whitelisted characters I currently have are:

    '#', ',', '.', '(', ')', '-', '%', '+', '=', '/', ' ', ':', '\'', '"', '\n', '\r'

Are there any dangerous characters here? Anything that can be used to break out of the rule and influence the rest of the CSS block? Are there any characters not in this list that might be getting an unnecessary escape? (Alphanumeric characters are not escaped by default.)

1 answer

Instead of sanitizing the input, you can simply pass in the items.

Basically a structure file created by the client:

    [
      MyDiv: {                  # Key
        background: "#FFFFFF"   # Element
      }
    ]

In this case, you just need to create the file.

Dummy Code:

    // Dummy code: `structure` and `Element` are the client-supplied structure
    // and its element type from the file above; they are not defined here.
    StringBuilder sb = new StringBuilder();
    for (String key : structure.getKeys()) {
        final List<Element> e = structure.getElements(key);
        sb.append(".")      // This may be changed of course
          .append(key)      // ID or class based on type above
          .append("{")
          // Append Elements
          .append("}");
    }

Creating items should be easy.

Each item is simple:

    S := element-key: element-value;

Then you can also use special commands for whitelisting.

If you want to continue sanitizing, look here: http://www.w3.org/TR/CSS21/grammar.html#scanner


Source: https://habr.com/ru/post/976138/

