\XF\Util\Color::isValidColor() produces a positive match for RGB values without commas, can break CSS


The regex used in this function is capable of producing a positive match when an RGB value without commas is entered - regex101 example

This can cause problems when creating Reactions, for instance: if a comma-less RGB value is specified for the reaction text color, the CSS can break, as in the attached screenshot.

Usually this wouldn't be a huge problem, since I imagine most admins are using the color picker (which correctly produces commas). However, some of my addons, and I imagine many others, have color fields in public controllers and use isValidColor() to verify them, so if a user who's not too familiar with RGB syntax entered a value with no commas, the whole site's CSS can break.


  • broken_color_validator_css.png
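A strict check of the kind an add-on could run on a user-supplied color before it reaches the stylesheet, shown next to a loose pattern with the flaw reported above. This is an added example, not part of the original post and not XenForo's code: `LOOSE_RGB` is a constructed pattern (not the regex in `isValidColor()`) and `isStrictColor()` is a hypothetical helper.

```php
<?php
declare(strict_types=1);

// Constructed loose pattern (NOT XenForo's actual regex): the separator class
// makes the comma optional, so "rgb(255 0 0)" is accepted.
const LOOSE_RGB = '/^rgba?\(\s*\d+[\s,]+\d+[\s,]+\d+(?:[\s,]+[\d.]+)?\s*\)$/i';

/**
 * Hypothetical strict check for add-on code that takes colors from users:
 * accepts #rgb / #rrggbb and comma-separated rgb()/rgba() with ranged channels.
 */
function isStrictColor(string $value): bool
{
    $value = trim($value);

    if (preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/iD', $value)) {
        return true;
    }

    // Commas are mandatory between channels; the alpha value is optional here
    // and is tied to the function name by the final check below.
    $re = '/^(rgba?)\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*'
        . '(?:,\s*(0|1|0?\.\d+|1\.0+)\s*)?\)$/iD';
    if (!preg_match($re, $value, $m)) {
        return false;
    }

    // The pattern only limits digit count, so range-check each channel.
    foreach ([$m[2], $m[3], $m[4]] as $channel) {
        if ((int) $channel > 255) {
            return false;
        }
    }

    // rgb() must have three values, rgba() must have four.
    $hasAlpha = isset($m[5]) && $m[5] !== '';
    return (strtolower($m[1]) === 'rgba') === $hasAlpha;
}

// Constructed sample inputs.
$samples = ['rgb(255, 0, 0)', 'rgb(255 0 0)', 'rgba(0,0,0,0.5)', 'rgb(300, 0, 0)', '#fa0'];
foreach ($samples as $s) {
    printf("%-18s loose=%s strict=%s\n", $s,
        preg_match(LOOSE_RGB, $s) ? 'yes' : 'no',
        isStrictColor($s) ? 'yes' : 'no');
}
```

Rejecting the value at the controller keeps a malformed color out of the generated CSS instead of relying on every template that prints it.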