\XF\Util\Color::isValidColor() produces a positive match for RGB values without commas, can break CSS

apathy

Well-known member
Affected version: 2.2.12
The regex used in this function is capable of producing a positive match when an RGB value without commas is entered - regex101 example

This can cause problems when creating Reactions, for instance: if a comma-less RGB value is specified for the reaction text color, the CSS can break like in the attached screenshot.

Usually this wouldn't be a huge problem since I imagine most admins are using the color picker (which correctly produces commas); however, some of my addons, and I imagine many others, have color fields in public controllers and use isValidColor() to verify them, so if a user who's not too familiar with RGB syntax entered a value with no commas, the whole site's CSS can break.
 

Attachments

  • broken_color_validator_css.webp
    46.7 KB · Views: 18
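
An added example, not part of the original post and not XenForo's code: a stricter check that an add-on could apply to a public color field before the value reaches CSS. The names `LOOSE_RGB`, `STRICT_RGB` and `isStrictRgbColor()` are hypothetical, and the loose pattern is constructed to show the class of problem described above, not copied from `\XF\Util\Color`.

```php
<?php
// Added example: hypothetical helpers, not XenForo's \XF\Util\Color code.

// Constructed loose pattern (NOT XenForo's regex): the separators are
// optional, so comma-less input passes validation.
const LOOSE_RGB = '/^rgba?\(\s*\d{1,3}\s*,?\s*\d{1,3}\s*,?\s*\d{1,3}\s*\)$/i';

// Strict pattern: commas are mandatory, as in the values the color picker
// produces. Alpha is a separate optional fourth component.
const STRICT_RGB = '/^rgb(a?)\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*'
    . '(?:,\s*(\d*\.?\d+)\s*)?\)$/i';

function isStrictRgbColor(string $value): bool
{
    if (!preg_match(STRICT_RGB, trim($value), $m)) {
        return false;
    }
    // Each channel must be within 0-255; \d{1,3} alone would allow 999.
    foreach ([$m[2], $m[3], $m[4]] as $channel) {
        if ((int) $channel > 255) {
            return false;
        }
    }
    $hasAlpha = isset($m[5]) && $m[5] !== '';
    // Design choice for this example: rgba() needs exactly four
    // components and rgb() exactly three.
    if (($m[1] !== '') !== $hasAlpha) {
        return false;
    }
    // Alpha, when present, must be within 0-1.
    return !$hasAlpha || (float) $m[5] <= 1.0;
}

// Constructed sample inputs: two well-formed values, two comma-less
// values, and one out-of-range channel.
$samples = [
    'rgb(255, 0, 0)',
    'rgba(0,128,255,0.5)',
    'rgb(255 0 0)',
    'rgb(25500)',
    'rgb(300, 0, 0)',
];
foreach ($samples as $s) {
    printf("%-22s loose=%d strict=%d\n", $s,
        preg_match(LOOSE_RGB, $s), (int) isStrictRgbColor($s));
}
```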