We have a requirement to allow users to customise the CSS for a PHP app. In general, only that user will be able to view the custom CSS, but there are cases when other users in their group could also view the CSS, hence the need to ensure that it's sanitized.
I am aware that HTMLPurifier and CSSTidy can be used for PHP, but CSSTidy is extremely outdated, and apparently can't handle everything that we need to throw at it.
I haven't found any other PHP libs that can do this.
One alternative that I am exploring is taking a Ruby library (http://apidock.com/rails/HTML/WhiteListSanitizer/sanitize_css or https://github.com/courtenay/css_file_sanitize/blob/master/lib/css_sanitize.rb) and converting it into PHP.
Before I go down that route, are there any alternatives to the above? And are there any pitfalls that I should be aware of before using one of the Ruby libs?
HTMLPurifier and CSSTidy are the right tools. CSSTidy is still being maintained by Cedric Morin and a few other developers on GitHub. Also, the default CSS level of CSSTidy has been CSS3.0 since April 2012.
You may use that.
What do you need to sanitize? CSS is pretty straightforward; if you don't need to make sure it is all valid strict CSS, you can just check that it matches a pattern of selectors, brackets, items, colons and values, no?
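
A sketch of the pattern-plus-allowlist approach discussed above, added here as an example; it is not code from any poster, HTMLPurifier, CSSTidy or the linked Ruby libraries. The property list, token grammar, function names and sample input are all assumptions chosen for illustration.

```php
<?php
// Added example; the property list and token grammar are illustrative assumptions.
const ALLOWED_PROPS = ['color', 'background-color', 'font-size', 'font-weight',
    'margin', 'padding', 'text-align', 'text-decoration'];
// One value token: hex colour, number with optional unit, or bare keyword. No parentheses,
// quotes, backslashes or colons, so url(), expression() and escapes never reach the output.
const SAFE_TOKEN = '/^(?:#[0-9a-f]{3,8}|-?(?:\d+(?:\.\d+)?|\.\d+)(?:px|em|rem|pt|%)?|[a-z][a-z-]*)\z/i';
const SAFE_SELECTOR = '/^[\w\s.#>+~,:-]+\z/';

function value_is_safe(string $value): bool
{
    $tokens = preg_split('/[\s,]+/', $value, -1, PREG_SPLIT_NO_EMPTY);
    return $tokens && !preg_grep(SAFE_TOKEN, $tokens, PREG_GREP_INVERT);
}

function sanitize_css(string $css): string
{
    $css = preg_replace('~/\*.*?\*/~s', '', $css) ?? ''; // strip comments before validating
    $out = [];
    // Only flat "selector { declarations }" blocks are considered; output is rebuilt from parts.
    preg_match_all('/([^{}]+)\{([^{}]*)\}/', $css, $rules, PREG_SET_ORDER);
    foreach ($rules as [, $selector, $body]) {
        $selector = trim($selector);
        if (!preg_match(SAFE_SELECTOR, $selector)) {
            continue; // fails closed on at-rules, attribute selectors, escapes, markup
        }
        $decls = [];
        foreach (explode(';', $body) as $decl) {
            [$prop, $value] = array_map('trim', explode(':', $decl, 2) + [1 => '']);
            $prop = strtolower($prop);
            if (in_array($prop, ALLOWED_PROPS, true) && value_is_safe($value)) {
                $decls[] = "$prop: $value";
            }
        }
        if ($decls) {
            $out[] = $selector . ' { ' . implode('; ', $decls) . '; }';
        }
    }
    return implode("\n", $out);
}

// Constructed sample input: benign declarations mixed with constructs the filter must drop.
$sample = ".note { color: #c00; background-color: url(//x.example/b.png); width: expression(1) }\n"
        . "@import url(//x.example/a.css); p.intro { font-size: 1.2em }\n"
        . "a:hover { text-decoration: underline; margin: 0 auto }";
echo sanitize_css($sample), "\n";
```

The filter rebuilds the stylesheet from validated pieces instead of deleting bad substrings, so anything it does not recognise is dropped, including a whole rule whose selector text has an unparsed at-rule in front of it.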