Fix #4678: Validate custom CSS.

* Make it an error to add invalid custom CSS to your account.
* Add a fix script to remove custom CSS from all accounts with invalid CSS.

app/controllers/users_controller.rb

@@ -113,7 +113,7 @@ class UsersController < ApplicationController
   end
 
   def custom_style
-    @css = CurrentUser.user.custom_style
+    @custom_css = CurrentUser.user.custom_css
     expires_in 10.years
   end
 

app/logical/custom_css.rb

@@ -0,0 +1,15 @@
+class CustomCss
+  attr_reader :css
+
+  def initialize(css)
+    @css = css
+  end
+
+  def valid?
+    css.blank? || parsed_css.none? { |node| node[:node] == :error }
+  end
+
+  def parsed_css
+    @parsed_css ||= Crass.parse(css, preserve_comments: true)
+  end
+end

app/models/user.rb

@@ -106,6 +106,7 @@ class User < ApplicationRecord
   validates :password, confirmation: true
   validates :comment_threshold, inclusion: { in: (-100..5) }
   validate  :validate_enable_private_favorites, on: :update
+  validate  :validate_custom_css, if: :custom_style_changed?
   before_validation :normalize_blacklisted_tags
   before_create :promote_to_owner_if_first_user
   has_many :artist_versions, foreign_key: :updater_id
@@ -601,6 +602,18 @@ class User < ApplicationRecord
     end
   end
 
+  concerning :CustomCssMethods do
+    def custom_css
+      CustomCss.new(custom_style)
+    end
+
+    def validate_custom_css
+      if !custom_css.valid?
+        errors.add(:base, "Custom CSS contains a syntax error. Validate it with https://codebeautify.org/cssvalidate")
+      end
+    end
+  end
+
   module SearchMethods
     def search(params)
       params = params.dup

app/views/users/custom_style.css.erb

@@ -1 +1,3 @@
-<%= raw @css %>
+<% if @custom_css.valid? %>
+  <%= raw @custom_css.css %>
+<% end %>