Fix #4678: Validate custom CSS.

* Make it an error to add invalid custom CSS to your account.
* Add a fix script to remove custom CSS from all accounts with invalid CSS.

Gemfile

@@ -55,6 +55,7 @@ gem "pry-rails"
 gem "ffi"
 gem "rbtrace"
 gem "good_job"
+gem "crass"
 
 group :development do
   gem 'rubocop', require: false

Gemfile.lock

@@ -553,6 +553,7 @@ DEPENDENCIES
   capybara
   clockwork
   codecov
+  crass
   daemons
   derailed_benchmarks
   diff-lcs

app/controllers/users_controller.rb

@@ -113,7 +113,7 @@ class UsersController < ApplicationController
   end
 
   def custom_style
-    @css = CurrentUser.user.custom_style
+    @custom_css = CurrentUser.user.custom_css
     expires_in 10.years
   end
 

app/logical/custom_css.rb

@@ -0,0 +1,15 @@
+class CustomCss
+  attr_reader :css
+
+  def initialize(css)
+    @css = css
+  end
+
+  def valid?
+    css.blank? || parsed_css.none? { |node| node[:node] == :error }
+  end
+
+  def parsed_css
+    @parsed_css ||= Crass.parse(css, preserve_comments: true)
+  end
+end

app/models/user.rb

@@ -106,6 +106,7 @@ class User < ApplicationRecord
   validates :password, confirmation: true
   validates :comment_threshold, inclusion: { in: (-100..5) }
   validate  :validate_enable_private_favorites, on: :update
+  validate  :validate_custom_css, if: :custom_style_changed?
   before_validation :normalize_blacklisted_tags
   before_create :promote_to_owner_if_first_user
   has_many :artist_versions, foreign_key: :updater_id
@@ -601,6 +602,18 @@ class User < ApplicationRecord
     end
   end
 
+  concerning :CustomCssMethods do
+    def custom_css
+      CustomCss.new(custom_style)
+    end
+
+    def validate_custom_css
+      if !custom_css.valid?
+        errors.add(:base, "Custom CSS contains a syntax error. Validate it with https://codebeautify.org/cssvalidate")
+      end
+    end
+  end
+
   module SearchMethods
     def search(params)
       params = params.dup

app/views/users/custom_style.css.erb

@@ -1 +1,3 @@
-<%= raw @css %>
+<% if @custom_css.valid? %>
+  <%= raw @custom_css.css %>
+<% end %>

script/fixes/091_delete_invalid_custom_css.rb

@@ -0,0 +1,21 @@
+#!/usr/bin/env ruby
+
+require_relative "base"
+
+with_confirmation do
+  users = User.where("custom_style != ''").select { |user| !user.custom_css.valid? }
+
+  users.each do |user|
+    Dmail.create_automated(to: user, title: "Action required: Your custom CSS is invalid", body: <<~EOS)
+      Hi,
+
+      The custom CSS in your account settings is invalid and has been removed from your account. To restore it, go to https://codebeautify.org/cssvalidate, copy and paste the CSS below, and fix any errors that are shown. Then, go to your account settings at https://danbooru.donmai.us/settings, click the Advanced tab, and re-add your custom CSS.
+
+      [code]
+      #{user.custom_style}
+      [/code]
+    EOS
+
+    user.update!(custom_style: "")
+  end
+end

test/unit/user_test.rb

@@ -268,5 +268,20 @@ class UserTest < ActiveSupport::TestCase
         assert_equal([user3.id], User.search(name: "bar\\\*baz").map(&:id))
       end
     end
+
+    context "custom CSS" do
+      should "raise a validation error on invalid custom CSS" do
+        user = build(:user, custom_style: "}}}")
+
+        assert_equal(true, user.invalid?)
+        assert_match(/Custom CSS contains a syntax error/, user.errors[:base].first)
+      end
+
+      should "allow blank CSS" do
+        user = build(:user, custom_style: " ")
+
+        assert_equal(true, user.valid?)
+      end
+    end
   end
 end