When I test the following code the CSS is escaped, but seems to be ignored by any browser I tested with on my Macbook Air M1 (Chrome, Safari, Firefox, Edge).
The example in the documentation is wrong because the escaping should not be applied to the whole CSS, only to fragments that are inserted into the CSS, like URLs – if it comes from non-trusted sources.
Compare:
<?php
$url = 'https://getlaminas.org/images/pictures/home-page.jpg</style><script>alert(1)</script>';
?>
<!doctype html>
<meta charset="utf-8">
<title>Escaped CSS</title>
<style>
body {
background-image: url('<?= $url ?>');
}
</style>
<p>User controlled CSS needs to be properly escaped!</p>
<?php
require_once __DIR__ . '/vendor/autoload.php';
$url = 'https://getlaminas.org/images/pictures/home-page.jpg</style><script>alert(1)</script>';
?>
<!doctype html>
<meta charset="utf-8">
<title>Escaped CSS</title>
<style>
body {
background-image: url('<?= (new Laminas\Escaper\Escaper())->escapeCss($url) ?>');
}
</style>
<p>User controlled CSS needs to be properly escaped!</p>
<?php
require_once __DIR__ . '/vendor/autoload.php';
$url = 'https://getlaminas.org/images/pictures/home-page.jpg';
?>
<!doctype html>
<meta charset="utf-8">
<title>Escaped CSS</title>
<style>
body {
background-image: url('<?= (new Laminas\Escaper\Escaper())->escapeCss($url) ?>');
}
</style>
<p>User controlled CSS needs to be properly escaped!</p>
The goal is to prevent XSS, which in this example means that the JavaScript is not executed. This does not mean that the background image is also set correctly.