On normalization failure, stringify entire input as CSS

sirreal · sirreal · commit c2da39f2d856 · 2026-04-01T10:20:22.000+02:00
diff --git a/src/wp-includes/fonts/class-wp-font-utils.php b/src/wp-includes/fonts/class-wp-font-utils.php
@@ -43,29 +43,32 @@ private static function maybe_add_quotes( $item ) {
 	/**
 	 * Normalize @font-face font-family CSS text.
 	 *
-	 * This function attempts to be generous in the allowed values:
+	 * The return value is always normalized to a quoted CSS string.
+	 *
 	 * - Valid @font-face font-family values must return a semantically equivalent result.
 	 * - Normalization must be idempotent.
-	 * - Common mistakes such as providing multiple comma-separated font-family values return a
-	 *   normalization of the first item: `a, b` becomes `"a"`.
-	 * - Invalid trailing content is ignored:  `"string" garbage` becomes `"string"`.
+	 * - If a CSS string is the first value, it will be used discarding subsequent text.
+	 * - The first valid value in a CSS comma-separated list will be used discarding subsequent text.
+	 * - If the value does not appear to be valid CSS or start with a valid CSS
+	 *   @font-face font-family, treat the entire input as a plain string for normalization.
+	 *
+	 * Relevant notes from the CSS specification:
 	 *
 	 * > Syntax of <family-name>
 	 * >     <family-name> = <string> | <custom-ident>+
-	 *
+	 * > …
 	 * > To avoid mistakes in escaping, it is recommended to quote font family names that contain
 	 * > white space, digits, or punctuation characters other than hyphens
 	 *
 	 * @see https://drafts.csswg.org/css-fonts/#family-name-syntax
 	 *
 	 * @param string $font_family CSS text @font-face font-family value.
-	 * @return string|null Normalized value or null if the value could not be normalized.
+	 * @return string Normalized value or null if the value could not be normalized.
 	 */
-	public static function normalize_css_font_face_font_family( string $font_family ): ?string {
-		$processor = WP_CSS_Token_Processor::create( $font_family );
-		if ( null === $processor ) {
-			return null;
-		}
+	public static function normalize_css_font_face_font_family( string $font_family ): string {
+		$font_family = wp_scrub_utf8( $font_family );
+		$processor   = WP_CSS_Token_Processor::create( $font_family );
+		assert( null !== $processor, 'A valid processor must be created' );
 
 		// Ignore leading whitespace tokens.
 		while ( $processor->next_token() && WP_CSS_Token_Processor::TOKEN_WHITESPACE === $processor->get_token_type() ) {
@@ -82,7 +85,7 @@ public static function normalize_css_font_face_font_family( string $font_family
 		 * font-family invalid.
 		 */
 		if ( WP_CSS_Token_Processor::TOKEN_IDENT !== $token_type ) {
-			return null;
+			return WP_CSS_Builder::string( $font_family );
 		}
 
 		/**
@@ -111,7 +114,7 @@ public static function normalize_css_font_face_font_family( string $font_family
 
 				// Anything else is an error.
 				default:
-					return null;
+					return WP_CSS_Builder::string( $font_family );
 			}
 		}
 
diff --git a/tests/phpunit/tests/fonts/font-library/wpFontUtils/normalizeCssFontFaceFontFamily.php b/tests/phpunit/tests/fonts/font-library/wpFontUtils/normalizeCssFontFaceFontFamily.php
@@ -30,15 +30,20 @@ public function test_normalize_css_font_face_font_family( string $input, ?string
 	 * Data provider.
 	 */
 	public static function data_provider(): Generator {
+		// Valid CSS font-family
 		yield 'Already normalized' => array( '"Font"', '"Font"' );
 		yield 'Unquoted' => array( 'Font', '"Font"' );
 		yield 'Multiple idents' => array( 'Font Name', '"Font Name"' );
-		yield 'Number' => array( 'Libre Barcode 128 Text', null );
-		yield 'PX unit number' => array( '10px rest', null );
-		yield '% unit number' => array( '10px rest', null );
-		yield 'Weird unit number' => array( '20xYz rest', null );
-		yield 'Negative number' => array( '-30deg rest', null );
-		yield 'Positive number' => array( '+40rad rest', null );
-		yield 'Multiple ident spaces normalized' => array( "A\nB\rC\r\nD\tE\fF", '"A B C D E F"' );
+		yield 'Idents and whitespace normalized' => array( "A\nB\rC\r\nD\tE\fF", '"A B C D E F"' );
+
+		// Invalid CSS font-family is treated as a plain string.
+		yield 'Input with stray single quote' => array( "O'er the rainbow", '"O\27 er the rainbow"' );
+		yield 'Input with stray double quote' => array( 'Oop"sie', '"Oop\22 sie"' );
+		yield 'Number' => array( 'Libre Barcode 128 Text', '"Libre Barcode 128 Text"' );
+		yield 'PX unit number' => array( '10px rest', '"10px rest"' );
+		yield '% unit number' => array( '10px rest', '"10px rest"' );
+		yield 'Weird unit number' => array( '20xYz rest', '"20xYz rest"' );
+		yield 'Negative number' => array( '-30deg rest', '"-30deg rest"' );
+		yield 'Positive number' => array( '+40rad rest', '"+40rad rest"' );
 	}
 }
