184542 2018-04-12 09:03:14 -0700 CSS variables (custom properties) bug & a potential crash 2025-09-06 06:37:38 -0700 1 1 1 Unclassified WebKit CSS Safari 11 Unspecified Unspecified RESOLVED CONFIGURATION CHANGED InRadar P2 Major --- 190039 1 kizmarh webkit-unassigned ahmad.saleem792 ap bfulgham emilio jonlee justin_michaud koivisto rniwa simon.fraser twilco.o webkit-bug-importer zalan oldest_to_newest 1414031 0 337803 kizmarh 2018-04-12 09:03:14 -0700 Created attachment 337803 Crash page Steps to reproduce: Go to https://codepen.io/kizu/pen/MVRRMq (I have managed to reproduce both the bug and the crash both on desktop and mobile safari) In every other browser (including Chrome) the header should have a lime background, but in Safari it gets the pink one. Its also possible to cause this page to crash when creating circularity (uncomment the commented line in the above example, or go to https://codepen.io/kizu/pen/OvGYXx, or open an attached page), which is probably related to the above bug as every other browser handle this without crashing (and properly displaying pink background as --foo becomes invalid). Due to crash being caused by really short CSS string which is possible to pass just as a style attribute to an HTML element, I think it could be really dangerous. 1414038 1 kizmarh 2018-04-12 09:12:12 -0700 Found the minimal CSS that causes the crash: *{--:var(---,var(--))} 1414051 2 ap 2018-04-12 09:52:58 -0700 Looks like infinite recursion. Not sure if the crash and the bug are closely enough related to track in one issue. 1414052 3 webkit-bug-importer 2018-04-12 09:53:21 -0700 <rdar://problem/39384155> 1414058 4 kizmarh 2018-04-12 10:12:50 -0700 Yes, not sure if they related, but seem to be in both cases related to the variable's fallback, but feel free to split into a new one anyway. 1466048 5 kizmarh 2018-10-03 07:14:23 -0700 Any news about this? I find that having a case where 22-characters if CSS cause a crash to be rather dangerous, as it could be possible to use it as an attack, by inserting it somewhere where you have an access to CSS/HTML, and via it basically disabling the browsing experience for anyone using Safari. Also, a question: is it something that would be safe to write about in social networks, so people would know that this is possible and could potentially protect themselves by stripping CSS variables from any user-generated fields, and also as an interesting anecdote about the circularity in CSS? 1694498 6 twilco.o 2020-10-03 22:07:04 -0700 I can't reproduce this in Safari Version 14.0 (15610.1.28.1.9, 15610). I get a lime green background, and no crash from the Codepen nor the minimal CSS you've provided. Can you confirm whether or not this is still an issue? 1892744 7 ahmad.saleem792 2022-08-20 17:35:18 -0700 I am not able to reproduce any crash with test case in Safari 15.6.1 and Safari Technology Preview 151 but I don't get "Lime" background but light reddish / pinkish background and it is same as other browsers (Chrome Canary 106 and Firefox Nightly 105). Please mark this bug accordingly. Thanks! 2141356 8 ahmad.saleem792 2025-09-05 16:19:38 -0700 @Roman - is this reproducing for you? 2141432 9 kizmarh 2025-09-06 01:56:32 -0700 Seems to be working now! 337803 2018-04-12 09:03:14 -0700 2018-04-12 09:03:14 -0700 Crash page safari-crash.html text/html 395 kizmarh PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIiA+Cgo8aGVhZD4KCiAgPG1ldGEgY2hhcnNl dD0iVVRGLTgiPgogIDx0aXRsZT5Db2RlUGVuIC0gU2FmYXJpIHZhcmlhYmxlcyBidWc6IGNyYXNo PC90aXRsZT4KICAgICAgPHN0eWxlPgogICAgICBoMiB7CiAgYmFja2dyb3VuZDogdmFyKC0tZm9v LCBwaW5rKTsKICAtLWZvbzogdmFyKC0tYmFyLCBsaW1lKTsKICAtLWJhcjogdmFyKC0tYmF6LCB2 YXIoLS1mb28pKTsKfQogICAgPC9zdHlsZT4KPC9oZWFkPgoKPGJvZHkgdHJhbnNsYXRlPSJubyIg PgoKICA8aDI+VGhpcyB0ZXh0IHNob3VsZCBoYXZlIGxpbWUgYmFja2dyb3VuZDwvaDI+CjxwPklu IFNhZmFyaSB0aGVyZSBpcyBhIGNyYXNoLjwvcD4KCgoKCgoKPC9ib2R5PgoKPC9odG1sPgo=