diff -u b/core/modules/breakpoint/lib/Drupal/breakpoint/Breakpoint.php b/core/modules/breakpoint/lib/Drupal/breakpoint/Breakpoint.php
--- b/core/modules/breakpoint/lib/Drupal/breakpoint/Breakpoint.php
+++ b/core/modules/breakpoint/lib/Drupal/breakpoint/Breakpoint.php
@@ -233,15 +233,19 @@
 elseif (isset($matches[3]) && !isset($matches[4])) {
 $value = trim($matches[3]);
 if (!array_key_exists($matches[1], $media_features)) {
- throw new InvalidBreakpointMediaQueryException('Invalid media feature detected.');
+ // We need to allow vendor prefixed media fetures and make sure we
+ // are future proof, so only check allowed characters.
+ if (!preg_match('/^[a-zA-Z0-9\:\-\\ ]+$/i', trim($matches[1]))) {
+ throw new InvalidBreakpointMediaQueryException('Invalid media query detected.');
+ }
 }
- if (is_array($media_features[$matches[1]])) {
+ elseif (is_array($media_features[$matches[1]])) {
 // Check if value is allowed.
 if (!array_key_exists($value, $media_features[$matches[1]])) {
 throw new InvalidBreakpointMediaQueryException('Value is not allowed.');
 }
 }
- else {
+ elseif (isset ($media_features[$matches[1]])) {
 switch ($media_features[$matches[1]]) {
 case 'length':
 $length_matches = array();
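Review bot: In the new unrecognised-feature branch (`if (!array_key_exists($matches[1], $media_features))`) only the feature name is checked; `$value` is never validated there, so for any feature outside `$media_features` the value is accepted as whatever the outer pattern captured. That pattern is outside this hunk, as is the rest of the function, so confirm it restricts `$matches[3]`; if it does not, check the value here too before the query is stored. The allowlist also admits `:` and a space, which the comment does not explain, and it differs from the copy in the `@@ -271,9 +275,17 @@` hunk only by `\:`; for a feature name `'/^[a-zA-Z0-9-]+$/'` looks sufficient. The comment should say that `\\ ` in a single-quoted string reaches PCRE as an escaped space rather than a backslash, and "fetures" should read "features".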
@@ -271,9 +275,17 @@
 }
 $media_type_found = TRUE;
 }
- else {
+ // Check illegal [ONLY | NOT]? S* media_type
+ elseif (preg_match('/^((?:only|not)\s?)\(([\w\-]+)\)$/i', trim($query_part), $matches)) {
 throw new InvalidBreakpointMediaQueryException('Invalid media query detected.');
 }
+ else {
+ // We need to allow vendor prefixed media fetures and make sure we
+ // are future proof, so only check allowed characters.
+ if (!preg_match('/^[a-zA-Z0-9\-\\ ]+$/i', trim($query_part), $matches)) {
+ throw new InvalidBreakpointMediaQueryException('Invalid media query detected.');
+ }
+ }
 }
 }
 return TRUE;
diff -u b/core/modules/breakpoint/lib/Drupal/breakpoint/Tests/BreakpointMediaQueryTest.php b/core/modules/breakpoint/lib/Drupal/breakpoint/Tests/BreakpointMediaQueryTest.php
--- b/core/modules/breakpoint/lib/Drupal/breakpoint/Tests/BreakpointMediaQueryTest.php
+++ b/core/modules/breakpoint/lib/Drupal/breakpoint/Tests/BreakpointMediaQueryTest.php
@@ -58,6 +58,10 @@
 'screen and /* this is a comment */ (min-width)',
 "screen\nand /* this is a comment */ (min-width)",
 "screen\n\nand /* this is\n a comment */ (min-width)",
+ // Unrecognized features are allowed.
+ 'screen and (-webkit-min-device-pixel-ratio: 7)',
+ 'screen and (min-orientation: landscape)',
+ 'screen and (max-orientation: landscape)',
 );
 foreach ($media_queries as $media_query) {
@@ -104,10 +108,9 @@
 'screen and (device-height: -0.8px)',
 'screen and (min-orientation)',
 'screen and (max-orientation)',
- 'screen and (min-orientation: landscape)',
- 'screen and (max-orientation: landscape)',
 'screen and (orientation: bogus)',
 '(orientation: bogus)',
+ 'screen and (ori"entation: bogus)',
 );
 foreach ($media_queries as $media_query) {
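Review bot: The final `else` in the `@@ -271,9 +275,17 @@` hunk of Breakpoint.php changes the fallback from reject to accept: any query part made only of letters, digits, hyphens and spaces now passes without an exception, whether or not it is a known media type or keyword (the earlier branches and the enclosing loop are outside the hunk). Its comment was copied from the feature branch and speaks of vendor-prefixed media features, yet a parenthesised feature can never pass a pattern that excludes `(` and `)`; it should describe this branch instead, e.g. `// Unknown bare tokens: accept only letters, digits, hyphens and spaces.` The third argument `$matches` on this `preg_match` is never read and overwrites the outer `$matches`, so it can be dropped.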
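Review bot: In BreakpointMediaQueryTest.php the only new negative case, `'screen and (ori"entation: bogus)'`, puts the disallowed character in the feature name; nothing covers a disallowed character in the value of an unrecognised feature, which is the input the relaxed validator no longer checks against a known list. Add a case such as `'screen and (-webkit-foo: ba"r)'` (constructed sample) to the invalid list in the `@@ -104,10 +108,9 @@` hunk, and an uppercase or digit-bearing vendor feature to the valid list in the `@@ -58,6 +58,10 @@` hunk, so both sides of the character check are pinned. Both arrays and their test methods start outside the hunks.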