Validate named values in candidate parser

thecrypticace · thecrypticace · commit 1f6d61f2687d · 2025-12-01T11:12:48.000-05:00
Candidates that don’t pass this test already won’t get picked up by Oxide so shouldn’t be any worry of compatibility issues
diff --git a/packages/tailwindcss/src/candidate.ts b/packages/tailwindcss/src/candidate.ts
@@ -10,6 +10,7 @@ const COLON = 0x3a
 const DASH = 0x2d
 const LOWER_A = 0x61
 const LOWER_Z = 0x7a
+const IS_VALID_NAMED_VALUE = /^[a-zA-Z0-9_.%-]+$/
 
 export type ArbitraryUtilityValue = {
   kind: 'arbitrary'
@@ -596,6 +597,8 @@ export function* parseCandidate(input: string, designSystem: DesignSystem): Iter
             ? null
             : `${value}/${modifierSegment}`
 
+        if (!IS_VALID_NAMED_VALUE.test(value)) continue
+
         candidate.value = {
           kind: 'named',
           value,
@@ -647,6 +650,8 @@ function parseModifier(modifier: string): CandidateModifier | null {
     }
   }
 
+  if (!IS_VALID_NAMED_VALUE.test(modifier)) return null
+
   return {
     kind: 'named',
     value: modifier,
@@ -798,6 +803,8 @@ export function parseVariant(variant: string, designSystem: DesignSystem): Varia
             }
           }
 
+          if (!IS_VALID_NAMED_VALUE.test(value)) continue
+
           return {
             kind: 'functional',
             root,
