Validate named values in candidate parser (#19397)

thecrypticace · web-flow · commit a5f4644507d9 · 2025-12-03T15:06:25.000-05:00
Fixes tailwindlabs/tailwindcss-intellisense#1506
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Improve backwards compatibility for `content` theme key from JS configs ([#19381](https://github.com/tailwindlabs/tailwindcss/pull/19381))
 - Upgrade: Handle `future` and `experimental` config keys ([#19344](https://github.com/tailwindlabs/tailwindcss/pull/19344))
 - Try to canonicalize any arbitrary utility to a bare value ([#19379](https://github.com/tailwindlabs/tailwindcss/pull/19379))
+- Validate candidates similarly to Oxide ([#19397](https://github.com/tailwindlabs/tailwindcss/pull/19397))
 - Canonicalization: combine `text-*` and `leading-*` classes ([#19396](https://github.com/tailwindlabs/tailwindcss/pull/19396))
 
 ### Added
diff --git a/packages/tailwindcss/src/candidate.test.ts b/packages/tailwindcss/src/candidate.test.ts
@@ -1997,7 +1997,12 @@ it.each([
 
   // Arbitrary variant values that end the block
   'data-[a]{color:red}foo[a]:flex',
-])('should not parse invalid arbitrary values: %s', (rawCandidate) => {
+
+  // Named values contain invalid characters
+  'data-foo=bar:flex',
+  'bg-foo=bar',
+  'bg-red-500/foo=bar',
+])('should not parse invalid values: %s', (rawCandidate) => {
   let utilities = new Utilities()
   utilities.static('flex', () => [])
   utilities.functional('bg', () => [])
diff --git a/packages/tailwindcss/src/candidate.ts b/packages/tailwindcss/src/candidate.ts
@@ -10,6 +10,7 @@ const COLON = 0x3a
 const DASH = 0x2d
 const LOWER_A = 0x61
 const LOWER_Z = 0x7a
+const IS_VALID_NAMED_VALUE = /^[a-zA-Z0-9_.%-]+$/
 
 export type ArbitraryUtilityValue = {
   kind: 'arbitrary'
@@ -596,6 +597,8 @@ export function* parseCandidate(input: string, designSystem: DesignSystem): Iter
             ? null
             : `${value}/${modifierSegment}`
 
+        if (!IS_VALID_NAMED_VALUE.test(value)) continue
+
         candidate.value = {
           kind: 'named',
           value,
@@ -647,6 +650,8 @@ function parseModifier(modifier: string): CandidateModifier | null {
     }
   }
 
+  if (!IS_VALID_NAMED_VALUE.test(modifier)) return null
+
   return {
     kind: 'named',
     value: modifier,
@@ -798,6 +803,8 @@ export function parseVariant(variant: string, designSystem: DesignSystem): Varia
             }
           }
 
+          if (!IS_VALID_NAMED_VALUE.test(value)) continue
+
           return {
             kind: 'functional',
             root,
