wikimedia
diff --git a/‎HISTORY.md‎
Lines changed: 7 additions & 3 deletions b/‎HISTORY.md‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 5 additions & 3 deletions b/‎README.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎src/Grammar/MatcherFactory.php‎
Lines changed: 40 additions & 0 deletions b/‎src/Grammar/MatcherFactory.php‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎src/Sanitizer/CounterStyleAtRuleSanitizer.php‎
Lines changed: 129 additions & 0 deletions b/‎src/Sanitizer/CounterStyleAtRuleSanitizer.php‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎src/Sanitizer/StylePropertySanitizer.php‎
Lines changed: 52 additions & 23 deletions b/‎src/Sanitizer/StylePropertySanitizer.php‎
Lines changed: 52 additions & 23 deletions
@@ -2,14 +2,18 @@
 
 ## css-sanitizer x.x.x (not yet released)
 * Add support for CSS Box Sizing Level 4 (as seen in draft from 2025-02-24)
-	- values: stretch, fit-content, and contain;
-	- properties: aspect-ratio, contain-intrinsic-* (size, width, height, block-size, inline-size), min-intrinsic-size;
+  - values: stretch, fit-content, and contain;
+  - properties: aspect-ratio, contain-intrinsic-* (size, width, height,
+    block-size, inline-size), min-intrinsic-size;
 * Update Color to Level 4 (2025-04-24)
 * Update Values and Units to Level 4 (WD 2024-03-12)
 * Update Display Level 3 to CR 2023-03-30
 * Add support for Ruby Level 1 (WD 2022-12-31)
 * Add support for Transforms Level 2 (WD 2021-11-09)
-* Update Overflow Level 3 to WD 2023-03-29 and add support for Overflow Level 4 (WD 2023-03-21)
+* Update Overflow Level 3 to WD 2023-03-29 and add support for Overflow Level 4
+  (WD 2023-03-21)
+* Add support for Lists and Counters Level 3 (WD 2020-11-17) and Counter Styles
+  Level 3 (WD 2021-07-27)
 
 ## css-sanitizer 5.5.0 (2025-01-27)
 * Ensure <-token and identifiers are always separated as a security
 
@@ -68,19 +68,24 @@ The sanitizer recognizes the following CSS modules:
 * [Cascade Level 4, 2018-08-28](https://www.w3.org/TR/2018/CR-css-cascade-4-20180828)
 * [Color Level 4, 2025-04-24](https://www.w3.org/TR/2025/CRD-css-color-4-20250424)
 * [Compositing Level 1, 2015-01-13](https://www.w3.org/TR/2015/CR-compositing-1-20150113/)
+* [Counter Styles Level 3, 2021-07-27](https://www.w3.org/TR/2021/CR-css-counter-styles-3-20210727/)
 * [CSS Level 2, 2011-06-07](https://www.w3.org/TR/2011/REC-CSS2-20110607/)
 * [Display Level 3, 2023-03-30](https://www.w3.org/TR/2023/CR-css-display-3-20230330/)
 * [Filter Effects Level 1, 2018-12-18](https://www.w3.org/TR/2018/WD-filter-effects-1-20181218)
 * [Flexbox Level 1, 2018-11-19](https://www.w3.org/TR/2018/CR-css-flexbox-1-20181119)
 * [Fonts Level 3, 2018-09-20](https://www.w3.org/TR/2018/REC-css-fonts-3-20180920)
 * [Grid Level 1, 2017-12-14](https://www.w3.org/TR/2017/CR-css-grid-1-20171214/)
 * [Images Level 3, 2019-10-10](https://www.w3.org/TR/2019/CR-css-images-3-20191010)
+* [Lists and Counters Level 3, 2020-11-17](https://www.w3.org/TR/2020/WD-css-lists-3-20201117/)
+* [Logical Properties and Values Level 1, 2018-08-27](https://www.w3.org/TR/2018/WD-css-logical-1-20180827/)
 * [Masking Level 1, 2014-08-26](https://www.w3.org/TR/2014/CR-css-masking-1-20140826/)
 * [Multicol Level 1, 2019-10-15](https://www.w3.org/TR/2019/WD-css-multicol-1-20191015)
 * [Overflow Level 3, 2023-03-29](https://www.w3.org/TR/2023/WD-css-overflow-3-20230329/)
 * [Overflow Level 4, 2023-03-21](https://www.w3.org/TR/2023/WD-css-overflow-4-20230321/)
 * [Page Level 3, 2018-10-18](https://www.w3.org/TR/2018/WD-css-page-3-20181018)
 * [Position Level 3, 2016-05-17](https://www.w3.org/TR/2016/WD-css-position-3-20160517/)
+* [Ruby Level 1, 2022-12-31](https://www.w3.org/TR/2022/WD-css-ruby-1-20221231/)
+* [Selectors Level 4, 2019-02-25](https://www.w3.org/TR/2019/WD-css-pseudo-4-20190225/)
 * [Shapes Level 1, 2014-03-20](https://www.w3.org/TR/2014/CR-css-shapes-1-20140320/)
 * [Sizing Level 3, 2021-12-17](https://www.w3.org/TR/2021/WD-css-sizing-3-20211217/)
 * [Sizing Level 4, 2025-02-24](https://drafts.csswg.org/css-sizing-4/)
@@ -93,9 +98,6 @@ The sanitizer recognizes the following CSS modules:
 * [UI 3 Level 3, 2018-06-21](https://www.w3.org/TR/2018/REC-css-ui-3-20180621)
 * [UI 4 Level 4, 2020-01-02](https://www.w3.org/TR/2020/WD-css-ui-4-20200102)
 * [Writing Modes Level 4, 2019-07-30](https://www.w3.org/TR/2019/CR-css-writing-modes-4-20190730)
-* [Selectors Level 4, 2019-02-25](https://www.w3.org/TR/2019/WD-css-pseudo-4-20190225/)
-* [Logical Properties and Values Level 1, 2018-08-27](https://www.w3.org/TR/2018/WD-css-logical-1-20180827/)
-* [Ruby Level 1, 2022-12-31](https://www.w3.org/TR/2022/WD-css-ruby-1-20221231/)
 
 And also,
 * The `touch-action` property from
 
@@ -1154,6 +1154,46 @@ public function cssSingleEasingFunction() {
 			] );
 	}
 
+	/**
+	 * Matcher for <counter-style>
+	 * @see https://www.w3.org/TR/2021/CR-css-counter-styles-3-20210727/#typedef-counter-style
+	 * @return Matcher
+	 */
+	public function counterStyle() {
+		return $this->cache[__METHOD__] ??= new Alternative( [
+			$this->customIdent( [ 'none' ] ),
+			new FunctionMatcher(
+				'symbols',
+				// "If the system is alphabetic or numeric, there must be at least two
+				// <string>s or <image>s, or else the function is invalid."
+				// Implement that by modifying the grammar
+				new Alternative( [
+					new Juxtaposition( [
+						new KeywordMatcher( [ 'numeric', 'alphabetic' ] ),
+						Quantifier::count(
+							new Alternative( [
+								$this->string(),
+								$this->image()
+							] ),
+							2, INF
+						)
+					] ),
+					new Juxtaposition( [
+						Quantifier::optional( new KeywordMatcher( [
+							'cyclic', 'symbolic', 'fixed'
+						] ) ),
+						Quantifier::plus(
+							new Alternative( [
+								$this->string(),
+								$this->image()
+							] )
+						)
+					] )
+				] )
+			)
+		] );
+	}
+
 	/***************************************************************************/
 	// region   CSS Selectors Level 3
 	/**
 
@@ -0,0 +1,129 @@
+<?php
+
+namespace Wikimedia\CSS\Sanitizer;
+
+use Wikimedia\CSS\Grammar\Alternative;
+use Wikimedia\CSS\Grammar\Juxtaposition;
+use Wikimedia\CSS\Grammar\KeywordMatcher;
+use Wikimedia\CSS\Grammar\Matcher;
+use Wikimedia\CSS\Grammar\MatcherFactory;
+use Wikimedia\CSS\Grammar\Quantifier;
+use Wikimedia\CSS\Grammar\UnorderedGroup;
+use Wikimedia\CSS\Objects\AtRule;
+use Wikimedia\CSS\Objects\CSSObject;
+use Wikimedia\CSS\Objects\Rule;
+use Wikimedia\CSS\Util;
+
+/**
+ * Sanitizes a \@counter-style rule
+ * @see https://www.w3.org/TR/2021/CR-css-counter-styles-3-20210727/
+ */
+class CounterStyleAtRuleSanitizer extends RuleSanitizer {
+	/** @var Matcher */
+	protected $nameMatcher;
+
+	/** @var Sanitizer */
+	protected $propertySanitizer;
+
+	public function __construct( MatcherFactory $matcherFactory, array $options = [] ) {
+		$this->nameMatcher = $matcherFactory->customIdent( [ 'none' ] );
+
+		// Do not include <image> per at-risk note
+		$symbol = new Alternative( [
+			$matcherFactory->string(),
+			$matcherFactory->customIdent()
+		] );
+
+		$integer = $matcherFactory->integer();
+		$counterStyleName = $matcherFactory->customIdent( [ 'none' ] );
+
+		$this->propertySanitizer = new PropertySanitizer( [
+			'additive-symbols' => Quantifier::hash(
+				UnorderedGroup::allOf( [
+					$integer,
+					$symbol,
+				] )
+			),
+			'fallback' => $counterStyleName,
+			'negative' => new Juxtaposition( [
+				$symbol,
+				Quantifier::optional( $symbol )
+			] ),
+			'pad' => UnorderedGroup::allOf( [
+				$integer,
+				$symbol
+			] ),
+			'prefix' => $symbol,
+			'range' => new Alternative( [
+				Quantifier::hash(
+					Quantifier::count(
+						new Alternative( [
+							$integer,
+							new KeywordMatcher( 'infinite' )
+						] ),
+						2, 2
+					)
+				),
+				new KeywordMatcher( 'auto' )
+			] ),
+			'speak-as' => new Alternative( [
+				new KeywordMatcher( [
+					'auto', 'bullets', 'numbers', 'words', 'spell-out'
+				] ),
+				$counterStyleName
+			] ),
+			'suffix' => $symbol,
+			'symbols' => Quantifier::plus( $symbol ),
+			'system' => new Alternative( [
+				new KeywordMatcher( [
+					'cyclic', 'numeric', 'alphabetic', 'symbolic', 'additive'
+				] ),
+				new Juxtaposition( [
+					new KeywordMatcher( 'fixed' ),
+					Quantifier::optional( $integer )
+				] ),
+				new Juxtaposition( [
+					new KeywordMatcher( 'extends' ),
+					$counterStyleName
+				] )
+			] )
+		] );
+	}
+
+	/** @inheritDoc */
+	public function handlesRule( Rule $rule ) {
+		return $rule instanceof AtRule && !strcasecmp( $rule->getName(), 'counter-style' );
+	}
+
+	/** @inheritDoc */
+	protected function doSanitize( CSSObject $object ) {
+		if ( !$object instanceof AtRule || !$this->handlesRule( $object ) ) {
+			$this->sanitizationError( 'expected-at-rule', $object, [ 'counter-style' ] );
+			return null;
+		}
+
+		if ( $object->getBlock() === null ) {
+			$this->sanitizationError( 'at-rule-block-required', $object, [ 'counter-style' ] );
+			return null;
+		}
+
+		// Test the name
+		if ( !$this->nameMatcher->matchAgainst(
+			$object->getPrelude(), [ 'mark-significance' => true ]
+		) ) {
+			$cv = Util::findFirstNonWhitespace( $object->getPrelude() );
+			if ( $cv ) {
+				$this->sanitizationError( 'invalid-counter-style-name', $cv );
+			} else {
+				$this->sanitizationError( 'missing-counter-style-name', $object );
+			}
+			return null;
+		}
+
+		// Test the declaration list
+		$ret = clone $object;
+		$this->fixPreludeWhitespace( $ret, false );
+		$this->sanitizeDeclarationBlock( $ret->getBlock(), $this->propertySanitizer );
+		return $ret;
+	}
+}
@@ -79,6 +79,7 @@ public function __construct( MatcherFactory $matcherFactory ) {
 		$this->addKnownProperties( $this->cssSizing4( $matcherFactory ) );
 		$this->addKnownProperties( $this->cssLogical1( $matcherFactory ) );
 		$this->addKnownProperties( $this->cssRuby1( $matcherFactory ) );
+		$this->addKnownProperties( $this->cssLists3( $matcherFactory ) );
 	}
 
 	/**
@@ -138,25 +139,21 @@ protected function css2( MatcherFactory $matcherFactory ) {
 		] );
 
 		// https://www.w3.org/TR/2011/REC-CSS2-20110607/generate.html
-		$props['list-style-type'] = new KeywordMatcher( [
-			'disc', 'circle', 'square', 'decimal', 'decimal-leading-zero', 'lower-roman', 'upper-roman',
-			'lower-greek', 'lower-latin', 'upper-latin', 'armenian', 'georgian', 'lower-alpha',
-			'upper-alpha', 'none'
-		] );
 		$props['content'] = new Alternative( [
 			new KeywordMatcher( [ 'normal', 'none' ] ),
 			Quantifier::plus( new Alternative( [
 				$matcherFactory->string(),
 				// Replaces <url> per https://www.w3.org/TR/css-images-3/#placement
 				$matcherFactory->image(),
+				// Updated by https://www.w3.org/TR/2020/WD-css-lists-3-20201117/#counter-functions
 				new FunctionMatcher( 'counter', new Juxtaposition( [
 					$matcherFactory->ident(),
-					Quantifier::optional( $props['list-style-type'] ),
+					Quantifier::optional( $matcherFactory->counterStyle() ),
 				], true ) ),
 				new FunctionMatcher( 'counters', new Juxtaposition( [
 					$matcherFactory->ident(),
 					$matcherFactory->string(),
-					Quantifier::optional( $props['list-style-type'] ),
+					Quantifier::optional( $matcherFactory->counterStyle() ),
 				], true ) ),
 				new FunctionMatcher( 'attr', $matcherFactory->ident() ),
 				new KeywordMatcher( [ 'open-quote', 'close-quote', 'no-open-quote', 'no-close-quote' ] ),
@@ -167,22 +164,6 @@ protected function css2( MatcherFactory $matcherFactory ) {
 				$matcherFactory->string(), $matcherFactory->string()
 			] ) ),
 		] );
-		$props['counter-reset'] = new Alternative( [
-			$none,
-			Quantifier::plus( new Juxtaposition( [
-				$matcherFactory->ident(), Quantifier::optional( $matcherFactory->integer() )
-			] ) ),
-		] );
-		$props['counter-increment'] = $props['counter-reset'];
-		$props['list-style-image'] = new Alternative( [
-			$none,
-			// Replaces <url> per https://www.w3.org/TR/css-images-3/#placement
-			$matcherFactory->image()
-		] );
-		$props['list-style-position'] = new KeywordMatcher( [ 'inside', 'outside' ] );
-		$props['list-style'] = UnorderedGroup::someOf( [
-			$props['list-style-type'], $props['list-style-position'], $props['list-style-image']
-		] );
 
 		// https://www.w3.org/TR/2011/REC-CSS2-20110607/tables.html
 		$props['caption-side'] = new KeywordMatcher( [ 'top', 'bottom' ] );
@@ -2118,4 +2099,52 @@ protected function cssRuby1( $matcherFactory ) {
 			'ruby-overhang' => new KeywordMatcher( [ 'auto', 'none' ] ),
 		];
 	}
+
+	/**
+	 * CSS Lists and Counters Module Level 3
+	 * @see https://www.w3.org/TR/2020/WD-css-lists-3-20201117/
+	 *
+	 * @param MatcherFactory $matcherFactory
+	 * @return Matcher[]
+	 */
+	protected function cssLists3( MatcherFactory $matcherFactory ) {
+		// @codeCoverageIgnoreStart
+		if ( isset( $this->cache[__METHOD__] ) ) {
+			return $this->cache[__METHOD__];
+		}
+		// @codeCoverageIgnoreEnd
+		$none = new KeywordMatcher( 'none' );
+		$props = [];
+
+		$props['counter-increment'] = $props['counter-reset'] = $props['counter-set'] =
+			new Alternative( [
+				Quantifier::plus( new Juxtaposition( [
+					$matcherFactory->customIdent( [ 'none' ] ),
+					Quantifier::optional( $matcherFactory->integer() )
+				] ) ),
+				$none
+			] );
+
+		$props['list-style-image'] = new Alternative( [
+			$matcherFactory->image(),
+			$none
+		] );
+
+		$props['list-style-position'] = new KeywordMatcher( [ 'inside', 'outside' ] );
+
+		$props['list-style-type'] = new Alternative( [
+			$matcherFactory->counterStyle(),
+			$matcherFactory->string(),
+			$none
+		] );
+
+		$props['list-style'] = UnorderedGroup::someOf( [
+			$props['list-style-position'], $props['list-style-image'], $props['list-style-type']
+		] );
+
+		$props['marker-side'] = new KeywordMatcher( [ 'match-self', 'match-parent' ] );
+
+		$this->cache[__METHOD__] = $props;
+		return $props;
+	}
 }