wordcamp.org
Update CSS sanitization safelist to support variables
Imported from https://meta.trac.wordpress.org/ticket/4108
Created by @iandunn:
Most browsers support CSS variables now, but they're stripped out by the Jetpack validation process, or the Remote CSS sanitization process.
https://wordpress.slack.com/archives/C08M59V3P/p1548543160179600
Either way, it's probably just because the syntax is new, and the safelist needs to be updated to support it.
- Determine which code needs to be updated (Jetpack's Custom CSS module, WordCamp.org's mu-plugins/jetpack-tweaks/css-sanitization.php, or both)
- If Jetpack, open an issue on their GitHub and add a link to this report
- If Remote CSS, add unit tests, and create patch to make them pass. If there are any ways to inject JavaScript, expressions, etc through the new syntax, then tests should be written for that as well. If the problem turns out to be in sanitize_urls_in_css_properties(), let me know before writing a patch since I have some notes about a potential bug there.
Comment by slackbot:
This ticket was mentioned in Slack in #meta-wordcamp by coreymckrill. View the logs.
Possible Jetpack fix: https://github.com/Automattic/jetpack/pull/20129
The Jetpack issue says the problem was fixed, so this is worth looking into again.
It doesn't look like that fixed it, so I think we need to track https://github.com/Automattic/jetpack/issues/19669.
Core has supported adding CSS for a while now. Are there sanitization functions that we could use there, instead of relying on Jetpack? The editor in Site Editor > Styles > Additional CSS does allow custom properties, so whatever it's using should allow modern CSS.
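
The ticket asks for unit tests covering both the new variable syntax and attempts to inject JavaScript or expressions through it. The following is an added example, not code from WordCamp.org, Jetpack or WordPress core: the function name, the name pattern and the test cases are assumptions, and the check is deliberately stricter than the CSS grammar (it refuses every `url()` rather than validating it).

```php
<?php
// Added example: hypothetical helper, not code from WordCamp.org or Jetpack.
// Returns true when a single declaration using custom-property syntax is safe to keep.
function example_is_safe_css_variable_usage( string $property, string $value ): bool {
	$name = '--[A-Za-z_][A-Za-z0-9_-]*';

	// Escapes and comments can hide tokens from the checks below, so refuse them.
	if ( preg_match( '#\\\\|/\*#', $value ) ) {
		return false;
	}
	// Refuse script and resource-loading constructs, and characters that end the rule.
	if ( preg_match( '/expression\s*\(|javascript\s*:|url\s*\(|@import|[<>{};]/i', $value ) ) {
		return false;
	}
	// Every var() reference must name a well-formed custom property.
	if ( preg_match_all( '/var\s*\(\s*([^,)\s]*)/i', $value, $matches ) ) {
		foreach ( $matches[1] as $referenced ) {
			if ( ! preg_match( '/^' . $name . '$/', $referenced ) ) {
				return false;
			}
		}
	}
	// A custom property being declared must be well formed too. Other property
	// names are assumed to be covered by the existing safelist.
	if ( 0 === strpos( $property, '--' ) ) {
		return 1 === preg_match( '/^' . $name . '$/', $property );
	}
	return true;
}

// Constructed cases: property, value, expected result.
$cases = array(
	array( '--brand-color', '#21759b', true ),
	array( 'color', 'var(--brand-color, #000)', true ),
	array( 'margin', 'calc(var(--gap) * 2)', true ),
	array( '--x', 'expression(1)', false ),
	array( '--x', 'url(javascript:void(0))', false ),
	array( 'color', 'var(--a\\29 red)', false ),
	array( 'color', 'var(brand)', false ),
	array( '--x', 'red; } body { display: none', false ),
	array( '--1 bad', 'red', false ),
);
foreach ( $cases as list( $property, $value, $expected ) ) {
	$actual = example_is_safe_css_variable_usage( $property, $value );
	printf( "%s  %s: %s\n", $actual === $expected ? 'PASS' : 'FAIL', $property, $value );
}
```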