fix: disallow certain dangerous LESS features

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>

framework/core/locale/core.yml

@@ -18,6 +18,7 @@ core:
       custom_footer_text: => core.ref.custom_footer_text
       custom_header_heading: Custom Header
       custom_header_text: => core.ref.custom_header_text
+      custom_styles_cannot_use_less_features: "The @import and data-uri features are not allowed in custom LESS."
       custom_styles_heading: Custom Styles
       custom_styles_text: Customize your forum's appearance by adding your own Less/CSS code to be applied on top of Flarum's default styles.
       dark_mode_label: Dark Mode

framework/core/src/Forum/ValidateCustomLess.php

@@ -21,6 +21,7 @@ use Illuminate\Filesystem\FilesystemAdapter;
 use League\Flysystem\Adapter\NullAdapter;
 use League\Flysystem\Filesystem;
 use Less_Exception_Parser;
+use Symfony\Contracts\Translation\TranslatorInterface;
 
 /**
  * @internal
@@ -61,6 +62,15 @@ class ValidateCustomLess
             return;
         }
 
+        // Restrict what features can be used in custom LESS
+        if (preg_match('/@import|data-uri\s*\(/i', $event->settings['custom_less'])) {
+            $translator = $this->container->make(TranslatorInterface::class);
+
+            throw new ValidationException([
+                'custom_less' => $translator->trans('core.admin.appearance.custom_styles_cannot_use_less_features')
+            ]);
+        }
+
         // We haven't saved the settings yet, but we want to trial a full
         // recompile of the CSS to see if this custom LESS will break
         // anything. In order to do that, we will temporarily override the