fix(export): escape line terminators in Tailwind v4 CSS string values#122
Open
rmyndharis wants to merge 1 commit into
Open
fix(export): escape line terminators in Tailwind v4 CSS string values#122rmyndharis wants to merge 1 commit into
rmyndharis wants to merge 1 commit into
Conversation
cssStringLiteral escaped only backslash and double-quote. A font-family value containing a raw newline, carriage return, or form feed (legal via a YAML quoted or block scalar) was emitted verbatim inside the CSS string literal, where raw line terminators are illegal and can break the value out of the @theme token. Emit them as CSS hex escapes (e.g. `\a `).
rajpratham1
approved these changes
Jun 25, 2026
rajpratham1
left a comment
rajpratham1
left a comment
There was a problem hiding this comment.
This is a well-scoped bug fix that improves the correctness of the generated Tailwind v4 CSS. Escaping line terminators (\n, \r, and \f) as CSS hex escapes prevents invalid CSS string literals while preserving the intended value. The accompanying regression test clearly covers the reported edge case and verifies that raw newlines no longer appear in the emitted output.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The Tailwind v4 exporter wraps font-family values with
cssStringLiteral, which escaped only\and". A value containing a raw newline / carriage return / form feed — valid via a YAML double-quoted or block scalar in a DESIGN.md — was emitted verbatim inside the@themeCSS string literal. Raw line terminators are illegal inside a CSS string and can break the value out of the quoted token, producing malformed CSS.This complements the existing token-name validation (which already rejects non-identifier names): names are validated, and string values are now fully escaped.
Fix
Escape
\n,\r, and\fas CSS hex escapes (e.g.\a) incssStringLiteral, alongside the existing\/"escaping.Testing
bun test: 283 pass, 1 skip, 0 fail (added a test: a font-family containing a newline emits"Evil\a Family"with no raw newline)bun run lint(tsc --noEmit): clean