otwcode · Bilka2 · Feb 10, 2026 · Feb 7, 2026
diff --git a/lib/css_cleaner.rb b/lib/css_cleaner.rb
@@ -234,13 +234,17 @@ def sanitize_css_gradient(value)
   def sanitize_css_value(value)
     value_stripped = strip_value(value)
 
-    # If it's a comma-separated set of valid values, it's fine. However, we need
-    # to downcase any var() functions to match the css_parser gem's downcasing
-    # of property names.
-    if value_stripped.match?(/^(#{VALUE_REGEX},?\s*)+$/i)
-      return value unless value.match?(/#{VAR_FUNCTION_REGEX}/)
-
-      return value.gsub(/#{VAR_FUNCTION_REGEX}/, &:downcase)
+    begin
+      # If it's a comma-separated set of valid values, it's fine. However, we need
+      # to downcase any var() functions to match the css_parser gem's downcasing
+      # of property names.
+      if value_stripped.match?(/^(#{VALUE_REGEX},?\s*)+$/i)
+        return value unless value.match?(/#{VAR_FUNCTION_REGEX}/)
+
+        return value.gsub(/#{VAR_FUNCTION_REGEX}/, &:downcase)
+      end
+    rescue Regexp::TimeoutError
+      # If we fail to match within the timeframe, it is likely that the value is invalid.
     end
 
     # If the value is explicitly in our list of supported keywords, it's fine.

diff --git a/spec/lib/css_cleaner_spec.rb b/spec/lib/css_cleaner_spec.rb
@@ -191,6 +191,12 @@
         expect(skin.save).to be_truthy
         expect(skin.css).to eq("div {\n  color: #ddd !important;\n}\n\n")
       end
+
+      it "strips long invalid property values" do
+        skin = build(:skin, css: "div { color: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah!; }")
+        expect(skin.save).to be_falsy
+        expect(skin.css).to eq("")
+      end
     end
 
     context "when cleaning WorkSkin CSS" do