Description
Hello @matthew-dean !
We use the less.js plugin in our platform to allow users to write less to customise pages which get displayed on our client's sites.
Our company, Mention Me (https://mention-me.com), would love to be able to contribute back to the less community, so I'd like to open up a conversation to see if you or your team would be willing to take on some sponsored work if we would be willing to pay for it.
There are some security concerns which have been flagged by our annual penetration test relating to our use of this library. As we allow user input to go through the less compiler, there are lots of things we need to be careful with.
We have some code snippets which our pen test found which can result in a reverse shell being opened, so in the interest of security, I'll leave them out of this issue - feel free to contact me directly and I can share them with you (matt.gill@mention-me.com).
Some ideas which would be great to introduce via the lessc flags might be the following:

```
--disable-at-rules-all      # (Disable ALL at rules)
--disable-at-rules-import   # (Disable all @import)
--disable-at-rules-plugin   # (Disable all @plugin)
--enabled-at-rules=media,supports
...
--remote-file-approved-domains=https://foo.com,https://bar.com
--remote-file-enforce-https
```
Would this be something you'd be willing to have a conversation with us about? Ideally we'd be able to contribute these directly by raising a PR, but we'd like to get the owner of the module who knows the code best to introduce the changes.
cc @edhgoose
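The flags proposed in the issue amount to a deny-by-default policy on at-rules and remote fetches. As an added example (not less.js code and not from the issue's author), here is a pre-compile guard in JavaScript that applies such a policy to untrusted LESS source before it is handed to the compiler; the at-rule allow-list, the approved domains and the sample input are constructed for the demo.

```javascript
// Added example, not less.js code: a deny-by-default pre-compile check that
// mirrors the flags proposed in the issue. Policy values are constructed.
const policy = {
  allowedAtRules: new Set(['media', 'supports']),   // --enabled-at-rules=media,supports
  approvedDomains: new Set(['foo.com', 'bar.com']), // --remote-file-approved-domains
  enforceHttps: true,                               // --remote-file-enforce-https
};

// An at-rule at statement position (start of input/line or after ; { }).
// Variables (@name: value) are excluded by the lookahead, which requires
// whitespace, a parenthesis or a quote after the name rather than a colon.
const AT_RULE = /(?:^|[;{}])\s*@([A-Za-z][\w-]*)(?=[\s("'])/gm;
// Absolute and protocol-relative URLs; captures the scheme ("" if none) and host.
const REMOTE_URL = /(https?:|)\/\/([A-Za-z0-9.-]+)/g;

// Returns the list of policy violations; an empty list means the source passes.
function checkLessPolicy(src, p = policy) {
  // Block comments are removed so a commented-out rule is not reported.
  // Line comments are kept on purpose: stripping "//" would also eat
  // protocol-relative URLs, and a false positive is preferable to a miss.
  const code = src.replace(/\/\*[\s\S]*?\*\//g, '');
  const violations = [];
  for (const [, name] of code.matchAll(AT_RULE)) {
    if (!p.allowedAtRules.has(name.toLowerCase())) {
      violations.push(`at-rule @${name} is disabled`);
    }
  }
  for (const [, scheme, host] of code.matchAll(REMOTE_URL)) {
    if (p.enforceHttps && scheme !== 'https:') {
      violations.push(`remote file on ${host} is not fetched over https`);
    }
    if (!p.approvedDomains.has(host.toLowerCase())) {
      violations.push(`remote host ${host} is not in the approved list`);
    }
  }
  return violations;
}

// Constructed user-supplied LESS mixing allowed and disallowed constructs.
const SAMPLE = `
@color: #c00;
@media (min-width: 600px) {
  .hero { color: @color; background: url("https://foo.com/bg.png"); }
}
@import "http://evil.example/x.less";
@plugin "my-plugin";
`;
```

Regex scanning is a defence-in-depth check rather than a parser, so it errs toward rejecting unusual input; the compiler-level flags requested in the issue remain the right place to enforce the policy.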