From 4a7a379b1da1db19fa5fe08fb4ca6089a9f435c1 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Mar 2026 16:20:11 +0100
Subject: [PATCH 1/6] Update GB hash to point to PR

---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 4d3f3823f0d99..74869994fc741 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
 		"url": "https://develop.svn.wordpress.org/trunk"
 	},
 	"gutenberg": {
-		"ref": "f4d8a5803aa2fbe26e7d9af4d17e80a622b7bab8"
+		"ref": "45dc448e40b13b54416cdc4245844abc277e4d67"
 	},
 	"engines": {
 		"node": ">=20.10.0",
@@ -145,4 +145,4 @@
 		"sync-gutenberg-packages": "grunt sync-gutenberg-packages",
 		"postsync-gutenberg-packages": "grunt wp-packages:sync-stable-blocks && grunt build --dev && grunt build"
 	}
-}
\ No newline at end of file
+}

From 617dbac50eae271dcf1e4b09fede232bc72fb8c3 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Mar 2026 17:23:03 +0100
Subject: [PATCH 2/6] Revert Gutenberg change

---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 74869994fc741..4d3f3823f0d99 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
 		"url": "https://develop.svn.wordpress.org/trunk"
 	},
 	"gutenberg": {
-		"ref": "45dc448e40b13b54416cdc4245844abc277e4d67"
+		"ref": "f4d8a5803aa2fbe26e7d9af4d17e80a622b7bab8"
 	},
 	"engines": {
 		"node": ">=20.10.0",
@@ -145,4 +145,4 @@
 		"sync-gutenberg-packages": "grunt sync-gutenberg-packages",
 		"postsync-gutenberg-packages": "grunt wp-packages:sync-stable-blocks && grunt build --dev && grunt build"
 	}
-}
+}
\ No newline at end of file

From 4917a96d5d645013956cbb1686f19750ad86449c Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Mar 2026 17:24:14 +0100
Subject: [PATCH 3/6] DROPME: See what happens with other CSS changes

---
 src/wp-content/themes/twentytwentyfive/theme.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-content/themes/twentytwentyfive/theme.json b/src/wp-content/themes/twentytwentyfive/theme.json
index 7daeb0dbd749d..eeceb510ca579 100644
--- a/src/wp-content/themes/twentytwentyfive/theme.json
+++ b/src/wp-content/themes/twentytwentyfive/theme.json
@@ -169,7 +169,7 @@
 				{
 					"name": "Fira Code",
 					"slug": "fira-code",
-					"fontFamily": "\"Fira Code\", monospace",
+					"fontFamily": "\"Fira\\20 Code\", monospace",
 					"fontFace": [
 						{
 							"src": [
@@ -177,7 +177,7 @@
 							],
 							"fontWeight": "300 700",
 							"fontStyle": "normal",
-							"fontFamily": "\"Fira Code\""
+							"fontFamily": "\"Fira\\20 Code\""
 						}
 					]
 				}

From f449b029e2f708c4d049d5f75f38cf5e770caeaf Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Mar 2026 18:16:22 +0100
Subject: [PATCH 4/6] Normalize CSS font face font family on upload

---
 src/wp-includes/fonts/class-wp-font-face.php  |  2 +-
 src/wp-includes/fonts/class-wp-font-utils.php | 43 +++++++++++++++++++
 .../class-wp-rest-font-faces-controller.php   |  2 +-
 ...class-wp-rest-font-families-controller.php |  2 +-
 4 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/src/wp-includes/fonts/class-wp-font-face.php b/src/wp-includes/fonts/class-wp-font-face.php
index 193a5d0951ddb..25b1b94ceac3c 100644
--- a/src/wp-includes/fonts/class-wp-font-face.php
+++ b/src/wp-includes/fonts/class-wp-font-face.php
@@ -94,7 +94,7 @@ public function generate_and_print( array $fonts ) {
 
 		$processor = new WP_HTML_Tag_Processor( '<style class="wp-fonts-local"></style>' );
 		$processor->next_tag();
-		$processor->set_modifiable_text( "\n{$css}\n" );
+		$processor->set_modifiable_text( "\n{$css}\n/*# sourceURL=wp-fonts-local */\n" );
 		echo "{$processor->get_updated_html()}\n";
 	}
 
diff --git a/src/wp-includes/fonts/class-wp-font-utils.php b/src/wp-includes/fonts/class-wp-font-utils.php
index 0ec36abc3f64b..b01a81a2ed80f 100644
--- a/src/wp-includes/fonts/class-wp-font-utils.php
+++ b/src/wp-includes/fonts/class-wp-font-utils.php
@@ -77,6 +77,49 @@ public static function sanitize_font_family( $font_family ) {
 		return self::maybe_add_quotes( $output );
 	}
 
+	/**
+	 * This transforms a font name string into a valid, quoted, CSS font-family value.
+	 *
+	 * This expects a single font family and produces a single CSS string. This is suitable for the
+	 * `@font-face` at-rule `font-family` descriptor. It is not suitable for the `font-family` property of the same name.
+	 */
+	public static function font_name_to_css_font_face_font_family_value( string $font_family ): string {
+		// Escape existing backslashes before any other processing.
+		$result = strtr( $font_family, array( '\\' => '\\5C ' ) );
+
+		/*
+		 * CSS Unicode escaping for problematic characters.
+		 * https://www.w3.org/TR/css-syntax-3/#escaping
+		 *
+		 * These characters are not required by CSS but may be problematic in WordPress:
+		 *
+		 * - Normalize and replace newlines. https://www.w3.org/TR/css-syntax-3/#input-preprocessing
+		 * - "<", ">", and "&" are replaced to prevent issues with KSES and other sanitization that
+		 *   is confused by HTML-like text.
+		 *   is confused by HTML-like text.
+		 * - `,`, `"` and `'` are replaced to prevent issues where font families may be processed later.
+		 *
+		 * Note that the Unicode escape sequences are used rather than backslash-escaping so the
+		 * problematic characters are removed completely.
+		 */
+		$result = strtr(
+			$result,
+			array(
+				"\r\n" => '\\A ',
+				"\r"   => '\\A ',
+				"\f"   => '\\A ',
+				"\n"   => '\\A ',
+				','    => '\\2C ',
+				'"'    => '\\22 ',
+				"'"    => '\\27 ',
+				'<'    => '\\3C ',
+				'>'    => '\\3E ',
+				'&'    => '\\26 ',
+			)
+		);
+		return "\"{$result}\"";
+	}
+
 	/**
 	 * Generates a slug from font face properties, e.g. `open sans;normal;400;100%;U+0-10FFFF`
 	 *
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php
index 6b1d44d440247..289cf2e8bd1a0 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php
@@ -540,7 +540,7 @@ public function get_item_schema() {
 							'type'        => 'string',
 							'default'     => '',
 							'arg_options' => array(
-								'sanitize_callback' => array( 'WP_Font_Utils', 'sanitize_font_family' ),
+								'sanitize_callback' => array( 'WP_Font_Utils', 'font_name_to_css_font_face_font_family_value' ),
 							),
 						),
 						'fontStyle'             => array(
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-font-families-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-font-families-controller.php
index a99a885d3945c..5e89d4e226e1e 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-font-families-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-font-families-controller.php
@@ -344,7 +344,7 @@ public function get_item_schema() {
 							'description' => __( 'CSS font-family value.' ),
 							'type'        => 'string',
 							'arg_options' => array(
-								'sanitize_callback' => array( 'WP_Font_Utils', 'sanitize_font_family' ),
+								'sanitize_callback' => array( 'WP_Font_Utils', 'font_name_to_css_font_face_font_family_value' ),
 							),
 						),
 						'preview'    => array(

From 121b339df3d98bebcd9278d701643ac091e087d5 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Mar 2026 18:44:52 +0100
Subject: [PATCH 5/6] Revert theme test change

---
 src/wp-content/themes/twentytwentyfive/theme.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-content/themes/twentytwentyfive/theme.json b/src/wp-content/themes/twentytwentyfive/theme.json
index eeceb510ca579..7daeb0dbd749d 100644
--- a/src/wp-content/themes/twentytwentyfive/theme.json
+++ b/src/wp-content/themes/twentytwentyfive/theme.json
@@ -169,7 +169,7 @@
 				{
 					"name": "Fira Code",
 					"slug": "fira-code",
-					"fontFamily": "\"Fira\\20 Code\", monospace",
+					"fontFamily": "\"Fira Code\", monospace",
 					"fontFace": [
 						{
 							"src": [
@@ -177,7 +177,7 @@
 							],
 							"fontWeight": "300 700",
 							"fontStyle": "normal",
-							"fontFamily": "\"Fira\\20 Code\""
+							"fontFamily": "\"Fira Code\""
 						}
 					]
 				}

From 7eaf9d2bfc347f4bdc87bcd6ad66db7486194988 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Mar 2026 18:45:21 +0100
Subject: [PATCH 6/6] Revert sourceURL addition

---
 src/wp-includes/fonts/class-wp-font-face.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/fonts/class-wp-font-face.php b/src/wp-includes/fonts/class-wp-font-face.php
index 25b1b94ceac3c..193a5d0951ddb 100644
--- a/src/wp-includes/fonts/class-wp-font-face.php
+++ b/src/wp-includes/fonts/class-wp-font-face.php
@@ -94,7 +94,7 @@ public function generate_and_print( array $fonts ) {
 
 		$processor = new WP_HTML_Tag_Processor( '<style class="wp-fonts-local"></style>' );
 		$processor->next_tag();
-		$processor->set_modifiable_text( "\n{$css}\n/*# sourceURL=wp-fonts-local */\n" );
+		$processor->set_modifiable_text( "\n{$css}\n" );
 		echo "{$processor->get_updated_html()}\n";
 	}