Added backlisting for certain css properties.

2018-01-09 14:15:06 +01:00 · 2018-01-09 14:15:06 +01:00 · be751c8176
parent c6cb0e5531
commit be751c8176
3 changed files with 45 additions and 0 deletions
--- a/config/initializers/html_sanitizer.rb
+++ b/config/initializers/html_sanitizer.rb
@ -126,3 +126,38 @@ Rails.application.config.html_sanitizer_css_properties_whitelist = {
    border-left-color
  ],
 }
+
+Rails.application.config.html_sanitizer_css_values_backlist = {
+  'table' => [
+    'font-size:0',
+    'font-size:0px',
+    'font-size:0em',
+    'font-size:0%',
+    'display:none',
+    'visibility:hidden',
+  ],
+  'th' => [
+    'font-size:0',
+    'font-size:0px',
+    'font-size:0em',
+    'font-size:0%',
+    'display:none',
+    'visibility:hidden',
+  ],
+  'tr' => [
+    'font-size:0',
+    'font-size:0px',
+    'font-size:0em',
+    'font-size:0%',
+    'display:none',
+    'visibility:hidden',
+  ],
+  'td' => [
+    'font-size:0',
+    'font-size:0px',
+    'font-size:0em',
+    'font-size:0%',
+    'display:none',
+    'visibility:hidden',
+  ],
+}
--- a/lib/html_sanitizer.rb
+++ b/lib/html_sanitizer.rb
@ -16,6 +16,7 @@ satinize html string based on whiltelist
    tags_whitelist = Rails.configuration.html_sanitizer_tags_whitelist
    attributes_whitelist = Rails.configuration.html_sanitizer_attributes_whitelist
    css_properties_whitelist = Rails.configuration.html_sanitizer_css_properties_whitelist
+    css_values_blacklist = Rails.application.config.html_sanitizer_css_values_backlist
    classes_whitelist = ['js-signatureMarker']
    attributes_2_css = %w[width height]

@ -146,6 +147,7 @@ satinize html string based on whiltelist
          key = prop[0].strip
          next if !css_properties_whitelist.include?(node.name)
          next if !css_properties_whitelist[node.name].include?(key)
+          next if css_values_blacklist[node.name]&.include?(local_pear.gsub(/[[:space:]]/, '').strip)
          style += "#{local_pear};"
        end
        node['style'] = style
--- a/test/unit/html_sanitizer_test.rb
+++ b/test/unit/html_sanitizer_test.rb
@ -105,6 +105,14 @@ style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MA
 test 123
 <blockquote></blockquote>
 </div>')
+    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+    assert_equal(HtmlSanitizer.strict('<table><tr style="font-Size:0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0em"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+    assert_equal(HtmlSanitizer.strict('<table><tr style=" Font-size:0%"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0%;display: none;"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0%;visibility:hidden;"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')

  end