From be751c8176e034ca3d411a070b37db8c637a9602 Mon Sep 17 00:00:00 2001 From: Martin Edenhofer Date: Tue, 9 Jan 2018 14:15:06 +0100 Subject: [PATCH] Added backlisting for certain css properties. --- config/initializers/html_sanitizer.rb | 35 +++++++++++++++++++++++++++ lib/html_sanitizer.rb | 2 ++ test/unit/html_sanitizer_test.rb | 8 ++++++ 3 files changed, 45 insertions(+)
diff --git a/config/initializers/html_sanitizer.rb b/config/initializers/html_sanitizer.rb
index 5d7716340..26dedb014 100644
--- a/config/initializers/html_sanitizer.rb
+++ b/config/initializers/html_sanitizer.rb
@@ -126,3 +126,38 @@ Rails.application.config.html_sanitizer_css_properties_whitelist = {
 border-left-color
 ],
 }
+
+Rails.application.config.html_sanitizer_css_values_backlist = {
+ 'table' => [
+ 'font-size:0',
+ 'font-size:0px',
+ 'font-size:0em',
+ 'font-size:0%',
+ 'display:none',
+ 'visibility:hidden',
+ ],
+ 'th' => [
+ 'font-size:0',
+ 'font-size:0px',
+ 'font-size:0em',
+ 'font-size:0%',
+ 'display:none',
+ 'visibility:hidden',
+ ],
+ 'tr' => [
+ 'font-size:0',
+ 'font-size:0px',
+ 'font-size:0em',
+ 'font-size:0%',
+ 'display:none',
+ 'visibility:hidden',
+ ],
+ 'td' => [
+ 'font-size:0',
+ 'font-size:0px',
+ 'font-size:0em',
+ 'font-size:0%',
+ 'display:none',
+ 'visibility:hidden',
+ ],
+}
diff --git a/lib/html_sanitizer.rb b/lib/html_sanitizer.rb
index d54a5f0fe..2b4ebf716 100644
--- a/lib/html_sanitizer.rb
+++ b/lib/html_sanitizer.rb
@@ -16,6 +16,7 @@ satinize html string based on whiltelist
 tags_whitelist = Rails.configuration.html_sanitizer_tags_whitelist
 attributes_whitelist = Rails.configuration.html_sanitizer_attributes_whitelist
 css_properties_whitelist = Rails.configuration.html_sanitizer_css_properties_whitelist
+ css_values_blacklist = Rails.application.config.html_sanitizer_css_values_backlist
 classes_whitelist = ['js-signatureMarker']
 attributes_2_css = %w[width height]
 
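Review bot: The new setting is named `html_sanitizer_css_values_backlist` (the subject line has the same `backlisting` typo) while the consumer in lib/html_sanitizer.rb reads it into a local called `css_values_blacklist`, so the two names will not match a grep for either spelling; renaming the key to `html_sanitizer_css_values_blacklist` before it ships avoids carrying a misspelled public config key forever. The four element entries are byte-identical copies, which will drift apart the first time someone adds a value to only one of them; defining the list once, `hidden_values = %w[font-size:0 font-size:0px font-size:0em font-size:0% display:none visibility:hidden].freeze`, and writing `'table' => hidden_values, 'th' => hidden_values, 'tr' => hidden_values, 'td' => hidden_values` keeps them in step. Because the sanitizer compares these as exact strings, the list only blocks the spellings written here (a value like `font-size:0pt` or `font-size:0.0` is not in it), so a comment above the hash stating that it holds exact, whitespace-stripped `property:value` declarations keyed by element name would tell the next maintainer what the format is and why additions must match that form.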
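Review bot: The added line reads the setting through `Rails.application.config` while the three lines directly above it use `Rails.configuration`; both resolve to the same object, but the mixed style makes a reader look for a difference that does not exist. Aligning it, `css_values_blacklist = Rails.configuration.html_sanitizer_css_values_backlist`, keeps the block uniform. The enclosing method starts above this hunk.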
@@ -146,6 +147,7 @@ satinize html string based on whiltelist
 key = prop[0].strip
 next if !css_properties_whitelist.include?(node.name)
 next if !css_properties_whitelist[node.name].include?(key)
+ next if css_values_blacklist[node.name]&.include?(local_pear.gsub(/[[:space:]]/, '').strip)
 style += "#{local_pear};"
 end
 node['style'] = style
diff --git a/test/unit/html_sanitizer_test.rb b/test/unit/html_sanitizer_test.rb
index f441499a9..a9e9e629b 100644
--- a/test/unit/html_sanitizer_test.rb
+++ b/test/unit/html_sanitizer_test.rb
@@ -105,6 +105,14 @@ style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MA test 123
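Review bot: The added guard compares the blacklist case-sensitively against the whitespace-stripped declaration, so a differently cased value is not caught even though the test file in this same commit feeds upper-case styles such as `BORDER-LEFT: ...` through the sanitizer, and the trailing `.strip` is a no-op once every `[[:space:]]` character has already been removed. Normalizing before the lookup, `next if css_values_blacklist[node.name]&.include?(local_pear.gsub(/[[:space:]]/, '').downcase)`, closes the case gap and drops the dead call. The line above splits out `key` (the property name) but the new check matches on the whole of `local_pear`, which appears to be the full `property:value` declaration; a short comment saying that the blacklist is keyed by element name and holds whole normalized declarations, not property names, would stop a reader from expecting it to work like `css_properties_whitelist`. The enclosing method begins and ends outside this hunk.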
') + assert_equal(HtmlSanitizer.strict('
123
'), '
123
') + assert_equal(HtmlSanitizer.strict('
123
'), '
123
') + assert_equal(HtmlSanitizer.strict('
123
'), '
123
') + assert_equal(HtmlSanitizer.strict('
123
'), '
123
') + assert_equal(HtmlSanitizer.strict('
123
'), '
123
') + assert_equal(HtmlSanitizer.strict('
123
'), '
123
') + assert_equal(HtmlSanitizer.strict('
123
'), '
123
') + assert_equal(HtmlSanitizer.strict('
123
'), '
123
') end