Added backlisting for certain css properties.
This commit is contained in:
parent
c6cb0e5531
commit
be751c8176
3 changed files with 45 additions and 0 deletions
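--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -126,3 +126,38 @@ Rails.application.config.html_sanitizer_css_properties_whitelist = {
 border-left-color
 ],
 }
+
+Rails.application.config.html_sanitizer_css_values_backlist = {
+'table' => [
+'font-size:0',
+'font-size:0px',
+'font-size:0em',
+'font-size:0%',
+'display:none',
+'visibility:hidden',
+],
+'th' => [
+'font-size:0',
+'font-size:0px',
+'font-size:0em',
+'font-size:0%',
+'display:none',
+'visibility:hidden',
+],
+'tr' => [
+'font-size:0',
+'font-size:0px',
+'font-size:0em',
+'font-size:0%',
+'display:none',
+'visibility:hidden',
+],
+'td' => [
+'font-size:0',
+'font-size:0px',
+'font-size:0em',
+'font-size:0%',
+'display:none',
+'visibility:hidden',
+],
+}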
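Review bot: The four tag entries of the new `html_sanitizer_css_values_backlist` hash are byte-identical lists, so every future addition has to be repeated four times and the copies will drift; build the list once, share it between `table`, `th`, `tr` and `td`, and `.freeze` it, as it is configuration that is never meant to change at runtime. The key is spelled `backlist` while the local that reads it in the sanitizer is `css_values_blacklist` and every sibling key ends in `_whitelist`; if the key is renamed, the reader in the sanitizer's first hunk must change in the same commit. A short comment stating that entries are compared as exact, whitespace-stripped strings would tell the next maintainer what spellings need adding.
```ruby
# … unchanged: html_sanitizer_css_properties_whitelist …

# Normalized (whitespace removed) CSS declarations that must not survive
# sanitizing on table elements; each entry is compared as an exact string.
hidden_table_css = %w[
  font-size:0
  font-size:0px
  font-size:0em
  font-size:0%
  display:none
  visibility:hidden
].freeze

Rails.application.config.html_sanitizer_css_values_backlist = {
  'table' => hidden_table_css,
  'th'    => hidden_table_css,
  'tr'    => hidden_table_css,
  'td'    => hidden_table_css,
}
```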
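--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -16,6 +16,7 @@ satinize html string based on whiltelist
 tags_whitelist = Rails.configuration.html_sanitizer_tags_whitelist
 attributes_whitelist = Rails.configuration.html_sanitizer_attributes_whitelist
 css_properties_whitelist = Rails.configuration.html_sanitizer_css_properties_whitelist
+css_values_blacklist = Rails.application.config.html_sanitizer_css_values_backlist
 classes_whitelist = ['js-signatureMarker']
 attributes_2_css = %w[width height]
 
@@ -146,6 +147,7 @@ satinize html string based on whiltelist
 key = prop[0].strip
 next if !css_properties_whitelist.include?(node.name)
 next if !css_properties_whitelist[node.name].include?(key)
+next if css_values_blacklist[node.name]&.include?(local_pear.gsub(/[[:space:]]/, '').strip)
 style += "#{local_pear};"
 end
 node['style'] = style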
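Review bot: The new `next if css_values_blacklist[node.name]&.include?(...)` line in the second hunk normalizes whitespace but not case, while the tests added in this commit expect `font-Size:0px` and ` Font-size:0%` to be stripped; unless `local_pear` is lower-cased somewhere before this point (not visible in the hunk), those declarations pass the check and reach `style`. The trailing `.strip` is redundant after `gsub(/[[:space:]]/, '')` has removed every whitespace character, so the line can become `next if css_values_blacklist[node.name]&.include?(local_pear.gsub(/[[:space:]]/, '').downcase)`. The comparison is an exact-string denylist, so any spelling the config does not enumerate (another length unit, for instance) is kept; parsing the numeric value of size-like properties would be more robust than growing the list, and this limit deserves a comment at the check. The first hunk reads the setting through `Rails.application.config` while the three lines above it use `Rails.configuration`; both resolve to the same object, but one spelling keeps the block uniform. The enclosing method starts before the first hunk and ends after the second.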
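--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -105,6 +105,14 @@ style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MA
 test 123
 <blockquote></blockquote>
 </div>')
+assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+assert_equal(HtmlSanitizer.strict('<table><tr style="font-Size:0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0em"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+assert_equal(HtmlSanitizer.strict('<table><tr style=" Font-size:0%"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0%;display: none;"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
+assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0%;visibility:hidden;"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
 
 end
 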
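Review bot: The eight new assertions exercise only `tr` and only values that must be removed, so neither a regression in which the denylist over-strips legitimate styling nor a gap in the `td`, `th` and `table` entries would be caught. Add at least one assertion per configured tag and one negative case asserting that a whitelisted, visible declaration such as `font-size: 12px` on a `tr` survives `HtmlSanitizer.strict`; the expected string depends on how the sanitizer re-serializes the style attribute, so take it from an existing passing case rather than guessing. The `font-Size:0px` and ` Font-size:0%` cases rely on case normalization that the sanitizer hunk does not show; if they fail, that check is the place to look. The enclosing test method begins before this hunk.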