Added backlisting for certain css properties.

This commit is contained in:
Martin Edenhofer 2018-01-09 14:15:06 +01:00
parent c6cb0e5531
commit be751c8176
3 changed files with 45 additions and 0 deletions


@ -126,3 +126,38 @@ Rails.application.config.html_sanitizer_css_properties_whitelist = {
border-left-color
],
}
Rails.application.config.html_sanitizer_css_values_backlist = {
'table' => [
'font-size:0',
'font-size:0px',
'font-size:0em',
'font-size:0%',
'display:none',
'visibility:hidden',
],
'th' => [
'font-size:0',
'font-size:0px',
'font-size:0em',
'font-size:0%',
'display:none',
'visibility:hidden',
],
'tr' => [
'font-size:0',
'font-size:0px',
'font-size:0em',
'font-size:0%',
'display:none',
'visibility:hidden',
],
'td' => [
'font-size:0',
'font-size:0px',
'font-size:0em',
'font-size:0%',
'display:none',
'visibility:hidden',
],
}
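Review bot: The four per-element lists are byte-identical copies, so a value added to one of them later will silently go missing from the others; define the list once and reference it from each key. The entries are also compared as exact strings by the sanitizer, so the same visual effect written as `font-size:0pt`, `font-size:0rem`, `font-size:0.0` or `visibility:collapse` (which hides a table row just like `hidden`) is not caught; if the list stays literal it should at least include `visibility:collapse` and the other zero-length spellings. The key name `html_sanitizer_css_values_backlist` looks like a typo for `blacklist` (the sanitizer reads it into a variable called `css_values_blacklist`), and renaming it is cheapest now while it has a single reader.
```ruby
hidden_table_values = %w[
  font-size:0 font-size:0px font-size:0em font-size:0%
  display:none visibility:hidden visibility:collapse
].freeze
Rails.application.config.html_sanitizer_css_values_backlist = {
  'table' => hidden_table_values,
  'th'    => hidden_table_values,
  'tr'    => hidden_table_values,
  'td'    => hidden_table_values,
}
```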


@ -16,6 +16,7 @@ satinize html string based on whiltelist
tags_whitelist = Rails.configuration.html_sanitizer_tags_whitelist
attributes_whitelist = Rails.configuration.html_sanitizer_attributes_whitelist
css_properties_whitelist = Rails.configuration.html_sanitizer_css_properties_whitelist
css_values_blacklist = Rails.application.config.html_sanitizer_css_values_backlist
classes_whitelist = ['js-signatureMarker']
attributes_2_css = %w[width height]
@ -146,6 +147,7 @@ satinize html string based on whiltelist
key = prop[0].strip
next if !css_properties_whitelist.include?(node.name)
next if !css_properties_whitelist[node.name].include?(key)
next if css_values_blacklist[node.name]&.include?(local_pear.gsub(/[[:space:]]/, '').strip)
style += "#{local_pear};"
end
node['style'] = style
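Review bot: The new `next if css_values_blacklist[node.name]&.include?(...)` line is an exact string comparison after whitespace removal, so `display:none !important` (normalised to `display:none!important`), `font-size:0.0`, `font-size:0pt`, `font-size:0rem` and `visibility:collapse` all miss the list and are emitted unchanged, while the browser still hides the row; a literal blacklist cannot enumerate every spelling. I would normalise the declaration and let the config hold patterns as well as strings: `value = local_pear.gsub(/[[:space:]]/, '').sub(/!important\z/, '')` followed by `next if css_values_blacklist[node.name]&.any? { |entry| entry.is_a?(Regexp) ? entry.match?(value) : entry == value }`, with an entry such as `/\Afont-size:-?0*\.?0+[a-z%]*\z/` covering every zero font size regardless of unit. The `.strip` after `gsub(/[[:space:]]/, '')` is a no-op since all whitespace is already gone, and the first hunk reads the setting via `Rails.application.config` while the three neighbouring lines use `Rails.configuration`; they are the same object, so pick one. The tests in this commit accept `font-Size`, which suggests `local_pear` is lowercased before this loop, but that happens outside the hunk and I cannot confirm it here; the enclosing method also starts outside the hunk.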


@ -105,6 +105,14 @@ style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MA
test 123
<blockquote></blockquote>
</div>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-Size:0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0em"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style=" Font-size:0%"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0%;display: none;"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0%;visibility:hidden;"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
end
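Review bot: These assertions only show that the style attribute disappears, which would equally happen if `font-size` were not in `css_properties_whitelist['tr']` and the property-whitelist check before the new blacklist line dropped it; nothing here proves the blacklist path is what runs. Add a positive control that a non-zero value survives, e.g. `assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:12px"><td>123</td></tr></table>'), '<table><tr style="font-size:12px;"><td>123</td></tr></table>')` (exact serialisation to be confirmed against the sanitizer's `style += "#{local_pear};"`), plus a case for an element outside the list such as `<div style="display:none">` if that is meant to stay untouched. A case like `font-size:0pt` or `display:none !important` would also document whether the exact-string matching is intended to let those through. As a style point, `assert_equal` takes expected first and actual second; these calls are reversed, so failure messages will label the two sides the wrong way round. The enclosing test method starts outside the hunk.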