scrub_css should not drop !important from shorthand css props

part of flavorjones#191
b7kich · Aug 26, 2020 · 50931f4 · 50931f4
1 parent 1ce8698
commit 50931f4
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb
@@ -8,6 +8,7 @@ module Scrub
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
       CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
       CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }
+      CSS_IMPORTANT = '!important'
 
       class << self
         def allowed_element?(element_name)
@@ -90,6 +91,7 @@ def scrub_css(style)
                 end
               end.compact
               unless value.empty?
+                value += [CSS_IMPORTANT] if node[:important]
                 propstring = sprintf "%s:%s", name, value.join(" ")
                 sanitized_node = Crass.parse_properties(propstring).first
                 sanitized_tree << sanitized_node << CRASS_SEMICOLON

diff --git a/test/assets/testdata_sanitizer_tests1.dat b/test/assets/testdata_sanitizer_tests1.dat
@@ -486,6 +486,14 @@
     "rexml": "<div style='color: blue;'></div>"
   },
 
+ {
+    "name": "style_attr_shorhand_important",
+    "input": "<div style=\"border: 2px dashed gray !important;\" />",
+    "output": "<div style='border:2px dashed gray !important;/>",
+    "xhtml": "<div style='border:2px dashed gray !important;'></div>",
+    "rexml": "<div style='border:2px dashed gray !important;'></div>"
+  },
+
   {
    "name": "attributes_with_embedded_quotes",
    "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",