Merge pull request #177 from flavorjones/176-allow-rem-css-sizes

css sanitizer allows "rem" sizes
flavorjones · Nov 25, 2019 · 2767ae3 · 2767ae3
2 parents e5a9ae8 + 13f734f
commit 2767ae3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb
@@ -6,7 +6,7 @@ module HTML5 # :nodoc:
     module Scrub
 
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
-      CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+      CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
       CRASS_SEMICOLON = {:node => :semicolon, :raw => ";"}
 
       class << self

diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -294,6 +294,12 @@ def test_css_high_precision_value_shorthand_css_properties
     assert_match %r/0.3333333334em/, sane.inner_html
   end
 
+  def test_css_rem_value
+    html = "<span style=\"margin-top:10rem;\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/10rem/, sane.inner_html
+  end
+
   def test_css_function_sanitization_leaves_safelisted_functions_calc
     html = "<span style=\"width:calc(5%)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)