Merge pull request #178 from JuanitoFatas/allow-more-css-values

[CSS Sanitizer] Allow more css length units
flavorjones · Nov 29, 2019 · 3133e33 · 3133e33
2 parents 9c39a16 + bab56b5
commit 3133e33
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb
@@ -6,7 +6,7 @@ module Loofah
   module HTML5 # :nodoc:
     module Scrub
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
-      CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+      CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
       CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }
 
       class << self

diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -299,6 +299,48 @@ def test_css_rem_value
     assert_match %r/10rem/, sane.inner_html
   end
 
+  def test_css_ch_value
+    html = "<div style=\"width:60ch;\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/60ch/, sane.inner_html
+  end
+
+  def test_css_vw_value
+    html = "<div style=\"font-size: calc(16px + 1vw);\"></body>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/1vw/, sane.inner_html
+  end
+
+  def test_css_vh_value
+    html = "<div style=\"height: 100vh;\"></body>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/100vh/, sane.inner_html
+  end
+
+  def test_css_Q_value
+    html = "<div style=\"height: 10Q;\"></body>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/10Q/, sane.inner_html
+  end
+
+  def test_css_lh_value
+    html = "<p style=\"line-height: 2lh;\"></body>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/2lh/, sane.inner_html
+  end
+
+  def test_css_vmin_value
+    html = "<div style=\"width: 42vmin;\"></body>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/42vmin/, sane.inner_html
+  end
+
+  def test_css_vmax_value
+    html = "<div style=\"width: 42vmax;\"></body>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/42vmax/, sane.inner_html
+  end
+
   def test_css_function_sanitization_leaves_safelisted_functions_calc
     html = "<span style=\"width:calc(5%)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)