Merge pull request #192 from b7kich/maintain_shorthand_css_important_…

…rule

fixed #191: scrub_css drops !important rule from shorthand css properties

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## unreleased
+
+### Fixes
+
+* Don't drop the `!important` rule from some CSS properties. [[#191](https://github.com/flavorjones/loofah/issues/191)] (Thanks, [@b7kich](https://github.com/b7kich)!)
+
+
 ## 2.6.0 / 2020-06-16
 
 ### Features

lib/loofah/html5/scrub.rb

@@ -8,6 +8,7 @@ module Scrub
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
       CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
       CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }
+      CSS_IMPORTANT = '!important'
 
       class << self
         def allowed_element?(element_name)
@@ -90,6 +91,7 @@ def scrub_css(style)
                 end
               end.compact
               unless value.empty?
+                value << CSS_IMPORTANT if node[:important]
                 propstring = sprintf "%s:%s", name, value.join(" ")
                 sanitized_node = Crass.parse_properties(propstring).first
                 sanitized_tree << sanitized_node << CRASS_SEMICOLON

test/assets/testdata_sanitizer_tests1.dat

@@ -486,6 +486,14 @@
     "rexml": "<div style='color: blue;'></div>"
   },
 
+  {
+    "name": "style_attr_shorthand_important",
+    "input": "<div style=\"border: 2px dashed gray !important;\" />",
+    "output": "<div style='border:2px dashed gray !important;'/>",
+    "xhtml": "<div style='border:2px dashed gray !important;'></div>",
+    "rexml": "<div style='border:2px dashed gray !important;'></div>"
+  },
+
   {
    "name": "attributes_with_embedded_quotes",
    "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",