From 50931f4a4309f34bc15daf4ff2f3d649e7972448 Mon Sep 17 00:00:00 2001 From: Christian Kissner Date: Tue, 25 Aug 2020 17:00:04 +0000 Subject: [PATCH 1/3] scrub_css should not drop `!important` from shorthand css props part of #191 --- lib/loofah/html5/scrub.rb | 2 ++ test/assets/testdata_sanitizer_tests1.dat | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index 6375d15a..8a4c806d 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -8,6 +8,7 @@ module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/ CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } + CSS_IMPORTANT = '!important' class << self def allowed_element?(element_name) @@ -90,6 +91,7 @@ def scrub_css(style) end end.compact unless value.empty? + value += [CSS_IMPORTANT] if node[:important] propstring = sprintf "%s:%s", name, value.join(" ") sanitized_node = Crass.parse_properties(propstring).first sanitized_tree << sanitized_node << CRASS_SEMICOLON diff --git a/test/assets/testdata_sanitizer_tests1.dat b/test/assets/testdata_sanitizer_tests1.dat index c7a5f063..b5646464 100644 --- a/test/assets/testdata_sanitizer_tests1.dat +++ b/test/assets/testdata_sanitizer_tests1.dat @@ -486,6 +486,14 @@ "rexml": "
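Review bot: `CSS_IMPORTANT = '!important'` in the first scrub.rb hunk is a mutable String unless the file carries a `# frozen_string_literal: true` magic comment, which is not visible here. PATCH 2/3 then changes the call site to `value << CSS_IMPORTANT`, which places that same String object in the array rather than a copy, so any in-place edit downstream would change what every later call appends. For a constant that ends up in sanitizer output I would write `CSS_IMPORTANT = '!important'.freeze`. The enclosing `module Scrub` starts and ends outside the hunk.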
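Review bot: The added `value += [CSS_IMPORTANT] if node[:important]` line in `scrub_css` carries no comment on why re-attaching the flag is safe, and PATCH 2/3 keeps it uncommented as `value << CSS_IMPORTANT if node[:important]`. The token comes from a fixed literal gated on the parsed node's `:important` flag, so nothing from the raw style string is copied into `propstring`; I would record that above the line as `# re-attach !important from the parsed flag; never copy raw declaration text into propstring`. The comment or the changelog should also say that sanitized shorthand declarations can now outrank even `!important` rules in an embedding page's stylesheet, which matters to anyone relying on those rules to constrain user-supplied styles. A fixture in which every shorthand value is filtered out while `!important` is present would pin that the `unless value.empty?` guard still drops the whole declaration. `scrub_css` starts and ends outside the hunk.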
" }, + { + "name": "style_attr_shorhand_important", + "input": "
", + "output": "
", + "rexml": "
" + }, + { "name": "attributes_with_embedded_quotes", "input": "", From ea6fe90fb6f31e1457b79444511584a872570e51 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Wed, 26 Aug 2020 15:13:30 -0400 Subject: [PATCH 2/3] prefer Array#<< to creating a new array and clean up test data part of #191 --- lib/loofah/html5/scrub.rb | 2 +- test/assets/testdata_sanitizer_tests1.dat | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index 8a4c806d..e2e3d70e 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -91,7 +91,7 @@ def scrub_css(style) end end.compact unless value.empty? - value += [CSS_IMPORTANT] if node[:important] + value << CSS_IMPORTANT if node[:important] propstring = sprintf "%s:%s", name, value.join(" ") sanitized_node = Crass.parse_properties(propstring).first sanitized_tree << sanitized_node << CRASS_SEMICOLON diff --git a/test/assets/testdata_sanitizer_tests1.dat b/test/assets/testdata_sanitizer_tests1.dat index b5646464..a7298ac5 100644 --- a/test/assets/testdata_sanitizer_tests1.dat +++ b/test/assets/testdata_sanitizer_tests1.dat @@ -486,10 +486,10 @@ "rexml": "
" }, - { - "name": "style_attr_shorhand_important", + { + "name": "style_attr_shorthand_important", "input": "
", - "output": "
", "xhtml": "
", "rexml": "
" }, From 0aba0b996e0090fc6e4dde3477eb4dd3edba80aa Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Wed, 26 Aug 2020 15:16:56 -0400 Subject: [PATCH 3/3] update CHANGELOG part of #191 --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c7bdfbc..df15c024 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## unreleased + +### Fixes + +* Don't drop the `!important` rule from some CSS properties. [[#191](https://github.com/flavorjones/loofah/issues/191)] (Thanks, [@b7kich](https://github.com/b7kich)!) + + ## 2.6.0 / 2020-06-16 ### Features