diff --git a/CHANGELOG.md b/CHANGELOG.md index 52331f8..f45670c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## unreleased + +### Features + +* Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](https://github.com/flavorjones/loofah/issues/243)] + + ## 2.18.0 / 2022-05-11 ### Features diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb index 43faccd..287b435 100644 --- a/lib/loofah/html5/safelist.rb +++ b/lib/loofah/html5/safelist.rb @@ -742,7 +742,153 @@ module SafeList # https://www.w3.org/TR/css-color-3/#svg-color ACCEPTABLE_CSS_EXTENDED_COLORS = Set.new([ + "aliceblue", + "antiquewhite", + "aqua", + "aquamarine", + "azure", + "beige", + "bisque", + "black", + "blanchedalmond", + "blue", + "blueviolet", "brown", + "burlywood", + "cadetblue", + "chartreuse", + "chocolate", + "coral", + "cornflowerblue", + "cornsilk", + "crimson", + "cyan", + "darkblue", + "darkcyan", + "darkgoldenrod", + "darkgray", + "darkgreen", + "darkgrey", + "darkkhaki", + "darkmagenta", + "darkolivegreen", + "darkorange", + "darkorchid", + "darkred", + "darksalmon", + "darkseagreen", + "darkslateblue", + "darkslategray", + "darkslategrey", + "darkturquoise", + "darkviolet", + "deeppink", + "deepskyblue", + "dimgray", + "dimgrey", + "dodgerblue", + "firebrick", + "floralwhite", + "forestgreen", + "fuchsia", + "gainsboro", + "ghostwhite", + "gold", + "goldenrod", + "gray", + "green", + "greenyellow", + "grey", + "honeydew", + "hotpink", + "indianred", + "indigo", + "ivory", + "khaki", + "lavender", + "lavenderblush", + "lawngreen", + "lemonchiffon", + "lightblue", + "lightcoral", + "lightcyan", + "lightgoldenrodyellow", + "lightgray", + "lightgreen", + "lightgrey", + "lightpink", + "lightsalmon", + "lightseagreen", + "lightskyblue", + "lightslategray", + "lightslategrey", + "lightsteelblue", + "lightyellow", + "lime", + "limegreen", + "linen", + "magenta", + "maroon", + "mediumaquamarine", + "mediumblue", + "mediumorchid", + "mediumpurple", + "mediumseagreen", + "mediumslateblue", + "mediumspringgreen", + "mediumturquoise", + "mediumvioletred", + "midnightblue", + "mintcream", + "mistyrose", + "moccasin", + "navajowhite", + "navy", + "oldlace", + "olive", + "olivedrab", + "orange", + "orangered", + "orchid", + "palegoldenrod", + "palegreen", + "paleturquoise", + "palevioletred", + "papayawhip", + "peachpuff", + "peru", + "pink", + "plum", + "powderblue", + "purple", + "red", + "rosybrown", + "royalblue", + "saddlebrown", + "salmon", + "sandybrown", + "seagreen", + "seashell", + "sienna", + "silver", + "skyblue", + "slateblue", + "slategray", + "slategrey", + "snow", + "springgreen", + "steelblue", + "tan", + "teal", + "thistle", + "tomato", + "turquoise", + "violet", + "wheat", + "white", + "whitesmoke", + "yellow", + "yellowgreen", ]) # see https://www.quackit.com/css/functions/ diff --git a/test/html5/test_scrub_css.rb b/test/html5/test_scrub_css.rb index 28de773..4929143 100644 --- a/test/html5/test_scrub_css.rb +++ b/test/html5/test_scrub_css.rb @@ -58,4 +58,22 @@ class UnitHTML5Scrub < Loofah::TestCase assert_empty(Loofah::HTML5::Scrub.scrub_css(%q(font-family:"AvenirNext-Regular';))) end end + + describe "colors" do + it "allows basic and extended colors" do + text = %q(background-color:blue;) + assert_equal(text, Loofah::HTML5::Scrub.scrub_css(text)) + + text = %q(background-color:brown;) + assert_equal(text, Loofah::HTML5::Scrub.scrub_css(text)) + + text = %q(background-color:lightblue;) + assert_equal(text, Loofah::HTML5::Scrub.scrub_css(text)) + end + + it "does not allow non-colors" do + text = %q(background-color:blurple;) + assert_empty(Loofah::HTML5::Scrub.scrub_css(text)) + end + end end