whitelist CSS function rgb

[fixes #129] [related to #122] [related to #123]
flavorjones · Feb 11, 2018 · 6b81467 · 6b81467
1 parent 9b13194
commit 6b81467
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,7 @@ Features:
 * Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
 * Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
 * Support SVG `<symbol>` tag. #131 (Thanks, @baopham!)
-* Support for whitelisting CSS functions, initially just `calc`. #122/#123 (Thanks, @NikoRoberts!)
+* Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!)
 
 
 Bugfixes:

diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
@@ -137,7 +137,7 @@ module WhiteList
       purple red right solid silver teal top transparent underline white
       yellow]
 
-      ACCEPTABLE_CSS_FUNCTIONS = Set.new %w[calc]
+      ACCEPTABLE_CSS_FUNCTIONS = Set.new %w[calc rgb]
 
       SHORTHAND_CSS_PROPERTIES = Set.new %w[background border margin padding]
 

diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -275,16 +275,30 @@ def test_css_negative_value_sanitization_shorthand_css_properties
     assert_match %r/-0.05em/, sane.inner_html
   end
 
-  def test_css_function_sanitization_leaves_whitelisted_functions
+  def test_css_function_sanitization_leaves_whitelisted_functions_calc
     html = "<span style=\"width:calc(5%)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
     assert_match %r/calc\(5%\)/, sane.inner_html
+
+    html = "<span style=\"width: calc(5%)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/calc\(5%\)/, sane.inner_html
+  end
+
+  def test_css_function_sanitization_leaves_whitelisted_functions_rgb
+    html = '<span style="color: rgb(255, 0, 0)">'
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/rgb\(255, 0, 0\)/, sane.inner_html
   end
 
   def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
     html = "<span style=\"width:attr(data-evil-attr)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
     assert_match %r/<span><\/span>/, sane.inner_html
+
+    html = "<span style=\"width: attr(data-evil-attr)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/<span><\/span>/, sane.inner_html
   end
 
   def test_issue_90_slow_regex