expand set of allowed CSS functions

still omit `url` and `image`

related to #122 and #123
also see #143

lib/loofah/html5/whitelist.rb

@@ -642,9 +642,59 @@ module WhiteList
                                           "yellow",
                                         ])
 
+      # see https://www.quackit.com/css/functions/
+      # omit `url` and `image` from that list
       ACCEPTABLE_CSS_FUNCTIONS = Set.new([
+                                           "attr",
+                                           "blur",
+                                           "brightness",
                                            "calc",
+                                           "circle",
+                                           "contrast",
+                                           "counter",
+                                           "counters",
+                                           "cubic-bezier",
+                                           "drop-shadow",
+                                           "ellipse",
+                                           "grayscale",
+                                           "hsl",
+                                           "hsla",
+                                           "hue-rotate",
+                                           "hwb",
+                                           "inset",
+                                           "invert",
+                                           "linear-gradient",
+                                           "matrix",
+                                           "matrix3d",
+                                           "opacity",
+                                           "perspective",
+                                           "polygon",
+                                           "radial-gradient",
+                                           "repeating-linear-gradient",
+                                           "repeating-radial-gradient",
                                            "rgb",
+                                           "rgba",
+                                           "rotate",
+                                           "rotate3d",
+                                           "rotateX",
+                                           "rotateY",
+                                           "rotateZ",
+                                           "saturate",
+                                           "sepia",
+                                           "scale",
+                                           "scale3d",
+                                           "scaleX",
+                                           "scaleY",
+                                           "scaleZ",
+                                           "skew",
+                                           "skewX",
+                                           "skewY",
+                                           "symbols",
+                                           "translate",
+                                           "translate3d",
+                                           "translateX",
+                                           "translateY",
+                                           "translateZ",
                                          ])
 
       SHORTHAND_CSS_PROPERTIES = Set.new([

test/html5/test_sanitizer.rb

@@ -298,11 +298,11 @@ def test_css_function_sanitization_leaves_whitelisted_list_style_type
   end
 
   def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
-    html = "<span style=\"width:attr(data-evil-attr)\">"
+    html = "<span style=\"width:url(data-evil-url)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
     assert_match %r/<span><\/span>/, sane.inner_html
 
-    html = "<span style=\"width: attr(data-evil-attr)\">"
+    html = "<span style=\"width: url(data-evil-url)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
     assert_match %r/<span><\/span>/, sane.inner_html
   end