diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
index 449c6a7a..4a3fc5af 100644
--- a/lib/loofah/html5/whitelist.rb
+++ b/lib/loofah/html5/whitelist.rb
@@ -642,9 +642,59 @@ module WhiteList
"yellow",
])
+ # see https://www.quackit.com/css/functions/
+ # omit `url` and `image` from that list
ACCEPTABLE_CSS_FUNCTIONS = Set.new([
+ "attr",
+ "blur",
+ "brightness",
"calc",
+ "circle",
+ "contrast",
+ "counter",
+ "counters",
+ "cubic-bezier",
+ "drop-shadow",
+ "ellipse",
+ "grayscale",
+ "hsl",
+ "hsla",
+ "hue-rotate",
+ "hwb",
+ "inset",
+ "invert",
+ "linear-gradient",
+ "matrix",
+ "matrix3d",
+ "opacity",
+ "perspective",
+ "polygon",
+ "radial-gradient",
+ "repeating-linear-gradient",
+ "repeating-radial-gradient",
"rgb",
+ "rgba",
+ "rotate",
+ "rotate3d",
+ "rotateX",
+ "rotateY",
+ "rotateZ",
+ "saturate",
+ "sepia",
+ "scale",
+ "scale3d",
+ "scaleX",
+ "scaleY",
+ "scaleZ",
+ "skew",
+ "skewX",
+ "skewY",
+ "symbols",
+ "translate",
+ "translate3d",
+ "translateX",
+ "translateY",
+ "translateZ",
])
SHORTHAND_CSS_PROPERTIES = Set.new([
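Review bot: The comment at the top of the block records that `url` and `image` were left out but not why, and that reason is the selection criterion a maintainer needs when the next function is requested; I would replace the two comment lines with `# Functions that can reference an external resource (url(), image(), and by the same rule image-set() and cross-fade()) are deliberately omitted: a style carrying one lets sanitized content trigger outbound requests, which is a tracking / data-exfiltration channel. Only functions whose arguments are literal values belong in this set.` `attr` (L11) is the one entry that reads data from the document rather than a literal; it appears acceptable because the attribute it names has already passed the attribute whitelist, but that dependency deserves a one-line note beside it. Separately, CSS function names are ASCII case-insensitive while several entries are mixed case (`rotateX`, `scaleZ`); if the matcher compares exact strings — it is not in this hunk — then `rotatex(...)` or `ROTATE(...)` is stripped rather than allowed, which fails safe but is surprising, and lower-casing the parsed name before the lookup (with the set entries in lower case) would make the contract explicit. Minor: the `scale*` entries sort before `sepia`, not after it; the enclosing `module WhiteList` starts and ends outside the hunk.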
diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
index 3eef9eb2..0a3fad96 100755
--- a/test/html5/test_sanitizer.rb
+++ b/test/html5/test_sanitizer.rb
@@ -298,11 +298,11 @@ def test_css_function_sanitization_leaves_whitelisted_list_style_type
end
def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
- html = ""
+ html = ""
sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
assert_match %r/<\/span>/, sane.inner_html
- html = ""
+ html = ""
sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
assert_match %r/<\/span>/, sane.inner_html
end
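Review bot: As rendered here, the assertion after each `scrub_fragment` call checks only that `</span>` survives, which would also pass if the unsafe `style` attribute were retained — if the page has merely dropped a `<span>` tag from an original `%r{<span></span>}` pattern this is moot, but otherwise add `refute_match(/style=/, sane.inner_html)` after each assert so the test fails when the function whitelist accidentally grows. The input strings also appear as empty `""` on this page, so the functions the test now exercises cannot be confirmed from here; with `rgba` and the other additions now whitelisted, the inputs need a function that is still outside the set (for example `url(...)`) for the test to remain meaningful.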