From efb182cdbc6244f7bb80bb74a6a16261dea98dae Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sun, 28 Oct 2018 14:55:19 -0400
Subject: [PATCH] expand set of allowed CSS functions still omit `url` and `image` related to #122 and #123 also see #143
---
 lib/loofah/html5/whitelist.rb | 50 +++++++++++++++++++++++++++++++++++
 test/html5/test_sanitizer.rb | 4 +--
 2 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
index 449c6a7a..4a3fc5af 100644
--- a/lib/loofah/html5/whitelist.rb
+++ b/lib/loofah/html5/whitelist.rb
@@ -642,9 +642,59 @@ module WhiteList
 "yellow",
 ])
+ # see https://www.quackit.com/css/functions/
+ # omit `url` and `image` from that list
 ACCEPTABLE_CSS_FUNCTIONS = Set.new([
+ "attr",
+ "blur",
+ "brightness",
 "calc",
+ "circle",
+ "contrast",
+ "counter",
+ "counters",
+ "cubic-bezier",
+ "drop-shadow",
+ "ellipse",
+ "grayscale",
+ "hsl",
+ "hsla",
+ "hue-rotate",
+ "hwb",
+ "inset",
+ "invert",
+ "linear-gradient",
+ "matrix",
+ "matrix3d",
+ "opacity",
+ "perspective",
+ "polygon",
+ "radial-gradient",
+ "repeating-linear-gradient",
+ "repeating-radial-gradient",
 "rgb",
+ "rgba",
+ "rotate",
+ "rotate3d",
+ "rotateX",
+ "rotateY",
+ "rotateZ",
+ "saturate",
+ "sepia",
+ "scale",
+ "scale3d",
+ "scaleX",
+ "scaleY",
+ "scaleZ",
+ "skew",
+ "skewX",
+ "skewY",
+ "symbols",
+ "translate",
+ "translate3d",
+ "translateX",
+ "translateY",
+ "translateZ",
 ])
 SHORTHAND_CSS_PROPERTIES = Set.new([
diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
index 3eef9eb2..0a3fad96 100755
--- a/test/html5/test_sanitizer.rb
+++ b/test/html5/test_sanitizer.rb
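Review bot: The new entries mix letter case (`rotateX`, `scaleY`, `translateZ`, …) while CSS function names are ASCII case-insensitive, so whether `rotatex(` or `ROTATEX(` survives sanitization now depends on how the caller normalizes the parsed token before the `Set` lookup; that lookup is outside this hunk, so confirm it and record the expectation next to the list, e.g. `# entries are compared verbatim against the parsed function name; keep the spelling the parser emits`. Separately, `symbols()` accepts image values as arguments (and `attr()` with a type argument can yield a URL per the CSS Values spec), so if nested function arguments are not themselves checked, the `url`/`image` omission the comment describes is only enforced at the outermost call; a short note stating that assumption, or a regression test asserting that a style using `symbols(url(…))` is stripped, would make the intent explicit. The enclosing `module WhiteList` begins and ends outside the hunk.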
@@ -298,11 +298,11 @@ def test_css_function_sanitization_leaves_whitelisted_list_style_type
 end
 def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
- html = ""
+ html = ""
 sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
 assert_match %r/<\/span>/, sane.inner_html
- html = ""
+ html = ""
 sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
 assert_match %r/<\/span>/, sane.inner_html
 end