
CSS Scrubber is removing the builtin extended CSS color properties in >= v2.9.0 #243

Closed
rocketedaway opened this issue Sep 12, 2022 · 5 comments · Fixed by #244

Comments

@rocketedaway

rocketedaway commented Sep 12, 2022

Expected

When scrubbing HTML which makes use of the builtin extended CSS color properties in the style property they are not removed.

Actual

Builtin extended CSS color properties included in the style property of HTML strings are being removed.

Reproduction steps

The issue looks to be introduced in v2.9.0

  • Install Loofah v2.8.0
  • Run the following command in your ruby console
    • Loofah.fragment('<div style="background-color: blue;">Test</div>').scrub!(:strip).to_s
  • You will get the following HTML string back <div style=\"background:blue;\">Test</div>
  • Run the following command in your ruby console
    • Loofah.fragment('<div style="background-color: lightblue;">Test</div>').scrub!(:strip).to_s
  • You will get the following HTML string back <div style=\"background-color: lightblue;\">Test</div>
  • Install Loofah v2.9.0
    • This can be any version >= 2.9.0
  • Run the following command in your ruby console
    • Loofah.fragment('<div style="background-color: blue;">Test</div>').scrub!(:strip).to_s
  • You will get the following HTML string back <div style=\"background:blue;\">Test</div>
  • Run the following command in your ruby console
    • Loofah.fragment('<div style="background-color: lightblue;">Test</div>').scrub!(:strip).to_s
  • You will get the following HTML string back <div>Test</div>
    • I would expect <div style="background-color: lightblue;">Test</div>
@flavorjones
Owner

Hi, thanks for reporting this. For clarity, I think this is what you're saying is happening? (The code snippets above are inconsistent so I just want to make sure I understand.)

#! /usr/bin/env ruby

require "bundler/inline"

gemfile do
  source "https://rubygems.org"
  gem "loofah", "= 2.8.0"
end


Loofah.fragment('<div style="background-color: blue;">Test</div>').scrub!(:strip).to_s
# => "<div style=\"background-color: blue;\">Test</div>"

Loofah.fragment('<div style="background-color: lightblue;">Test</div>').scrub!(:strip).to_s
# => "<div style=\"background-color: lightblue;\">Test</div>"

#! /usr/bin/env ruby

require "bundler/inline"

gemfile do
  source "https://rubygems.org"
  gem "loofah", "= 2.18.0"
end


Loofah.fragment('<div style="background-color: blue;">Test</div>').scrub!(:strip).to_s
# => "<div style=\"background-color:blue;\">Test</div>"

Loofah.fragment('<div style="background-color: lightblue;">Test</div>').scrub!(:strip).to_s
# => "<div>Test</div>"

and we expect that lightblue should be an acceptable color in loofah 2.18.0 and behave the same as blue.

I'll investigate!

@flavorjones
Owner

Looks like we just need to include the extended colors in Loofah::HTML5::SafeList::ACCEPTABLE_CSS_KEYWORDS.

#! /usr/bin/env ruby

require "bundler/inline"

gemfile do
  source "https://rubygems.org"
  gem "loofah", "= 2.18.0"
end

Loofah.fragment('<div style="background-color: lightblue;">Test</div>').scrub!(:strip).to_s
# => "<div>Test</div>"

Loofah::HTML5::SafeList::ACCEPTABLE_CSS_KEYWORDS.add("lightblue")

Loofah.fragment('<div style="background-color: lightblue;">Test</div>').scrub!(:strip).to_s
# => "<div style=\"background-color:lightblue;\">Test</div>"

So you have a workaround right now if you need it. I'll schedule some work to add those colors and make a new release.
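To make the mechanism behind both the report above and the workaround concrete, here is an added illustration. It is not Loofah's code and not from anyone in this thread: a toy style-attribute scrubber that, like Loofah, only keeps a declaration when every token of its value is either an allowlisted keyword or matches a narrow literal pattern. The allowlists `SAFE_PROPERTIES`, `BASE_KEYWORDS` and `EXTENDED_KEYWORDS` are hypothetical and deliberately tiny compared with `Loofah::HTML5::SafeList`. The point it shows: with `lightblue` missing from the keyword set the whole declaration is silently dropped (the `<div>Test</div>` seen above), and adding bare color names to the keyword set restores it without weakening the rejection of `url(...)`, `expression(...)` or `javascript:` values, because a keyword can only ever match a single bare identifier.

```ruby
# Added illustrative example (not Loofah's code): a minimal keyword-allowlisted
# style-attribute scrubber. Shows why an incomplete keyword list silently drops
# safe declarations, and that extending the list with bare color names does not
# weaken the checks that reject dangerous values.
require "set"

# Hypothetical allowlists for this example only; Loofah's real lists live in
# Loofah::HTML5::SafeList and are far larger.
SAFE_PROPERTIES = Set.new(%w[color background-color font-size]).freeze

# CSS 2.1 base color keywords only (no SVG/CSS3 "extended" names).
BASE_KEYWORDS = Set.new(%w[blue red green black white none]).freeze

# A few SVG 1.0 / CSS Color Module Level 3 extended color names.
EXTENDED_KEYWORDS = Set.new(%w[lightblue aliceblue antiquewhite lightcoral]).freeze

# Non-keyword tokens accepted as literals: 3- or 6-digit hex colors and
# numbers with an optional unit. Anything else, including url(...),
# expression(...) and javascript:, fails this match and is rejected.
VALUE_TOKEN = /\A(#\h{3}|#\h{6}|\d+(\.\d+)?(px|em|rem|pt|%)?)\z/i

class StyleScrubber
  def initialize(keywords)
    @keywords = keywords
  end

  # Returns the sanitized style string, or nil when no declaration survives
  # (the caller would then drop the style attribute entirely).
  def scrub(style)
    kept = style.split(";").map do |decl|
      prop, value = decl.split(":", 2).map { |s| s.to_s.strip.downcase }
      next if prop.empty? || value.nil? || value.empty?
      next unless SAFE_PROPERTIES.include?(prop)
      # Every whitespace-separated token must be individually acceptable;
      # a single bad token drops the whole declaration, not just the token.
      tokens = value.split(/\s+/)
      next unless tokens.all? { |t| @keywords.include?(t) || t.match?(VALUE_TOKEN) }
      "#{prop}:#{value}"
    end.compact
    kept.empty? ? nil : kept.join(";") + ";"
  end
end

STRICT   = StyleScrubber.new(BASE_KEYWORDS)                     # behaves like the bug
EXTENDED = StyleScrubber.new(BASE_KEYWORDS | EXTENDED_KEYWORDS)  # behaves like the fix

# Constructed inputs mirroring the thread plus a few hostile values.
def demo
  {
    strict_blue:        STRICT.scrub("background-color: blue;"),
    strict_lightblue:   STRICT.scrub("background-color: lightblue;"),
    extended_lightblue: EXTENDED.scrub("background-color: lightblue;"),
    extended_url:       EXTENDED.scrub("background-color: url(javascript:alert(1));"),
    extended_expr:      EXTENDED.scrub("color: expression(alert(1));"),
    extended_mixed:     EXTENDED.scrub("color: red; background-color: url(x); font-size: 12px;"),
  }
end

if __FILE__ == $0
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Run it directly to see each case; `strict_lightblue` comes back `nil` (attribute dropped), `extended_lightblue` is kept, and the `url(...)`/`expression(...)` cases stay `nil` under both scrubbers. If you apply the `ACCEPTABLE_CSS_KEYWORDS.add` workaround above in a real app, keep the same discipline: add only bare color names, never patterns or anything containing parentheses, colons or slashes.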

@flavorjones
Owner

See #244

@rocketedaway
Author

Thanks a bunch @flavorjones!! The quick turn around is SUPER appreciated!!!

@flavorjones
Owner

v2.19.0 has been shipped! Happy hacking

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this issue Oct 12, 2022
https://build.opensuse.org/request/show/1010074
by user coolo + dimstar_suse
updated to version 2.19.0
see installed CHANGELOG.md
  ## 2.19.0 / 2022-09-14

  ### Features

  * Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](flavorjones/loofah#243)]