
bug: possible regression in CSS parsing of advanced expressions #657

Closed
eht16 opened this issue Apr 25, 2022 · 1 comment
Labels
untriaged Bug reports that haven't been triaged

Comments


eht16 commented Apr 25, 2022

I noticed a difference when parsing and removing CSS styles between Bleach 4.x and 5.x.
This is probably related to #633 resp. #648.

Before, styles like list-style: url(https://www.example.com) seem to have been stripped even if list-style was in the styles list.
Recent Bleach versions (5.x) do keep this list-style style and this seems correct to me.

**Python and Bleach versions (please complete the following information):**

  • Python Version: 3.9
  • Bleach Version: 4.1 and 5.0

To Reproduce

Steps to reproduce the behavior:

import bleach

allowed_css_styles = ['width', 'list-style']
allowed_attributes = {'*': ['class', 'style', 'id']}
allowed_tags = ['div']

test_html_list_style = '<div style="list-style: url(https://www.example.com); width: 100%;"></div>'
test_html_width = '<div style="width: expression(test);"></div>'

try:
    # Bleach 5.x
    from bleach.css_sanitizer import CSSSanitizer

    css_sanitizer = CSSSanitizer(allowed_css_properties=allowed_css_styles)

    bleached_text = bleach.clean(test_html_list_style, tags=allowed_tags, attributes=allowed_attributes, css_sanitizer=css_sanitizer)
    print(bleached_text)  # gives: <div style="list-style: url(https://www.example.com); width: 100%;"></div>

    bleached_text = bleach.clean(test_html_width, tags=allowed_tags, attributes=allowed_attributes, css_sanitizer=css_sanitizer)
    print(bleached_text)  # gives: <div style="width: expression(test);"></div>

except ImportError:
    # Bleach 4.x
    bleached_text = bleach.clean(test_html_list_style, tags=allowed_tags, attributes=allowed_attributes, styles=allowed_css_styles)
    print(bleached_text)  # gives: <div style="width: 100%;"></div>

    bleached_text = bleach.clean(test_html_width, tags=allowed_tags, attributes=allowed_attributes, styles=allowed_css_styles)
    print(bleached_text)  # gives: <div style=""></div>

Expected behavior

I think the current behavior is correct, but I just want to make sure that I'm not misunderstanding or misusing the new CSS sanitizer.

So, is the previous behavior more or less a bug in the old CSS sanitizer, and has it been fixed implicitly by the new one?

@eht16 eht16 added the untriaged Bug reports that haven't been triaged label Apr 25, 2022
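The report above shows the practical consequence of a property-name allowlist: once `width` is allowed, a value such as `expression(test)` (the legacy Internet Explorer syntax for evaluating script inside a style) passes through unless the value itself is inspected. The following is an added, standalone example (my own code, not Bleach's and not part of this issue) of a value-level check layered on top of a property allowlist; it runs without Bleach installed and is exercised on the two style strings from the report. The property list, the scheme allowlist and the rejection rules are assumptions chosen for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Property names the application is willing to pass through. Mirrors the
# allowed_css_styles list from the issue; an assumption for this example.
ALLOWED_PROPERTIES = {"width", "list-style"}

# Only plain web URLs are accepted inside url(); javascript:, data: and
# friends are rejected by not being on this list (an assumption for the example).
_ALLOWED_URL_SCHEMES = ("http://", "https://")

# `expression(` with optional whitespace before the parenthesis, any case.
_EXPRESSION = re.compile(r"expression\s*\(", re.IGNORECASE)

# Captures the target of every url( ... ) occurrence, with or without quotes.
# The closing parenthesis is intentionally not required, so an unterminated
# url( is still inspected rather than silently passed.
_URL_TARGET = re.compile(r"url\s*\(\s*['\"]?([^'\")]*)", re.IGNORECASE)


def split_declarations(style: str) -> List[Tuple[str, str]]:
    """Split a style attribute into (property, value) pairs.

    A deliberately simple ';' / ':' splitter for the flat declarations seen in
    the issue; it is not a CSS tokenizer (see the note below the block).
    """
    pairs = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop and value:
            pairs.append((prop, value))
    return pairs


def value_is_safe(value: str) -> bool:
    """Return True only if the value carries no script-bearing construct."""
    # Backslash escapes (e.g. "\65 xpression") could hide the keywords from the
    # regexes below; the properties allowed here never need them, so reject.
    if "\\" in value:
        return False
    # Reject IE dynamic properties outright.
    if _EXPRESSION.search(value):
        return False
    # Every url() target must use an allowed scheme.
    for match in _URL_TARGET.finditer(value):
        target = match.group(1).strip().lower()
        if not target.startswith(_ALLOWED_URL_SCHEMES):
            return False
    return True


def sanitize_style(style: str, allowed: Iterable[str] = ALLOWED_PROPERTIES) -> str:
    """Keep declarations whose property is allowed AND whose value is safe."""
    allowed_lower = {p.lower() for p in allowed}
    kept = [
        f"{prop}: {value};"
        for prop, value in split_declarations(style)
        if prop in allowed_lower and value_is_safe(value)
    ]
    return " ".join(kept)


if __name__ == "__main__":
    # The two style values from the report (constructed test input).
    print(sanitize_style("list-style: url(https://www.example.com); width: 100%;"))
    print(repr(sanitize_style("width: expression(test);")))
```

With these rules the first string from the report survives unchanged (an `https://` URL in `list-style` is harmless) while `width: expression(test)` is dropped, which is the distinction the reporter was asking about: the property name is allowed, the value is not. A string splitter like this one is only adequate for flat, well-formed declarations; anything that has to cope with comments, nested functions or escape sequences should be built on a real CSS tokenizer, which is the approach Bleach 5's `CSSSanitizer` takes by delegating parsing to tinycss2.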
g-k (Collaborator) commented Apr 30, 2022

> So, is the previous behavior more or less a bug in the old CSS sanitizer, and has it been fixed implicitly by the new one?

Yep! The bug was #529.

@g-k g-k closed this as completed Apr 30, 2022