From d79e531665bc1513b9c2a1be6f7e9458eebb0278 Mon Sep 17 00:00:00 2001 From: miguel perez Date: Tue, 24 Nov 2020 12:47:45 -0500 Subject: [PATCH] add flex properties to safelist --- CHANGELOG.md | 4 ++ lib/loofah/html5/safelist.rb | 12 ++++++ test/html5/test_sanitizer.rb | 72 ++++++++++++++++++++++++++++++++++++ 3 files changed, 88 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a5206e9c..402ac10e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +### Unreleased + +* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`m `justify-content`, `align-self`, `align-items`, and `align-content`. [[#190](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!) + ## 2.7.0 / 2020-08-26 ### Features diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb index f2e242af..96d5be19 100644 --- a/lib/loofah/html5/safelist.rb +++ b/lib/loofah/html5/safelist.rb @@ -549,6 +549,9 @@ module SafeList ACCEPTABLE_CSS_PROPERTIES = Set.new([ "azimuth", + "align-content", + "align-items", + "align-self", "background-color", "border-bottom-color", "border-collapse", @@ -562,6 +565,13 @@ module SafeList "direction", "display", "elevation", + "flex", + "flex-basis", + "flex-direction", + "flex-flow", + "flex-grow", + "flex-shrink", + "flex-wrap", "float", "font", "font-family", @@ -570,11 +580,13 @@ module SafeList "font-variant", "font-weight", "height", + "justify-content", "letter-spacing", "line-height", "list-style", "list-style-type", "max-width", + "order", "overflow", "page-break-after", "page-break-before", diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb index 0a50f445..7feef5f7 100755 --- a/test/html5/test_sanitizer.rb +++ b/test/html5/test_sanitizer.rb @@ -398,6 +398,78 @@ def test_css_page_break_inside end + def test_css_align_content + html = '
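Review bot: The three `align-*` entries in the first safelist hunk are inserted after `"azimuth",` although ACCEPTABLE_CSS_PROPERTIES is otherwise kept alphabetical (azimuth, background-color, border-bottom-color, …, page-break-before); move `"align-content",`, `"align-items",` and `"align-self",` to just before `"azimuth",` so the list stays sorted and later additions merge cleanly. In the second hunk, `flex` and `flex-flow` are shorthand properties whose values carry several tokens (the new test uses `flex-flow: column wrap`), like `font` already in the set; the diff does not show how values of properties in this set are filtered, so it is worth confirming that whatever value validation applies to `font` also applies to these, and the accompanying test hunk only exercises accepted values, so a test that a disallowed value on one of the new properties is dropped would pin the restrictive side as well. The ACCEPTABLE_CSS_PROPERTIES definition starts before the first hunk and continues past the last.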
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/align-content:flex-start/, sane.inner_html
+ end
+
+ def test_css_align_items
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/align-items:stretch/, sane.inner_html
+ end
+
+ def test_css_align_self
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/align-self:auto/, sane.inner_html
+ end
+
+ def test_css_flex
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/flex:none/, sane.inner_html
+ end
+
+ def test_css_flex_basis
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/flex-basis:auto/, sane.inner_html
+ end
+
+ def test_css_flex_direction
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/flex-direction:row/, sane.inner_html
+ end
+
+ def test_css_flex_flow
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/flex-flow:column wrap/, sane.inner_html
+ end
+
+ def test_css_flex_grow
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/flex-grow:4/, sane.inner_html
+ end
+
+ def test_css_flex_shrink
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/flex-shrink:3/, sane.inner_html
+ end
+
+ def test_css_flex_wrap
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/flex-wrap:wrap/, sane.inner_html
+ end
+
+ def test_css_justify_content
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/justify-content:flex-start/, sane.inner_html
+ end
+
+ def test_css_order
+ html = '
'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/order:5/, sane.inner_html
+ end
+
 def test_issue_90_slow_regex
 skip("timing tests are hard to make pass and have little regression-testing value")