CSS sanitizer allows vmax length unit
JuanitoFatas committed Nov 26, 2019
1 parent 24fcb17 commit bab56b5
Showing 2 changed files with 7 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/loofah/html5/scrub.rb
@@ -6,7 +6,7 @@ module Loofah
module HTML5 # :nodoc:
module Scrub
CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmin|vw|vh|%|,|\))?)\z/
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }

class << self
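Review bot: the `vmax` alternative inserted on the `CSS_KEYWORDISH` line breaks the otherwise alphabetical order of the unit list, which now reads `vmax|vmin|vw|vh` after `Q`; the pattern is anchored with `\A` and `\z`, so alternation order does not affect matching, and `vh|vmax|vmin|vw` would read more consistently and make the next unit addition easier to review. Note also that the regex's numeric prefix `-?\d{0,3}\.?\d{0,10}` is entirely optional, so a bare `vmax` with no number passes the keyword check exactly as the other units already do; that is pre-existing behaviour, not introduced here, but worth keeping in mind when widening the list. The commit's two changed files are the regex and its test, so no changelog entry records that the sanitizer now accepts a new length unit.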
6 changes: 6 additions & 0 deletions test/html5/test_sanitizer.rb
@@ -335,6 +335,12 @@ def test_css_vmin_value
assert_match %r/42vmin/, sane.inner_html
end

def test_css_vmax_value
html = "<div style=\"width: 42vmax;\"></body>"
sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
assert_match %r/42vmax/, sane.inner_html
end

def test_css_function_sanitization_leaves_safelisted_functions_calc
html = "<span style=\"width:calc(5%)\">"
sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
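Review bot: the fixture on the line `html = "<div style=\"width: 42vmax;\"></body>"` opens a `<div>` but closes `</body>`, so the new `test_css_vmax_value` exercises the HTML parser's recovery from mismatched markup as well as the CSS safelist; closing it with `</div>` keeps the test about the unit. The assertion `assert_match %r/42vmax/, sane.inner_html` is also weaker than it looks: a substring match over the serialised fragment still passes if `42vmax` survives anywhere in the output rather than inside the retained `style` attribute, so asserting on the scrubbed div's `style` attribute directly (for example `sane.at_css("div")["style"]`) would pin down that the declaration itself was kept. Finally, this test scrubs with `:escape` and serialises with `to_xml`, while the adjacent `test_css_function_sanitization_leaves_safelisted_functions_calc` uses `:strip` and `to_html`; unless the difference is deliberate, using the same scrubber and serialiser across the CSS unit tests would make a future failure easier to attribute.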