Defect #37237 » 0001-allow-select-custom-CSS-properties.patch

Jens Krämer, 2022-09-26 12:33


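--- a/lib/redmine/wiki_formatting/common_mark/sanitization_filter.rb
+++ b/lib/redmine/wiki_formatting/common_mark/sanitization_filter.rb
@@ -27,6 +27,18 @@
           "a" => %w(href).freeze,
         }.freeze
 
+        ALLOWED_CSS_PROPERTIES = %w[
+          color background-color
+          width
+          height
+          padding padding-left padding-right padding-top padding-bottom
+          margin margin-left margin-right margin-top margin-bottom
+          border border-left border-right border-top border-bottom border-radius border-style border-collapse border-spacing
+          font font-style font-variant font-weight font-stretch font-size line-height font-family
+          text-align
+          float
+        ].freeze
+
         def allowlist
           @allowlist ||= customize_allowlist(super.deep_dup)
         end
@@ -40,6 +52,9 @@
           allowlist[:attributes][:all].delete("name")
           allowlist[:attributes]["a"].push("name")
 
+          allowlist[:attributes][:all].push("style")
+          allowlist[:css] = { properties: ALLOWED_CSS_PROPERTIES }
+
           # allow class on code tags (this holds the language info from fenced
           # code bocks and has the format language-foo)
           allowlist[:attributes]["code"] = %w(class)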
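Review bot: `ALLOWED_CSS_PROPERTIES` (new lines 30-40) carries no comment on why this set is permitted and which properties are deliberately left out, which is exactly what the next maintainer asked to "just add `background`" needs to know; a header such as `# CSS properties accepted in inline style attributes; positioning/layout properties and url-bearing shorthands such as background are intentionally excluded` would record the intent. The `:css` entry at new line 56 sets only `properties`, so how `url()` values inside an allowed property are treated falls back to Sanitize's own CSS defaults for `:protocols` — presumably an empty list that strips every `url()`, but that should be confirmed and stated next to the constant, since `style` is now accepted on every element via `:all` (new line 55). A minor style point: the new constant uses `%w[` while the surrounding file uses `%w(` (lines 27 and 60). The enclosing class and `customize_allowlist` continue outside the section.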
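--- a/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb
@@ -93,6 +93,10 @@
     # samples taken from the Sanitize test suite
     # rubocop:disable Layout/LineLength
     STRINGS = [
+      [
+        '<span style="color: #333; background: url(\'https://example.com/evil.svg\')">hello</span>"',
+        '<span style="color: #333; ">hello</span>"'
+      ],
       [
         '<b>Lo<!-- comment -->rem</b> <a href="pants" title="foo" style="text-decoration: underline;">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <style>.foo { color: #fff; }</style> <script>alert("hello world");</script>',
         '<b>Lorem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet .foo { color: #fff; } '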
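Review bot: The new sample (new lines 96-99) only shows an unlisted property (`background`) being dropped; it does not exercise a `url()` value on a property that is allowed, nor `style` on an element other than `span`, so the value-level handling of permitted properties is left unpinned by the test. A second pair with an allowed property carrying a `url()` value, expected back without it, and one with `style` on e.g. `<td>` would cover both and would document what the filter guarantees. The `STRINGS` array and the enclosing test class continue outside the hunk.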