Defect #43688
open
some style attributes are removed from HTML tags in Markdown comments/wiki entries
Description
I've discovered that only some CSS style attributes are allowed, at least for div and span tags. For instance, `direction: rtl;` or `display: inline-block;` are removed. If I insert a typo, the tag will still be removed. Hence, a whitelist is applied.
Please can you add `display` and `direction` to this list?
MWE:
```html
<table style="font-size: 9px; margin-left: auto; margin-right: auto; margin-left: auto; margin-right: auto;">
<thead>
<tr>
<th style="text-align:left;font-weight: bold;text-align: left;">Category</th>
<th style="text-align:right;font-weight: bold;text-align: left;">% removed</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left;">Surface</td>
<td style="text-align:right;width: 80px;">
<span style="display: inline-block; direction: rtl; border-radius: 4px; padding-right: 2px; background-color: lightgreen; width: 16.61%">1.86</span>
</td>
</tr>
<tr>
<td style="text-align:left;">Soil</td>
<td style="text-align:right;width: 80px;">
<span style="display: inline-block; direction: rtl; border-radius: 4px; padding-right: 2px; background-color: lightgreen; width: 100.00%">11.20</span>
</td>
</tr>
</tbody>
</table>
```
Should render as:
but the green bar is rendered as:
Updated by Mathias Walter 2 days ago
Looking at the source code via the developer console, one can see that `display: inline-block; direction: rtl;` is removed.
Updated by Holger Just 2 days ago
- Category set to Text formatting
Redmine indeed applies a whitelist of known-safe CSS rules. The allowed CSS attributes are documented at https://your-redmine.example.com/help/wiki_syntax/detailed. The actual whitelist is implemented in source:tags/6.1.1/lib/redmine/wiki_formatting/common_mark/sanitization_filter.rb#L30
It may be possible to add additional attributes here. Loofah seems to allow the `display` and `direction` attributes.
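
As an added illustration (not Redmine's or Loofah's code), the sketch below shows how a CSS property allowlist produces the behaviour reported in this issue: `display` and `direction` are dropped, and so is a misspelled property name. The `ALLOWED` list, the `SAFE_VALUE` pattern and the `filter_style` helper are assumptions constructed for this example; the value check shows why extending the list by property name still leaves values to be constrained.

```ruby
# Added example: allowlist filtering of the declarations in a style attribute.
# ALLOWED is a constructed list for illustration, not Redmine's actual allowlist.
ALLOWED = %w[
  background-color border-radius font-size font-weight margin-left
  margin-right padding-right text-align width
].freeze

# Conservative value pattern (assumption): keywords, numbers, units, hex colours.
# Parentheses, quotes and backslashes never match, so url(...) or
# expression(...) values are dropped even for an allowed property.
SAFE_VALUE = /\A[a-zA-Z0-9\s.%#,-]+\z/

# Returns [sanitized_style, dropped_property_names].
# Anything that does not parse as "allowed-name: safe-value" fails closed.
def filter_style(style, allowed = ALLOWED)
  kept = []
  dropped = []
  style.to_s.split(';').each do |decl|
    next if decl.strip.empty?
    name, value = decl.split(':', 2).map { |part| part.strip }
    name = name.to_s.downcase
    if value && !value.empty? && allowed.include?(name) && SAFE_VALUE.match?(value)
      kept << "#{name}: #{value}"
    else
      dropped << name
    end
  end
  [kept.empty? ? '' : kept.join('; ') + ';', dropped]
end

# Style of the bar <span> from the MWE above.
SPAN_STYLE = 'display: inline-block; direction: rtl; border-radius: 4px; ' \
             'padding-right: 2px; background-color: lightgreen; width: 16.61%'

if __FILE__ == $PROGRAM_NAME
  p filter_style(SPAN_STYLE)                                   # current behaviour
  p filter_style(SPAN_STYLE, ALLOWED + %w[display direction])  # requested change
  p filter_style('dispaly: inline-block; width: 10px')         # typo is dropped
  p filter_style('width: 10px; background-color: url(x)')      # unsafe value
end
```

Because unknown names are dropped rather than matched against a blocklist, a typo such as `dispaly` is removed exactly like `display`, which matches the reporter's observation.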