font-family sanitization issue #232

@jurajvalkucak

Hi,

It looks like there's an issue with CSS font-family sanitization. When the input is first sanitized, it adds quotes to font-families. When the sanitized content is sanitized again, it removes some font-families and leaves blanks separated by commas, causing the CSS font-family to be invalid.

Input to sanitize:
<span style="font-family:WordVisi_MSFontService, Algerian, Algerian_EmbeddedFont, Algerian_MSFontService, sans-serif;">TEXT</span>

Sanitize input (adding quotes to font-families and lower case):
<span style="font-family:&#39;wordvisi_msfontservice&#39; , &#39;algerian&#39; , &#39;algerian_embeddedfont&#39; , &#39;algerian_msfontservice&#39; , sans-serif">TEXT</span>

Sanitize again (issue removing font-families and adding commas, causing invalid font-family tag):
<span style="font-family:, &#39;algerian&#39; , , , sans-serif">TEXT</span>

The issue is caused if the policy is configured like below:
new HtmlPolicyBuilder().allowStyling(CssSchema.DEFAULT)

Thanks,
Juraj
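
A regression check for the behaviour reported above, added here as an example and not part of the original report or the project's code. It assumes the classes come from the `org.owasp.html` package and adds `allowElements("span")` to the reported policy so the `<span>` is kept; `hasEmptyFontEntry` is a hypothetical helper.

```java
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FontFamilyIdempotenceCheck {
    // Policy from the report; allowElements("span") is an assumption added
    // here so that the <span> element itself survives sanitization.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("span")
            .allowStyling(CssSchema.DEFAULT)
            .toFactory();

    // Captures a font-family value up to the next ';' or the closing quote.
    static final Pattern FONT_FAMILY = Pattern.compile("font-family\\s*:([^;\"]*)");

    /** Hypothetical helper: true if any comma-separated font-family entry is blank. */
    static boolean hasEmptyFontEntry(String html) {
        // Decode the quote entity first so its ';' does not end the match early.
        Matcher m = FONT_FAMILY.matcher(html.replace("&#39;", "'"));
        while (m.find()) {
            // Limit -1 keeps trailing empty entries such as "a, b, ".
            for (String entry : m.group(1).split(",", -1)) {
                if (entry.trim().isEmpty()) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Input copied from the report.
        String input = "<span style=\"font-family:WordVisi_MSFontService, Algerian, "
                + "Algerian_EmbeddedFont, Algerian_MSFontService, sans-serif;\">TEXT</span>";
        String once = POLICY.sanitize(input);
        String twice = POLICY.sanitize(once);

        System.out.println("pass 1: " + once);
        System.out.println("pass 2: " + twice);
        // A sanitizer should be idempotent: a second pass must not change the output.
        System.out.println("idempotent: " + once.equals(twice));
        System.out.println("empty entry after pass 1: " + hasEmptyFontEntry(once));
        System.out.println("empty entry after pass 2: " + hasEmptyFontEntry(twice));
    }
}
```

Asserting `once.equals(twice)` in a unit test catches this class of problem wherever stored content is re-sanitized on each save.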
