scrub_css drops allowed css functions from shorthand css properties #199
Comments
|
Hi, @Iwaide. Thanks for opening this issue, and sorry you're having problems. This looks like it's a bug whenever a CSS function ( Loofah::fragment(%Q[<h1 style="background-color: linear-gradient(transparent 50%, #ffff66 50%); ">here</h1>]).scrub!(:prune)
# => <h1 style="background-color: linear-gradient(transparent 50%, #ffff66 50%);">here</h1>as is Loofah::fragment(%Q[<h1 style="color: linear-gradient(transparent 50%, #ffff66 50%); ">here</h1>]).scrub!(:prune)
# => <h1 style="color: linear-gradient(transparent 50%, #ffff66 50%);">here</h1>Give me a few hours, I should be able to fix this quickly. In the meantime, you can work around it by using the full property name (e.g., |
|
@flavorjones, thanks for the quick reply. |
|
@Iwaide Loofah v2.9.0 has been released with this fix! Thanks again for reporting it, and thanks for using Loofah! |
Using CSS functions for the values of shorthand CSS properties will cause them to be removed, even if they are whitelisted, such as linear-gradient
I've figured out that I need to fix the following lines, but I don't know how to fix it.
loofah/lib/loofah/html5/scrub.rb
Lines 87 to 92 in 1499384
How can I avoid this?
Or could you please tell me how to fix it?
The text was updated successfully, but these errors were encountered: