Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFC: should Loofah sanitize <style> tag contents #248

Open
flavorjones opened this issue Nov 21, 2022 · 2 comments
Open

RFC: should Loofah sanitize <style> tag contents #248

flavorjones opened this issue Nov 21, 2022 · 2 comments

Comments

@flavorjones
Copy link
Owner

I recently had a conversation with some folks about best practices in sanitizing CSS stylesheets, and I realized that Loofah is no help here. Currently <style> tag contents are treated as CDATA but no particular sanitization is being done like we do for style attributes.

What do y'all think about adding some Crass-based parsing for <style> tags to ensure they're well-formed and sanitized similarly to style attributes?

We obviously would want to take care that Rails apps (and any other web apps that use Loofah) wouldn't accidentally scrub any stylesheets that are inlined in html/head. But I think this should be easy?

@John-Odom
Copy link

We would love this

@flavorjones
Copy link
Owner Author

@John-Odom Thanks for commenting! Can you tell me a little bit about your use case?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

2 participants