Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Allow safe inline CSS styles in Markdown #5012
This pull request makes it possible to add
The CSS properties and their values inside the
This update also allows for the embedding of encoded image data inside the
Most CSS properties and their values are supported. The missing (safe) ones will be added in the near future.
There's bound to be some errors in the (great number of) regular expressions used to sanitize the CSS values. Don't hesitate to open an issue and mention me if some CSS you think is valid is not working as expected.
Extracting the tags and attributes was pretty trivial. I'm still working on converting the CSS property value syntax into Regular Expressions, which is a lot less trivial :)
I'll make sure to share the code snippets that I used to help extract/transform the data when I'm done.
I've been working off of Google Caja to make sure css properties (or property values) that are deemed unsafe/disruptive will get filtered out by sanitize-html.
There's only a few of such properties/values, and since sanitize-html requires me to white-list everything that is allowed, I've been working on quite some regular expressions to do so.
I'm not even sure that the end result will be workable, performance wise. Some testing will need to be done.
I've added CSS value validation for most of the allowed CSS properties. I've removed some properties for now (e.g. animation properties) and simplified others, but I will probably add/extend those in the near future.
I was a bit worried about how the performance would be, but until now I don't see any ill effects.
I used the following script to extract information from Caja's Json definitions: https://gist.github.com/biermeester/9437f13d3735e65ba013c947ea59021f
A demo notebook can be found here: https://gist.github.com/biermeester/83802c33fb8483d25bcff6b59ce1353d
Next up is going to a be a test case extension, that will make sure that harmful CSS gets filtered out.