Permalink
Browse files

Fix HTML Sanitizer to allow trailing spaces in CSS style attributes. C…

…loses #10566 [wesley.moxam]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8485 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent 38f8252 commit e781faddca7523c6b700d03887b6603488128ced @technoweenie technoweenie committed Dec 23, 2007
View
@@ -1,5 +1,7 @@
*SVN*
+* Fix HTML Sanitizer to allow trailing spaces in CSS style attributes. Closes #10566 [wesley.moxam]
+
* Add :default option to time_zone_select. #10590 [Matt Aimonetti]
@@ -107,7 +107,7 @@ def sanitize_css(style)
# gauntlet
if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$))*$/
+ style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
return ''
end
@@ -170,4 +170,4 @@ def contains_bad_protocols?(attr_name, value)
(value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
end
end
-end
+end
@@ -203,6 +203,12 @@ def test_should_sanitize_illegal_style_properties
assert_equal expected, sanitize_css(raw)
end
+ def test_should_sanitize_with_trailing_space
+ raw = "display:block; "
+ expected = "display: block;"
+ assert_equal expected, sanitize_css(raw)
+ end
+
def test_should_sanitize_xul_style_attributes
raw = %(-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss'))
assert_equal '', sanitize_css(raw)
@@ -247,4 +253,4 @@ def assert_sanitized(input, expected = nil)
def sanitize_css(input)
(@sanitizer ||= HTML::WhiteListSanitizer.new).sanitize_css(input)
end
-end
+end

0 comments on commit e781fad

Please sign in to comment.