Whitelist text-align property for th and td

e1a77fa7 · Douwe Maan · bc2cf82f · e1a77fa7 · e1a77fa7
Commit e1a77fa7 authored Jun 15, 2018 by Douwe Maan
Showing with 13 additions and 2 deletions

lib/banzai/filter/sanitization_filter.rb lib/banzai/filter/sanitization_filter.rb +2 -1

spec/lib/banzai/filter/sanitization_filter_spec.rb spec/lib/banzai/filter/sanitization_filter_spec.rb +11 -1

No files found.
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -25,10 +25,11 @@ module Banzai
        # Only push these customizations once
        return if customized?(whitelist[:transformers])

-        # Allow table alignment; we whitelist specific style properties in a
+        # Allow table alignment; we whitelist specific text-align values in a
        # transformer below
        whitelist[:attributes]['th'] = %w(style)
        whitelist[:attributes]['td'] = %w(style)
+        whitelist[:css] = { properties: ['text-align'] }

        # Allow span elements
        whitelist[:elements].push('span')

--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do
      expect(doc.at_css('td')['style']).to eq 'text-align: center'
    end

+    it 'disallows `text-align` property in `style` attribute on other elements' do
+      html = <<~HTML
+        <div style="text-align: center">Text</div>
+      HTML
+
+      doc = filter(html)
+
+      expect(doc.at_css('div')['style']).to be_nil
+    end
+
    it 'allows `span` elements' do
      exp = act = %q{<span>Hello</span>}
      expect(filter(act).to_html).to eq exp
@@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do

      'protocol-based JS injection: spaces and entities' => {
        input:  '<a href=" &#14;  javascript:alert(\'XSS\');">foo</a>',
-        output: '<a href="">foo</a>'
+        output: '<a href>foo</a>'
      },

      'protocol whitespace' => {