From 5be3eee454f60d00791690e588489b1dd216068d Mon Sep 17 00:00:00 2001 From: Juanito Fatas Date: Tue, 26 Nov 2019 08:54:44 +0900 Subject: [PATCH 1/7] CSS sanitizer allows "ch" length unit ch The advance measure (width) of the glyph "0" of the element's font. https://developer.mozilla.org/en-US/docs/Learn/CSS/Building_blocks/Values_and_units#Relative_length_units --- lib/loofah/html5/scrub.rb | 2 +- test/html5/test_sanitizer.rb | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index c014169c..1c5c8555 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -6,7 +6,7 @@ module Loofah module HTML5 # :nodoc: module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ - CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ + CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } class << self diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb index 21fbc9a6..4b4c022b 100755 --- a/test/html5/test_sanitizer.rb +++ b/test/html5/test_sanitizer.rb @@ -299,6 +299,12 @@ def test_css_rem_value assert_match %r/10rem/, sane.inner_html end + def test_css_ch_value + html = "
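Review bot: The `+` line extends `CSS_KEYWORDISH` by splicing one more token into an already long inline alternation, and patches 2 through 7 each repeat the same one-token edit on the same regex literal, so the safelist of accepted length units can only be read by diffing regexes. Pull the units into a frozen constant that the regex interpolates, e.g. `CSS_LENGTH_UNITS = %w[ch cm em ex in lh mm pc pt px Q rem vh vmax vmin vw].freeze` and `CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(#{CSS_LENGTH_UNITS.join("|")}|%|,|\))?)\z/`, which preserves behaviour (`r?em` becomes `em` and `rem`) and turns every future addition into a one-word, reviewable change. A comment above the constant such as `# Length units accepted after a numeric value; this is the safelist, so additions need review` would tell the next maintainer that the list is deliberately closed. The pattern is case-sensitive (no `i` flag), so `10Q` passes while `10q` is rejected although CSS reads units case-insensitively; that is the fail-closed direction, but it deserves a word in the same comment. Order inside the group does not matter because the pattern is anchored with `\z`; the enclosing `module Scrub` continues outside the hunk.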
" + sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) + assert_match %r/60ch/, sane.inner_html + end + def test_css_function_sanitization_leaves_safelisted_functions_calc html = "" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html) From 7c025e0eb45b846f7f673f61c275b53066f617ce Mon Sep 17 00:00:00 2001 From: Juanito Fatas Date: Tue, 26 Nov 2019 08:57:41 +0900 Subject: [PATCH 2/7] CSS sanitizer allows vw length unit vw https://developer.mozilla.org/en-US/docs/Learn/CSS/Building_blocks/Values_and_units#Relative_length_units --- lib/loofah/html5/scrub.rb | 2 +- test/html5/test_sanitizer.rb | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index 1c5c8555..5d8d73ed 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -6,7 +6,7 @@ module Loofah module HTML5 # :nodoc: module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ - CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ + CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|mm|pc|pt|px|vw|%|,|\))?)\z/ CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } class << self diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb index 4b4c022b..ad4c1dbe 100755 --- a/test/html5/test_sanitizer.rb +++ b/test/html5/test_sanitizer.rb @@ -305,6 +305,12 @@ def test_css_ch_value assert_match %r/60ch/, sane.inner_html end + def test_css_vw_value + html = "
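Review bot: `test_css_ch_value` asserts only that `60ch` survives `scrub_fragment`, so a regex edit that over-broadens the unit group would still pass; the unit tests added in patches 2 through 7 share this positive-only shape. Pair each case with a negative check that scrubs the same markup carrying a unit outside the safelist and confirms it was dropped, e.g. `refute_match %r/60zz/, sane.inner_html` (constructed example; use whichever negative-match assertion this test file already uses). The `html` fixture on this line is not visible on the page, so I cannot confirm what markup is fed in; it appears to be a `style` attribute on an element. The new test scrubs with `:escape` and serializes with `to_xml` while the neighbouring `test_css_function_sanitization_leaves_safelisted_functions_calc` uses `:strip` and `to_html`; if that difference is deliberate, a one-line comment saying why would save the next reader a question.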
" + sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) + assert_match %r/1vw/, sane.inner_html + end + def test_css_function_sanitization_leaves_safelisted_functions_calc html = "" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html) From e3fd485a4d02afae00e4ffd86fee89b635530be0 Mon Sep 17 00:00:00 2001 From: Juanito Fatas Date: Tue, 26 Nov 2019 08:58:32 +0900 Subject: [PATCH 3/7] CSS sanitizer allows vh length unit vh https://developer.mozilla.org/en-US/docs/Learn/CSS/Building_blocks/Values_and_units#Relative_length_units --- lib/loofah/html5/scrub.rb | 2 +- test/html5/test_sanitizer.rb | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index 5d8d73ed..b47ae6c8 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -6,7 +6,7 @@ module Loofah module HTML5 # :nodoc: module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ - CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|mm|pc|pt|px|vw|%|,|\))?)\z/ + CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|mm|pc|pt|px|vw|vh|%|,|\))?)\z/ CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } class << self diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb index ad4c1dbe..ef7a130f 100755 --- a/test/html5/test_sanitizer.rb +++ b/test/html5/test_sanitizer.rb @@ -311,6 +311,12 @@ def test_css_vw_value assert_match %r/1vw/, sane.inner_html end + def test_css_vh_value + html = "
" + sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) + assert_match %r/100vh/, sane.inner_html + end + def test_css_function_sanitization_leaves_safelisted_functions_calc html = "" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html) From bd97be9a92b58a4eb37796a038cc9115c80b1c81 Mon Sep 17 00:00:00 2001 From: Juanito Fatas Date: Tue, 26 Nov 2019 09:02:50 +0900 Subject: [PATCH 4/7] CSS sanitizer allows Q length unit Q Quarter-millimeters 1Q = 1/40th of 1cm https://developer.mozilla.org/en-US/docs/Learn/CSS/Building_blocks/Values_and_units#Absolute_length_units --- lib/loofah/html5/scrub.rb | 2 +- test/html5/test_sanitizer.rb | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index b47ae6c8..d9f55707 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -6,7 +6,7 @@ module Loofah module HTML5 # :nodoc: module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ - CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|mm|pc|pt|px|vw|vh|%|,|\))?)\z/ + CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|mm|pc|pt|px|Q|vw|vh|%|,|\))?)\z/ CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } class << self diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb index ef7a130f..60f04a4f 100755 --- a/test/html5/test_sanitizer.rb +++ b/test/html5/test_sanitizer.rb @@ -317,6 +317,12 @@ def test_css_vh_value assert_match %r/100vh/, sane.inner_html end + def test_css_Q_value + html = "
" + sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) + assert_match %r/10Q/, sane.inner_html + end + def test_css_function_sanitization_leaves_safelisted_functions_calc html = "" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html) From 5fb5c40be7aeefe558d4f55df4a0448990ebfea1 Mon Sep 17 00:00:00 2001 From: Juanito Fatas Date: Tue, 26 Nov 2019 09:05:00 +0900 Subject: [PATCH 5/7] CSS sanitizer allows lh length unit lh Line height of the element. https://developer.mozilla.org/en-US/docs/Learn/CSS/Building_blocks/Values_and_units#Relative_length_units --- lib/loofah/html5/scrub.rb | 2 +- test/html5/test_sanitizer.rb | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index d9f55707..5dbfb87e 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -6,7 +6,7 @@ module Loofah module HTML5 # :nodoc: module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ - CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|mm|pc|pt|px|Q|vw|vh|%|,|\))?)\z/ + CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vw|vh|%|,|\))?)\z/ CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } class << self diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb index 60f04a4f..8d6f97d6 100755 --- a/test/html5/test_sanitizer.rb +++ b/test/html5/test_sanitizer.rb @@ -323,6 +323,12 @@ def test_css_Q_value assert_match %r/10Q/, sane.inner_html end + def test_css_lh_value + html = "
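Review bot: `test_css_Q_value` is the only test in this series whose name carries a capital letter; Ruby method names are snake_case, so `def test_css_q_value` keeps the file consistent while the `10Q` assertion itself stays as written. The hunk is otherwise the same positive-only check as the earlier unit tests in this series.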

" + sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) + assert_match %r/2lh/, sane.inner_html + end + def test_css_function_sanitization_leaves_safelisted_functions_calc html = "" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html) From 24fcb1770694bebef86709b9cd6f8c8362cafbe5 Mon Sep 17 00:00:00 2001 From: Juanito Fatas Date: Tue, 26 Nov 2019 09:06:21 +0900 Subject: [PATCH 6/7] CSS sanitizer allows vmin length unit vmin 1% of the viewport's smaller dimension. https://developer.mozilla.org/en-US/docs/Learn/CSS/Building_blocks/Values_and_units#Relative_length_units --- lib/loofah/html5/scrub.rb | 2 +- test/html5/test_sanitizer.rb | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index 5dbfb87e..2f6b9a26 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -6,7 +6,7 @@ module Loofah module HTML5 # :nodoc: module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ - CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vw|vh|%|,|\))?)\z/ + CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmin|vw|vh|%|,|\))?)\z/ CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } class << self diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb index 8d6f97d6..ff57495a 100755 --- a/test/html5/test_sanitizer.rb +++ b/test/html5/test_sanitizer.rb @@ -329,6 +329,12 @@ def test_css_lh_value assert_match %r/2lh/, sane.inner_html end + def test_css_vmin_value + html = "

" + sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) + assert_match %r/42vmin/, sane.inner_html + end + def test_css_function_sanitization_leaves_safelisted_functions_calc html = "" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html) From bab56b571a94ccce331729f5c9723c6947ab9f27 Mon Sep 17 00:00:00 2001 From: Juanito Fatas Date: Tue, 26 Nov 2019 09:07:51 +0900 Subject: [PATCH 7/7] CSS sanitizer allows vmax length unit vmax 1% of the viewport's larger dimension. https://developer.mozilla.org/en-US/docs/Learn/CSS/Building_blocks/Values_and_units#Relative_length_units --- lib/loofah/html5/scrub.rb | 2 +- test/html5/test_sanitizer.rb | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index 2f6b9a26..6375d15a 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -6,7 +6,7 @@ module Loofah module HTML5 # :nodoc: module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ - CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmin|vw|vh|%|,|\))?)\z/ + CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/ CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } class << self diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb index ff57495a..d9c88b09 100755 --- a/test/html5/test_sanitizer.rb +++ b/test/html5/test_sanitizer.rb @@ -335,6 +335,12 @@ def test_css_vmin_value assert_match %r/42vmin/, sane.inner_html end + def test_css_vmax_value + html = "
" + sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml) + assert_match %r/42vmax/, sane.inner_html + end + def test_css_function_sanitization_leaves_safelisted_functions_calc html = "" sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)