From a5d93bb6f51b7f2861695bbf15aabb86b20f7ff7 Mon Sep 17 00:00:00 2001
From: Lawson Jaglom-Kurtz <lawson.jaglomkurtz@shopify.com>
Date: Tue, 13 Aug 2024 16:01:40 -0600
Subject: [PATCH] Add protocol allowlisting for -webkit-image-set CSS function

---
 lib/sanitize/css.rb       | 4 ++--
 test/test_sanitize_css.rb | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/sanitize/css.rb b/lib/sanitize/css.rb
index 2741e76..9394b87 100644
--- a/lib/sanitize/css.rb
+++ b/lib/sanitize/css.rb
@@ -272,7 +272,7 @@ def property!(prop)
             return nil unless valid_url?(child)
           end
 
-          if name == 'image-set' || name == 'image'
+          if ['image-set', 'image', '-webkit-image-set'].include?(name)
             return nil unless valid_image?(child)
           end
 
@@ -353,7 +353,7 @@ def valid_url?(node)
   # using an allowlisted protocol.
   def valid_image?(node)
     return false unless node[:node] == :function
-    return false unless node.key?(:name) && ['image', 'image-set'].include?(node[:name].downcase)
+    return false unless node.key?(:name) && ['image', 'image-set', '-webkit-image-set'].include?(node[:name].downcase)
     return false unless Array === node[:value]
 
     node[:value].each do |token|
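Review bot: The comment above valid_image?, of which only the last line (line 25) is visible, appears to describe which function the check accepts; if it names image() and image-set(), it should now also mention -webkit-image-set(), e.g. `# Returns true if the node is an image(), image-set() or -webkit-image-set() function whose URLs all use an allowlisted protocol.` Otherwise a reader of the comment alone would not expect the vendor-prefixed form to pass. The body of valid_image? continues past the end of this hunk.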
diff --git a/test/test_sanitize_css.rb b/test/test_sanitize_css.rb
index 46df688..5002902 100644
--- a/test/test_sanitize_css.rb
+++ b/test/test_sanitize_css.rb
@@ -32,6 +32,9 @@
           "background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
           "background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
           "background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
+          "background: -webkit-image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
+          "background: -webkit-image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
+          "background: -webkit-image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
           "background: image('relative.jpg');",
           "background: image('https://example.com/https.jpg');",
           "background: image(rtl 'https://example.com/https.jpg');"
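Review bot: The three cases added on lines 41–43 exercise only the accepted path (relative and https: URLs); nothing in this hunk asserts that a -webkit-image-set() argument using a scheme outside the protocol allowlist is stripped, which is the behaviour the subject line promises. A rejection fixture alongside whatever negative cases the file already holds — presumably a separate list outside this hunk — such as `"background: -webkit-image-set('<disallowed-scheme>://example.com/x.jpg' 1x)"` (placeholder scheme) would pin that. The array literal these strings belong to starts before this hunk.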