Whitelist text-align property for th and td

2018-06-15 14:05:26 +02:00 · 2018-06-15 14:05:26 +02:00 · e1a77fa757
parent bc2cf82f68
commit e1a77fa757
2 changed files with 13 additions and 2 deletions
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@ -25,10 +25,11 @@ module Banzai
        # Only push these customizations once
        return if customized?(whitelist[:transformers])

-        # Allow table alignment; we whitelist specific style properties in a
+        # Allow table alignment; we whitelist specific text-align values in a
        # transformer below
        whitelist[:attributes]['th'] = %w(style)
        whitelist[:attributes]['td'] = %w(style)
+        whitelist[:css] = { properties: ['text-align'] }

        # Allow span elements
        whitelist[:elements].push('span')
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do
      expect(doc.at_css('td')['style']).to eq 'text-align: center'
    end

+    it 'disallows `text-align` property in `style` attribute on other elements' do
+      html = <<~HTML
+        <div style="text-align: center">Text</div>
+      HTML
+
+      doc = filter(html)
+
+      expect(doc.at_css('div')['style']).to be_nil
+    end
+
    it 'allows `span` elements' do
      exp = act = %q{<span>Hello</span>}
      expect(filter(act).to_html).to eq exp
@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do

      'protocol-based JS injection: spaces and entities' => {
        input:  '<a href=" &#14;  javascript:alert(\'XSS\');">foo</a>',
-        output: '<a href="">foo</a>'
+        output: '<a href>foo</a>'
      },

      'protocol whitespace' => {