feat: support unquoted CSS background-urls, fixes #578, #580

a-h · Mar 3, 2024 · f3417e0 · f3417e0
1 parent 8d48984
commit f3417e0
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 8 deletions.
diff --git a/.version b/.version
@@ -1 +1 @@
-0.2.602
+0.2.603
diff --git a/safehtml/style.go b/safehtml/style.go
@@ -62,17 +62,35 @@ var cssPropertyNameToValueSanitizer = map[string]func(string) string{
 	"z-index":             sanitizeRegular,
 }
 
+var validURLPrefixes = []string{
+	`url("`,
+	`url('`,
+	`url(`,
+}
+
+var validURLSuffixes = []string{
+	`")`,
+	`')`,
+	`)`,
+}
+
 func sanitizeBackgroundImage(v string) string {
+	// Check for <> as per https://github.com/google/safehtml/blob/be23134998433fcf0135dda53593fc8f8bf4df7c/style.go#L87C2-L89C3
+	if strings.ContainsAny(v, "<>") {
+		return InnocuousPropertyValue
+	}
 	for _, u := range strings.Split(v, ",") {
 		u = strings.TrimSpace(u)
-		if !strings.HasPrefix(u, `url("`) {
-			return InnocuousPropertyValue
-		}
-		if !strings.HasSuffix(u, `")`) {
-			return InnocuousPropertyValue
+		var found bool
+		for i, prefix := range validURLPrefixes {
+			if strings.HasPrefix(u, prefix) && strings.HasSuffix(u, validURLSuffixes[i]) {
+				found = true
+				u = strings.TrimPrefix(u, validURLPrefixes[i])
+				u = strings.TrimSuffix(u, validURLSuffixes[i])
+				break
+			}
 		}
-		u := u[5 : len(u)-2]
-		if !urlIsSafe(u) {
+		if !found || !urlIsSafe(u) {
 			return InnocuousPropertyValue
 		}
 	}

diff --git a/safehtml/style_test.go b/safehtml/style_test.go
@@ -122,6 +122,13 @@ func TestSanitizeCSS(t *testing.T) {
 			inputValue:       `url(/img?name=O'Reilly Animal(1)<2>.png)`,
 			expectedValue:    InnocuousPropertyValue,
 		},
+		{
+			name:             "angle brackets in quoted property value",
+			inputProperty:    "background-image",
+			expectedProperty: "background-image",
+			inputValue:       `url("/img?name=O'Reilly Animal(1)<2>.png")`,
+			expectedValue:    InnocuousPropertyValue,
+		},
 		{
 			name:             "background",
 			inputProperty:    "background",
@@ -178,6 +185,13 @@ func TestSanitizeCSS(t *testing.T) {
 			inputValue:       `url("/img.png")`,
 			expectedValue:    `url("/img.png")`,
 		},
+		{
+			name:             "background-image safe URL - two slashes",
+			inputProperty:    "background-image",
+			expectedProperty: "background-image",
+			inputValue:       `url("//img.png")`,
+			expectedValue:    `url("//img.png")`,
+		},
 		{
 			name:             "background-image safe HTTP URL",
 			inputProperty:    "background-image",