diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 694b40c21e8..7292780b291 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -2578,8 +2578,24 @@ sub _NewScrubber {
 face => 1,
 size => 1,
 target => 1,
- style => qr{^(?:(?:color:\s*rgb\(\d+,\s*\d+,\s*\d+\))|
- (?:text-align:\s*))}ix,
+ style => qr{
+ ^(?:\s*
+ (?:(?:background-)?color: \s*
+ (?:rgb\(\s* \d+, \s* \d+, \s* \d+ \s*\) | # rgb(d,d,d)
+ \#[a-f0-9]{3,6} | # #fff or #ffffff
+ [\w\-]+ # green, light-blue, etc.
+ ) |
+ text-align: \s* \w+ |
+ font-size: \s* [\w.\-]+ |
+ font-family: \s* [\w\s"',.\-]+ |
+ font-weight: \s* [\w\-]+ |
+
+ # MS Office styles, which are probably fine. If we don't, then any
+ # associated styles in the same attribute get stripped.
+ mso-[\w\-]+?: \s* [\w\s"',.\-]+
+ )\s* ;? \s*)
+ +$ # one or more of these allowed properties from here 'till sunset
+ }ix,
 }
 );
 $scrubber->deny(qw[*]);
diff --git a/sbin/rt-test-dependencies.in b/sbin/rt-test-dependencies.in
index 506ecd3dd66..3b3b1c77489 100755
--- a/sbin/rt-test-dependencies.in
+++ b/sbin/rt-test-dependencies.in
@@ -279,6 +279,7 @@ Test::MockTime
 Log::Dispatch::Perl
 Test::WWW::Mechanize::PSGI
 Plack::Middleware::Test::StashWarnings
+Test::LongString
 .
 
 $deps{'FASTCGI'} = [ text_to_hash( << '.') ];
diff --git a/t/web/scrub.t b/t/web/scrub.t
new file mode 100644
index 00000000000..6483a750019
--- /dev/null
+++ b/t/web/scrub.t
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+
+use RT::Test nodb => 1, tests => 6;
+use RT::Interface::Web; # This gets us HTML::Mason::Commands
+use Test::LongString;
+
+{
+ my $html = 'This is a test of color and font and boldness.';
+ is_string(scrub_html($html), $html, "CKEditor produced HTML sails through");
+}
+
+{
+ my $html = '
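Review bot: The value classes for `font-family` and the `mso-*` properties, `[\w\s"',.\-]+`, admit a literal `"`, so this validator accepts a style value that the serializer later has to quote; unless the scrubber is known to re-encode attribute values on output, `"` is the one character worth dropping from both classes (`'` already covers quoted font names), e.g. `font-family: \s* [\w\s',.\-]+ |`. The closing anchor `+$` also matches before a trailing newline in the value, so `+\z` is the stricter form for an allow-list like this. A smaller functional point: `font-size: \s* [\w.\-]+` has no `%`, and as the comment inside the pattern notes, one unmatched property rejects the whole `style` attribute, so a percentage size — if the editor ever emits one — would strip every other property with it. `_NewScrubber` begins before and continues after the hunk.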

+ And alignment with color?

';
+ is_string(scrub_html($html), $html, "CKEditor produced HTML sails through");
+}
+
+{
+ my $html = 'This is a test of color and font and boldness.';
+ my $expected = 'This is a test of color and font and boldness.';
+ is_string(scrub_html($html), $expected, "nasty CSS not allowed through");
+}
+
+{
+ my $html = 'Let\'s add some color up in here.';
+ is_string(scrub_html($html), $html, "multiple props and color specs allowed");
+}
+
+{
+ my $html = q[oh hai I'm some text];
+ my $expected = q[oh hai I'm some text];
+ is_string(scrub_html($html), $expected, "font lists");
+}
+
+{
+ my $html = q[oh hai I'm some text];
+ my $expected = q[oh hai I'm some text];
+ is_string(scrub_html($html), $expected, "outlook html");
+}
+
+sub scrub_html {
+ return HTML::Mason::Commands::ScrubHTML(shift);
+}
+