fixed inline style default whitelist

bgalek · Nov 20, 2020 · dfd6f6e · dfd6f6e
1 parent e27b4d3
commit dfd6f6e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/main/java/com/github/bgalek/security/svg/SvgSecurityValidator.java b/src/main/java/com/github/bgalek/security/svg/SvgSecurityValidator.java
@@ -50,7 +50,7 @@ private static Set<String> getOffendingElements(String xml) {
         if (JAVASCRIPT_PROTOCOL_IN_CSS_URL.matcher(xml).find()) return Collections.singleton("style");
         PolicyFactory policy = new HtmlPolicyBuilder()
                 .allowElements(SVG_ELEMENTS)
-                .allowStyling(CssSchema.withProperties(SVG_SPECIFIC_STYLES))
+                .allowStyling(CssSchema.union(CssSchema.DEFAULT, CssSchema.withProperties(SVG_SPECIFIC_STYLES)))
                 .allowAttributes(SVG_ATTRIBUTES).globally()
                 .allowUrlProtocols("https")
                 .toFactory();