The current HTML sanitizer removes CSS shorthand properties with a float value that has more than 2 decimals of precision. From my testing, this only applies to the shorthand properties.
I wrote a Ruby script that tests a couple of simple cases and illustrates the problem: https://gist.github.com/danfstucky/ea3115cf63e636bc4aa887d8b0c7fabd
Here is a screenshot of the output from running that script:
As you can see, loofah is removing the CSS shorthand properties that contain >2 decimals, but does not remove CSS properties with >2 decimals that are not shorthand (such as text-indent).
Neither loofah's nor html5lib's documentation indicates this would be the expected outcome.
Is this the expected behavior of loofah? If so, then why?
I also submitted a PR for the change if that helps speed up the process. #150