Some new css attributes are not referenced in the list and end up being removed from the sanitized string. like align-items. #197
Comments
|
Hi @miguelperez yes, please submit a PR with any additional CSS properties that you think should be included. This list was snapshot in 2008 in commit c673657 taken from http://code.google.com/p/html5lib/ and we've been adding more properties as the spec has evolved and as people needed it. There is some half-finished work to port Loofah to use DOMPurify and its CSS properties safelist -- see #155. Rather than generating and keeping our own list, the end game is to use DOMPurify's list, because it's widely-used and well-maintained. Hope this helps! |
This was referenced Mar 11, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Flex properties like align-items are removed from the sanitized css.
loofah/lib/loofah/html5/safelist.rb
Line 550 in 3e28e62
Is there a particular reason security those are not included? or Should I add a PR with the missing attributes? @flavorjones
UPDATE:
for reference, this is a complete list of CSS Properties: https://developer.mozilla.org/en-US/docs/Web/CSS/Reference
The text was updated successfully, but these errors were encountered: