Some new CSS attributes are not referenced in the list and end up being removed from the sanitized string, like align-items. #197
Comments
Hi @miguelperez yes, please submit a PR with any additional CSS properties that you think should be included. This list was snapshot in 2008 in commit c673657 taken from http://code.google.com/p/html5lib/ and we've been adding more properties as the spec has evolved and as people needed it. There is some half-finished work to port Loofah to use DOMPurify and its CSS properties safelist -- see #155. Rather than generating and keeping our own list, the end game is to use DOMPurify's list, because it's widely-used and well-maintained. Hope this helps!
Flex properties like align-items are removed from the sanitized css.
loofah/lib/loofah/html5/safelist.rb
Line 550 in 3e28e62
Is there a particular security reason those are not included? Or should I add a PR with the missing attributes? @flavorjones
UPDATE:
for reference, this is a complete list of CSS Properties: https://developer.mozilla.org/en-US/docs/Web/CSS/Reference
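
The behaviour discussed in this issue, as an added example (not Loofah's code and not part of the original thread): a property safelist keeps only declarations whose name is listed, so a newer property such as `align-items` is dropped until it is added. The `filter_style` helper and the tiny `SAMPLE_ALLOWED_PROPERTIES` set are hypothetical, and the naive split on `;` stands in for a real CSS parser.

```ruby
require "set"

# Constructed, deliberately tiny safelist for illustration only. Loofah's
# real list lives in lib/loofah/html5/safelist.rb and is much longer.
SAMPLE_ALLOWED_PROPERTIES = Set.new(%w[color display margin text-align width]).freeze

# Keeps declarations whose property name is on the safelist and reports the
# rest, so properties missing from the list are easy to spot before a PR.
# Returns [sanitized_style, dropped_property_names].
# Assumption: values contain no ";" (no quoted strings or url() with one).
def filter_style(style, allowed = SAMPLE_ALLOWED_PROPERTIES)
  kept = []
  dropped = []
  style.split(";").each do |declaration|
    name, value = declaration.split(":", 2)
    property = name.to_s.strip.downcase   # property names are case-insensitive
    value = value.to_s.strip
    next if property.empty?               # empty segment, e.g. trailing ";"
    if value.empty?
      dropped << property                 # malformed: name without a value
    elsif allowed.include?(property)
      kept << "#{property}: #{value};"
    else
      dropped << property                 # not on the safelist: removed
    end
  end
  [kept.join(" "), dropped]
end

if __FILE__ == $PROGRAM_NAME
  sample = "display: flex; align-items: center; COLOR: red;" # constructed input
  sanitized, dropped = filter_style(sample)
  puts "sanitized: #{sanitized}"
  puts "dropped:   #{dropped.join(', ')}"

  # After extending the safelist, the flex property survives.
  extended = SAMPLE_ALLOWED_PROPERTIES | ["align-items"]
  puts "extended:  #{filter_style(sample, extended).first}"
end
```

The list of dropped names is the useful output when auditing existing markup: it shows which properties a safelist update would need to cover.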