OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

hsl() is not a predefined default CSS function #212

Closed KirillMakrutin closed 3 years ago

KirillMakrutin commented 3 years ago

By default, rgb and rgba functions are allowed, but not hsl.

input:

<div style="color: rgb(255, 0, 0)">rgb</div>
<div style="color: rgba(255, 0, 0, 1)">rgba</div>
<div style="color: hsl(0, 100%, 50%)">hsl</div>

output (using default CSS schema):

<div style="color:rgb( 255 , 0 , 0 )">rgb</div>
<div style="color:rgba( 255 , 0 , 0 , 1 )">rgba</div>
<div>hsl</div>

Can it be expected that the hsl function will be preserved?

mikesamuel commented 3 years ago

Yes. We can support hsl.

hsla while we're at it:

https://www.w3.org/TR/css-color-3/#hsla-color
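
A regression check for the behaviour reported in this thread, as an added example that is not part of the issue or the project's own code: it runs the color functions named above through a policy built with `allowStyling()` (the default CSS schema) and reports which ones survive in the library version on the classpath. The class name, method names and the `hsla` sample value are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class CssColorFunctionCheck {

    // <div> elements with style attributes filtered by the default CSS schema,
    // matching the setup described in the report.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("div")
        .allowStyling()
        .toFactory();

    // Maps each CSS function name to whether the sanitized output still contains it.
    static Map<String, Boolean> survivingFunctions() {
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("rgb", "rgb(255, 0, 0)");
        samples.put("rgba", "rgba(255, 0, 0, 1)");
        samples.put("hsl", "hsl(0, 100%, 50%)");
        samples.put("hsla", "hsla(0, 100%, 50%, 1)"); // constructed sample

        Map<String, Boolean> result = new LinkedHashMap<>();
        for (Map.Entry<String, String> sample : samples.entrySet()) {
            String html = "<div style=\"color: " + sample.getValue() + "\">x</div>";
            String sanitized = POLICY.sanitize(html);
            // The sanitizer re-serializes values with extra spaces, so match
            // on the function name followed by "(" rather than the full value.
            result.put(sample.getKey(), sanitized.contains(sample.getKey() + "("));
        }
        return result;
    }

    public static void main(String[] args) {
        boolean allPreserved = true;
        for (Map.Entry<String, Boolean> entry : survivingFunctions().entrySet()) {
            System.out.println(entry.getKey() + ": "
                + (entry.getValue() ? "preserved" : "stripped"));
            allPreserved &= entry.getValue();
        }
        // A non-zero exit lets a build step fail when a function is dropped.
        System.exit(allPreserved ? 0 : 1);
    }
}
```

A stripped function means the whole `color` declaration was removed, so user-supplied styling is silently lost rather than passed through unfiltered.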