OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

CSS grids not supported #234

Open CGjupoulton opened 3 years ago

CGjupoulton commented 3 years ago

Even with allowStyling(), this:

<div style="display: grid; grid-template-columns: repeat( auto-fit, minmax(160px, 1fr) );">

becomes

<div>

It seems that "display: grid" and all the other CSS grid properties are not part of the list of valid properties. How can I allow these?

mukuldhariwal94 commented 2 years ago

I think you need to do

.allowAttributes("style", "class")
    .globally()

if you want to allow the style tag globally in all html elements or

.allowAttributes("style", "class")
    .onElements("div");

if you want to allow the style tag in only the div elements

CGjupoulton commented 2 years ago

> if you want to allow the style tag in only the div elements

That works for other CSS properties such as color, but not the newer grid properties.

mikesamuel commented 2 years ago

CssSchema is where support needs to go.

Do you have a list of the grid properties you need?

The sanitizer needs to preserve visual containment, so we need to be cautious about display properties, like negative left/right/top/bottom values and display:fixed that can be used to exempt an element from a clipping box introduced by a trusted element.
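An added example, not code from this thread or from the project, that puts the two configurations discussed above side by side on the reporter's markup: allowStyling() routes the style value through CssSchema, so only properties the schema knows survive, whereas allowing the style attribute directly (as in the earlier suggestion) attaches no value policy, so the CSS is re-emitted without the containment checks described in this comment. Class, constant and method names are my own; it assumes the library is on the classpath under org.owasp.html.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class GridStyleContainment {

    // Constructed input: the markup from the report, plus a color declaration
    // for comparison and the kind of positioning declarations the containment
    // concern is about. Whether each declaration survives is decided by
    // CssSchema, not by the element policy.
    static final String INPUT =
        "<div style=\"color: red; display: grid; "
        + "grid-template-columns: repeat( auto-fit, minmax(160px, 1fr) ); "
        + "position: fixed; top: -100px;\">grid content</div>";

    // Schema-backed styling: the style value is parsed and every declaration
    // is checked against CssSchema; properties the schema does not list are
    // dropped, which is why the grid properties disappear in the report.
    static final PolicyFactory SCHEMA_CHECKED = new HtmlPolicyBuilder()
        .allowElements("div")
        .allowStyling()
        .toFactory();

    // The style attribute allowed like any other attribute: no value policy
    // is attached, so nothing inspects the CSS before it is re-emitted.
    static final PolicyFactory UNCHECKED_STYLE = new HtmlPolicyBuilder()
        .allowElements("div")
        .allowAttributes("style").onElements("div")
        .toFactory();

    static String sanitizeChecked(String html) {
        return SCHEMA_CHECKED.sanitize(html);
    }

    static String sanitizeUnchecked(String html) {
        return UNCHECKED_STYLE.sanitize(html);
    }

    public static void main(String[] args) {
        System.out.println("allowStyling():             " + sanitizeChecked(INPUT));
        System.out.println("allowAttributes(\"style\"):  " + sanitizeUnchecked(INPUT));
    }
}
```

Comparing the two outputs shows which declarations the default CssSchema removes; the second policy is the one to avoid when untrusted authors control the style attribute.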

CGjupoulton commented 2 years ago

display: grid; and grid-template-columns: repeat( auto-fit, minmax(160px, 1fr) ); is the CSS I am trying to allow for my use case.

The grid-template-columns property is quite complex, I'm unsure how to edit the CssSchema to allow it.

If possible, I would like to allow all the grid based properties, referenced here for potential future use.