I recently had a conversation with some folks about best practices in sanitizing CSS stylesheets, and I realized that Loofah is no help here. Currently <style> tag contents are treated as CDATA but no particular sanitization is being done like we do for style attributes.
What do y'all think about adding some Crass-based parsing for <style> tags to ensure they're well-formed and sanitized similarly to style attributes?
We obviously would want to take care that Rails apps (and any other web apps that use Loofah) wouldn't accidentally scrub any stylesheets that are inlined in html/head. But I think this should be easy?
I recently had a conversation with some folks about best practices in sanitizing CSS stylesheets, and I realized that Loofah is no help here. Currently
<style>
tag contents are treated as CDATA but no particular sanitization is being done like we do forstyle
attributes.What do y'all think about adding some Crass-based parsing for
<style>
tags to ensure they're well-formed and sanitized similarly tostyle
attributes?We obviously would want to take care that Rails apps (and any other web apps that use Loofah) wouldn't accidentally scrub any stylesheets that are inlined in
html/head
. But I think this should be easy?