flavorjones / loofah

Ruby library for HTML/XML transformation and sanitization
MIT License

RFC: should Loofah sanitize `<style>` tag contents #248

Open flavorjones opened 1 year ago

flavorjones commented 1 year ago

I recently had a conversation with some folks about best practices in sanitizing CSS stylesheets, and I realized that Loofah is no help here. Currently, `<style>` tag contents are treated as CDATA, but no particular sanitization is being done like we do for `style` attributes.

What do y'all think about adding some Crass-based parsing for `<style>` tags to ensure they're well-formed and sanitized similarly to `style` attributes?

We obviously would want to take care that Rails apps (and any other web apps that use Loofah) wouldn't accidentally scrub any stylesheets that are inlined in `html/head`. But I think this should be easy?
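To make the proposal concrete, here is an added example (not Loofah's code, and not the Crass-based implementation the comment above proposes) of what sanitizing `<style>` contents "similarly to `style` attributes" could look like: an allowlist of properties, rejection of script-bearing values such as `expression()` and `javascript:` URLs, removal of statement at-rules like `@import`, and recursion into conditional blocks like `@media`. The `SAFE_PROPERTIES` list, the `DANGEROUS_VALUE` pattern, the hand-rolled scanner standing in for Crass, and the sample stylesheet are all assumptions constructed for this illustration so it runs with only the Ruby standard library.

```ruby
# Added illustration for this issue: a minimal allowlist-based sanitizer for
# the contents of a <style> tag. This is NOT Loofah's code; it uses a small
# hand-rolled scanner in place of Crass so it needs no gems.

# Hypothetical allowlist; a real implementation would reuse the attribute one.
SAFE_PROPERTIES = %w[color background-color background-image font-size font-weight
                     font-family margin padding border text-align width height
                     display].freeze

# Value fragments that must never survive, regardless of property.
DANGEROUS_VALUE = /expression\s*\(|javascript:|vbscript:|-moz-binding|@import/i

# A url() target is accepted only when it is http(s) or scheme-less (relative).
def safe_value?(value)
  return false if value.match?(DANGEROUS_VALUE)

  value.scan(/url\(\s*(['"]?)(.*?)\1\s*\)/i).all? do |_quote, target|
    target.match?(%r{\Ahttps?://}i) || !target.include?(':')
  end
end

# Splits css into top-level rules, yielding [prelude, body]. A statement
# at-rule ("@import ...;") or a declaration ("color: red") yields body = nil.
# Tracks quotes and brace depth so nested blocks come back as one body.
def each_rule(css)
  i = 0
  while i < css.length
    j = i
    depth = 0
    quote = nil
    body_start = nil
    while j < css.length
      c = css[j]
      if quote
        quote = nil if c == quote && css[j - 1] != '\\'
      elsif c == '"' || c == "'"
        quote = c
      elsif c == '{'
        body_start = j if depth.zero?
        depth += 1
      elsif c == '}'
        depth -= 1
        break if depth.zero?
      elsif c == ';' && depth.zero?
        break
      end
      j += 1
    end
    if body_start
      yield css[i...body_start].strip, css[(body_start + 1)...j]
    else
      prelude = css[i...j].strip
      yield prelude, nil unless prelude.empty?
    end
    i = j + 1
  end
end

# Keeps only allowlisted properties whose values pass safe_value?.
def sanitize_declarations(body)
  kept = []
  each_rule(body) do |decl, nested|
    next if nested # a declaration never carries a block; drop anything odd

    prop, _sep, value = decl.partition(':')
    prop = prop.strip.downcase
    value = value.strip
    next unless SAFE_PROPERTIES.include?(prop) && !value.empty? && safe_value?(value)

    kept << "#{prop}: #{value}"
  end
  kept
end

# Rebuilds the stylesheet from sanitized rules. Statement at-rules are dropped,
# @media/@supports are recursed into, other at-rules (@font-face, @keyframes)
# are dropped, and ordinary rules keep only their sanitized declarations.
def sanitize_stylesheet(css)
  css = css.gsub(%r{/\*.*?\*/}m, '') # strip comments first (toy approach)
  rules = []
  each_rule(css) do |prelude, body|
    next if body.nil?

    if prelude.start_with?('@')
      next unless prelude.match?(/\A@(media|supports)\b/i)

      inner = sanitize_stylesheet(body)
      rules << "#{prelude} { #{inner} }" unless inner.empty?
    else
      decls = sanitize_declarations(body)
      rules << "#{prelude} { #{decls.join('; ')} }" unless decls.empty?
    end
  end
  rules.join("\n")
end

# Constructed sample input mixing benign rules with the usual CSS attack vectors.
SAMPLE_CSS = <<~CSS
  @import url("https://evil.example/steal.css");
  body { color: red; background-image: url(javascript:alert(1)); }
  p { width: expression(alert(1)); font-size: 12px }
  @media screen { h1 { font-weight: bold; behavior: url(x.htc) } }
  @font-face { font-family: x; src: url(https://evil.example/f.woff) }
CSS

puts sanitize_stylesheet(SAMPLE_CSS) if $PROGRAM_NAME == __FILE__
```

Running it prints only `body { color: red }`, `p { font-size: 12px }` and `@media screen { h1 { font-weight: bold } }`; everything else is dropped. The design point for the RFC is that a tokenizer like Crass is needed to do this robustly (strings, escapes and comments make regex-only approaches unreliable), and that the allowlist and value checks can be shared with the existing `style` attribute scrubber so the two code paths do not drift apart.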

John-Odom commented 1 year ago

We would love this

flavorjones commented 1 year ago

@John-Odom Thanks for commenting! Can you tell me a little bit about your use case?