mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License

How to allow css like ::-webkit-scrollbar ? #322

Closed sikkamukul closed 2 years ago

sikkamukul commented 2 years ago

Attaching the sample code:

::-webkit-scrollbar-thumb { background: #888 }

It is being removed on sanitization from the style tag. Kindly help to retain it after sanitization.

mganss commented 2 years ago

Unfortunately, this currently doesn't work due to an issue within AngleSharp.Css. See https://github.com/AngleSharp/AngleSharp.Css/issues/98

Perhaps you can work around the issue by modifying your use case. Do you really want to allow users to input whole style sheets containing vendor specific selectors?

sikkamukul commented 2 years ago

Yes, this use case allows users to enter pseudo-elements in CSS style. Any workaround you would suggest for the same?

mganss commented 2 years ago

No, can't think of a workaround 🤷🏻 Hopefully, this gets addressed by AngleSharp.Css soon.

pragatibaheti commented 2 years ago

Related doubt. Also, does it consider nested CSS classes (SCSS) in style tags during sanitization?

.some-class {
  &.another-class {}
}

mganss commented 2 years ago

@pragatibaheti No, this isn't even supported by any browser: https://caniuse.com/css-nesting

mganss commented 2 years ago

Fixed in 7.0.473 (through AngleSharp 0.16.3)
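
To confirm the fix against the version you actually have installed, the following check sanitizes the rule from this issue and reports whether it survives. It is an added example, not code from the thread or from the HtmlSanitizer project; it assumes the HtmlSanitizer NuGet package (namespace Ganss.Xss), and the class name and sample input are constructed for illustration.

```csharp
using System;
using Ganss.Xss;

class ScrollbarRuleCheck // hypothetical name
{
    // Constructed sample input: the rule from this issue plus a script element.
    const string Input =
        "<style>::-webkit-scrollbar-thumb { background: #888 }</style>" +
        "<div>content</div><script>document.title = 'x'</script>";

    static int Main()
    {
        var sanitizer = new HtmlSanitizer();

        // <style> is not allowed by default. Adding it means accepting
        // user-supplied style sheets, so the other allow-lists (CSS
        // properties, at-rules, schemes) are left at their defaults here.
        sanitizer.AllowedTags.Add("style");

        // Log what the sanitizer reports removing, with its stated reason.
        sanitizer.RemovingTag += (s, e) =>
            Console.WriteLine($"removed tag <{e.Tag.LocalName}>: {e.Reason}");
        sanitizer.RemovingStyle += (s, e) =>
            Console.WriteLine($"removed declaration {e.Style.Name}: {e.Reason}");

        string output = sanitizer.Sanitize(Input);
        Console.WriteLine(output);

        // Per this thread, versions before 7.0.473 dropped the pseudo-element
        // rule. The serialized CSS may be normalized, so test for the selector
        // rather than for the exact input text.
        bool ruleKept =
            output.IndexOf("::-webkit-scrollbar-thumb", StringComparison.Ordinal) >= 0;

        // Allowing <style> must not let a script element through.
        bool scriptGone =
            output.IndexOf("<script", StringComparison.OrdinalIgnoreCase) < 0;

        Console.WriteLine($"pseudo-element rule kept: {ruleKept}");
        Console.WriteLine($"script element removed:   {scriptGone}");
        return ruleKept && scriptGone ? 0 : 1;
    }
}
```

The non-zero exit code makes this usable as a build step that fails if a dependency downgrade brings the old behaviour back.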