mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License

Some property values are removed when sanitized #329

Closed pragatibaheti closed 1 year ago

pragatibaheti commented 2 years ago

I have explored and have some open items that show wrong results (valid values are removed). Here is a short point-wise summary:

  1. background-image: conical-gradient(color,color,color)

         <style>
         #grad
         {
         background-image: conic-gradient(red, yellow, green);
         }
         </style>

     sanitized to

         <style> #grad{} </style>

     Reference: https://www.w3schools.com/css/css3_gradients_conic.asp

  2. transform: skew(20deg)

         <style>
         #grad
         {
         transform : skew(20deg);
         }
         </style>

     sanitized to

         <style> #grad{} </style>

     Reference: https://www.w3schools.com/css/css3_2dtransforms.asp

Seems like a bug. Can you confirm?

mganss commented 2 years ago

I have opened an issue with AngleSharp.Css: https://github.com/AngleSharp/AngleSharp.Css/issues/101

skew works if you specify both axes, e.g. transform: skew(20deg, 15deg);

glen-84 commented 1 year ago

@mganss This can probably be closed now? (https://github.com/AngleSharp/AngleSharp.Css/releases/tag/v0.17.0)

mganss commented 1 year ago

Resolved in AngleSharp.Css 0.17.0 and thus HtmlSanitizer 8.0.638.