search

mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License
1.51k stars 198 forks source link

Properties in @font-face declaration are removed (font-display, mso-generic-font-family, mso-font-alt) #541

Open maryia-kabash opened 2 months ago

maryia-kabash commented 2 months ago

Hello, I have a question on how to allow specific properties for @​font-face declaration (font-face is added to AllowedAtRules).

font-display, mso-generic-font-family, mso-font-alt are removed (adding them to AllowedCssProperties does not help because they are descriptors, not exactly CSS properties).

Maybe I am missing something with Sanitizer set up? Thanks!

Example input:

@​font-face {
    font-family: "FontName";
    src: url("https://path-to-file.woff") format("woff");
    font-display: swap;
    mso-generic-font-family: swiss;
    mso-font-alt: 'Calibri';
}

Output:

@​font-face {
    font-family: "FontName";
    src: url("https://path-to-file.woff") format("woff");
}
maryia-kabash commented 2 months ago

I believe the root cause is inside AngleSharp as it does not have these declarations listed here: https://github.com/AngleSharp/AngleSharp.Css/blob/devel/src/AngleSharp.Css/Dom/ICssFontFaceRule.cs