mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License
1.51k stars 198 forks

css attribute white-space is being removed by default #547

Closed 0xor1 closed 1 month ago

0xor1 commented 1 month ago
using System;
using Ganss.Xss;

var sut = new HtmlSanitizer();
var res = sut.Sanitize("<div style=\"white-space:wrap\"><p style=\"white-space:wrap\">yolo</p></div>");
Console.WriteLine(res);

Output:

<div><p>yolo</p></div>

Using pkg version 8.0.865. The docs say it should allow the CSS property white-space by default, but it gets stripped out.

mganss commented 1 month ago

wrap is not a legal value for white-space.
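
A quick way to check which `white-space` declarations survive sanitization, added here as an example (not code from the issue or from the HtmlSanitizer project). The list of candidate values is constructed for illustration; it runs each one through a default `HtmlSanitizer` and reports whether the declaration is still present in the output.

```csharp
using System;
using Ganss.Xss;

var sanitizer = new HtmlSanitizer();

// Is the property itself on the default allow-list, as the docs state?
Console.WriteLine(
    $"white-space in AllowedCssProperties: {sanitizer.AllowedCssProperties.Contains("white-space")}");

// Log any style removal the sanitizer itself reports. A declaration that the
// CSS parser discards before the allow-list check would not show up here.
sanitizer.RemovingStyle += (_, e) =>
    Console.WriteLine($"  RemovingStyle: {e.Style.Name}: {e.Style.Value} ({e.Reason})");

// Constructed sample values: the CSS 2.1 keywords plus the value from the issue.
string[] candidates = { "normal", "nowrap", "pre", "pre-wrap", "pre-line", "wrap" };

foreach (var value in candidates)
{
    var input = $"<p style=\"white-space:{value}\">yolo</p>";
    var output = sanitizer.Sanitize(input);

    // The declaration counts as kept only if it is still in the sanitized markup.
    var kept = output.Contains("white-space", StringComparison.OrdinalIgnoreCase);
    Console.WriteLine($"{value,-9} kept={kept}  ->  {output}");
}
```

Running this against the package version in use separates the two cases the thread is about: a property missing from the allow-list versus a value that does not make it through CSS parsing.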