microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License
3.04k stars 178 forks

Add <style> support to allowStyles API #98

Open emersion opened 4 years ago

emersion commented 4 years ago

douceur already supports parsing full CSS stylesheets. Would you accept a patch sanitizing the content of <style> elements in addition to style attributes?

buro9 commented 4 years ago

Yes.

So long as there were a policy construction interface along the lines of the HTML sanitization policy builder, I'd definitely accept a PR that did this.

emersion commented 4 years ago

We already sanitize style attributes. The same should be applied to declarations in <style> elements.

emersion commented 4 years ago

What you're talking about is already done: https://github.com/microcosm-cc/bluemonday/blob/0a75d7616912ab9beb9cc6f7283ec1917c61b135/sanitize.go#L670

Simerax commented 7 months ago

Any update on this?