java-html-sanitizer
CSS grids not supported
Even with allowStyling(), this:
<div style="display: grid; grid-template-columns: repeat( auto-fit, minmax(160px, 1fr) );">
becomes
<div>
It seems that "display: grid" and all the other CSS grid properties are not part of the list of valid properties. How can I allow these?
I think you need to do
.allowAttributes(
    "style", "class"
).globally()
if you want to allow the style tag globally in all html elements or
.allowAttributes(
    "style", "class"
).onElements("div");
if you want to allow the style tag in only the div elements
That works for other CSS properties such as color, but not the newer grid properties.
CssSchema is where support needs to go.
Do you have a list of the grid properties you need?
The sanitizer needs to preserve visual containment, so we need to be cautious about display properties, like negative left/right/top/bottom values and display:fixed that can be used to exempt an element from a clipping box introduced by a trusted element.
display: grid; and grid-template-columns: repeat( auto-fit, minmax(160px, 1fr) ); is the CSS I am trying to allow for my use case.
The grid-template-columns property is quite complex, I'm unsure how to edit the CssSchema to allow it.
If possible, I would like to allow all the grid based properties, referenced here for potential future use.
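Added example, not code from this thread or from java-html-sanitizer: a standalone allowlist check (it does not use or modify CssSchema) for the two declarations requested above, showing how strict the grammar for grid-template-columns has to be so that negative lengths and unknown functions are dropped. The class name, the accepted units and keywords, and the 512-character limit are assumptions, as is treating display: grid as acceptable for the embedding page.

```java
import java.util.*;
import java.util.regex.Pattern;

public class GridStyleFilter {
  // Non-negative sizes only: there is no minus sign in the grammar, so negative values never match.
  static final String SIZE = "(?:\\d+(?:\\.\\d+)?(?:px|em|rem|%|fr)|auto|min-content|max-content)";
  static final String MINMAX = "minmax\\(\\s*" + SIZE + "\\s*,\\s*" + SIZE + "\\s*\\)";
  static final String TRACK = "(?:" + SIZE + "|" + MINMAX + ")";
  static final String TRACKS = TRACK + "(?:\\s+" + TRACK + ")*";
  static final String REPEAT =
      "repeat\\(\\s*(?:\\d{1,3}|auto-fit|auto-fill)\\s*,\\s*" + TRACKS + "\\s*\\)";
  static final String ITEM = "(?:" + TRACK + "|" + REPEAT + ")";

  // Assumption: only these two properties are wanted; every other property is dropped.
  static final Map<String, Pattern> ALLOWED = new HashMap<>();
  static {
    ALLOWED.put("display", Pattern.compile("grid|inline-grid"));
    ALLOWED.put("grid-template-columns", Pattern.compile(ITEM + "(?:\\s+" + ITEM + ")*"));
  }

  /** Returns only the declarations whose name and entire value match the allowlist. */
  static String filter(String style) {
    List<String> kept = new ArrayList<>();
    if (style == null || style.length() > 512) return ""; // fail closed on oversized input
    for (String decl : style.split(";")) {
      int colon = decl.indexOf(':');
      if (colon < 0) continue;
      String name = decl.substring(0, colon).trim().toLowerCase(Locale.ROOT);
      String value = decl.substring(colon + 1).trim().toLowerCase(Locale.ROOT);
      Pattern p = ALLOWED.get(name);
      // matches() requires the whole value to fit the grammar, not just a prefix.
      if (p != null && p.matcher(value).matches()) kept.add(name + ": " + value);
    }
    return String.join("; ", kept);
  }

  public static void main(String[] args) {
    // Constructed inputs: the style from the issue, then values that must be dropped.
    String[] samples = {
      "display: grid; grid-template-columns: repeat( auto-fit, minmax(160px, 1fr) );",
      "display: grid; position: fixed; left: -20px",
      "grid-template-columns: repeat(auto-fit, minmax(-160px, 1fr))",
      "grid-template-columns: url(x) 1fr",
    };
    for (String s : samples) System.out.println("[" + filter(s) + "]");
  }
}
```

The first sample keeps both declarations, the second keeps only `display: grid`, and the last two produce an empty result.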