diff --git a/app/logical/note_sanitizer.rb b/app/logical/note_sanitizer.rb
index 904a09c24..e786dc1f2 100644
--- a/app/logical/note_sanitizer.rb
+++ b/app/logical/note_sanitizer.rb
@@ -13,6 +13,45 @@ module NoteSanitizer
     "font" => %w(color size),
   }
 
+  ALLOWED_PROPERTIES = %w(
+    background background-color
+    border border-color border-image border-radius border-style border-width
+    border-bottom border-bottom-color border-bottom-left-radius border-bottom-right-radius border-bottom-style border-bottom-width
+    border-left border-left-color border-left-style border-left-width
+    border-right border-right-color border-right-style border-right-width
+    border-top border-top-color border-top-left-radious border-top-right-radius border-top-style border-top-width
+    bottom left right top
+    box-shadow
+    clear
+    color
+    display
+    filter
+    float
+    font font-family font-size font-size-adjust font-style font-variant font-weight
+    height width
+    letter-spacing
+    line-height
+    list-style list-style-position list-style-type
+    margin margin-bottom margin-left margin-right margin-top
+    opacity
+    outline outline-color outline-offset outline-width outline-style
+    padding padding-bottom padding-left padding-right padding-top
+    perspective perspective-origin
+    position
+    text-align
+    text-decoration text-decoration-color text-decoration-line text-decoration-style
+    text-indent
+    text-shadow
+    text-transform
+    transform transform-origin
+    white-space
+    word-break
+    word-spacing
+    word-wrap overflow-wrap
+    writing-mode
+    vertical-align
+  )
+
   def self.sanitize(text)
     text.gsub!(/<( |-|3|:|>|\Z)/, "<\\1")
 
@@ -25,9 +64,13 @@ module NoteSanitizer
           "href" => ["http", "https", :relative]
         }
       },
-      :css => Sanitize::Config::RELAXED[:css].merge({
-        :protocols => []
-      })
+      :css => {
+        allow_comments: false,
+        allow_hacks: false,
+        at_rules: [],
+        protocols: [],
+        properties: ALLOWED_PROPERTIES,
+      }
     )
   end
 end
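Review bot: `border-top-left-radious` in the border-top line of ALLOWED_PROPERTIES is misspelled, so a `border-top-left-radius` declaration will presumably be dropped by the property allowlist while the other three corner radii pass; change it to `border-top-left-radius`. The list also admits `position` together with `top`/`left`/`right`/`bottom`, `opacity` and `transform`, which lets a note's inline style place itself outside its own box and over other page content; if notes are not meant to do that, drop `position` or constrain its value in a Sanitize transformer, and record the decision in a comment above the constant. The constant is never frozen, so `).freeze` would keep the allowlist from being mutated at runtime. The `module NoteSanitizer` header is outside the hunk and `self.sanitize` continues past its end.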
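Review bot: `protocols: []` is now the only thing keeping `url()` values out of the allowed `background`, `border-image`, `filter` and `list-style` properties, but nothing in the hash records that dependency; a comment such as `# protocols: [] rejects every url() value — keep it empty, several allowed properties accept URLs` would stop a later edit from quietly re-enabling remote fetches from note styles. Replacing the `Sanitize::Config::RELAXED[:css].merge` with a literal hash also means any CSS config key not listed here falls back to Sanitize's own defaults rather than RELAXED's, which looks intended but deserves a line in the same comment. The configuration call this hash belongs to starts outside the hunk.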