notes: make allowed css properties explicit.

app/logical/note_sanitizer.rb

@@ -13,6 +13,45 @@ module NoteSanitizer
     "font" => %w(color size),
   }
 
+  ALLOWED_PROPERTIES = %w(
+    background background-color
+    border border-color border-image border-radius border-style border-width
+    border-bottom border-bottom-color border-bottom-left-radius border-bottom-right-radius border-bottom-style border-bottom-width
+    border-left border-left-color border-left-style border-left-width
+    border-right border-right-color border-right-style border-right-width
+    border-top border-top-color border-top-left-radious border-top-right-radius border-top-style border-top-width
+    bottom left right top
+    box-shadow
+    clear
+    color
+    display
+    filter
+    float
+    font font-family font-size font-size-adjust font-style font-variant font-weight
+    height width
+    letter-spacing
+    line-height
+    list-style list-style-position list-style-type
+    margin margin-bottom margin-left margin-right margin-top
+    opacity
+    outline outline-color outline-offset outline-width outline-style
+    padding padding-bottom padding-left padding-right padding-top
+    perspective perspective-origin
+    position
+    text-align
+    text-decoration text-decoration-color text-decoration-line text-decoration-style
+    text-indent
+    text-shadow
+    text-transform
+    transform transform-origin
+    white-space
+    word-break
+    word-spacing
+    word-wrap overflow-wrap
+    writing-mode
+    vertical-align
+  )
+
   def self.sanitize(text)
     text.gsub!(/<( |-|3|:|>|\Z)/, "&lt;\\1")
 
@@ -25,9 +64,13 @@ module NoteSanitizer
           "href" => ["http", "https", :relative]
         }
       },
-      :css => Sanitize::Config::RELAXED[:css].merge({
+      :css => {
-        :protocols => []
+        allow_comments: false,
-      })
+        allow_hacks: false,
+        at_rules: [],
+        protocols: [],
+        properties: ALLOWED_PROPERTIES,
+      }
     )
   end
 end