notes: allow all elements to have style/title attributes.

app/logical/note_sanitizer.rb

@@ -1,17 +1,25 @@
 module NoteSanitizer
+  ALLOWED_ELEMENTS = %w(
+    code center tn h1 h2 h3 h4 h5 h6 a span div blockquote br p ul li ol em
+    strong small big b i font u s pre ruby rb rt rp
+  )
+
+  ALLOWED_ATTRIBUTES = {
+    :all => %w(style title),
+    "a" => %w(href),
+    "span" => %w(class),
+    "div" => %w(class align),
+    "p" => %w(class align),
+    "font" => %w(color size),
+  }
+
   def self.sanitize(text)
     text.gsub!(/<( |-|3|:|>|\Z)/, "&lt;\\1")
 
     Sanitize.clean(
       text,
-      :elements => %w(code center tn h1 h2 h3 h4 h5 h6 a span div blockquote br p ul li ol em strong small big b i font u s pre ruby rb rt rp),
+      :elements => ALLOWED_ELEMENTS,
-      :attributes => {
+      :attributes => ALLOWED_ATTRIBUTES,
-        "a" => %w(href title style),
-        "span" => %w(class style),
-        "div" => %w(class style align),
-        "p" => %w(class style align),
-        "font" => %w(color size style)
-      },
       :protocols => {
         "a" => {
           "href" => ["http", "https", :relative]

test/unit/note_sanitizer_test.rb

@@ -11,5 +11,10 @@ class NoteSanitizerTest < ActiveSupport::TestCase
       body = '<p style="background-image: url(http://www.google.com);">test</p>'
       assert_equal("<p>test</p>", NoteSanitizer.sanitize(body))
     end
+
+    should "allow style attributes on every tag" do
+      body = '<p style="font-size: 1em;">test</p>'
+      assert_equal('<p style="font-size: 1em;">test</p>', NoteSanitizer.sanitize(body))
+    end
   end
 end