#6233 Improve css validation #6234
Hi @sosnovsky - This one is ready for a review. Thank you!

Hi @sosnovsky - This one is ready for review. Thank you!
| private static HREF_REGEX_CACHE: RegExp | undefined; | ||
| private static FORBID_CSS_STYLE = /z-index:[^;]+;|position:[^;]+;|background[^;]+;/g; | ||
| private static FORBID_CSS_STYLE = | ||
| /(?:^|;)\s*(?:z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:[^;]*;?/gi; |
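Review bot: the replacement pattern on the new line consumes both the leading separator (through `(?:^|;)`) and an optional trailing one (through `;?`), so when two forbidden declarations are adjacent the second one is reached with its leading `;` already eaten, fails to match, and survives with only its `;` removed, leaving merged text such as `z-index:999999left:0`. Match the trailing separator with a lookahead instead, `\s*:[^;]*(?=;|$)` in place of `\s*:[^;]*;?`, and add a unit test that feeds several consecutive forbidden properties so the regression is caught.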
looks like this regex fully removes only the first statement, and for the next ones it removes just `;`:
"position:absolute;z-index:999999;top:0;left:0;width:100%;height:100%;background:white".replace(/(?:^|;)\s*(?:z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:[^;]*;?/gi, ''); // returns "z-index:999999left:0height:100%;background:white"
fixed regex should look like /(^|;)\s*(?:z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:[^;]*(?=;|$)/gi
and let's also add a test for such cases, to be sure that our implementation works correctly, thanks!
| const urlRegex = /url\(\s*(["']?)(.*?)\1\s*\)/gi; | ||
| let match; | ||
| // eslint-disable-next-line no-null/no-null | ||
| while ((match = urlRegex.exec(cleaned)) !== null) { | ||
| const fullMatch = match[0]; | ||
| const url = match[2]; | ||
| // Only allow data: and cid: schemes | ||
| const isSafe = /^(data:|cid:)/i.test(url); | ||
| if (!isSafe) { | ||
| // Remove the unsafe url(...) token completely | ||
| cleaned = cleaned.replace(fullMatch, ''); | ||
| } | ||
| } |
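Review bot: the loop mutates `cleaned` while `urlRegex.exec(cleaned)` is still iterating with the `lastIndex` left by the previous match, so once an unsafe token is removed the string shrinks, the next `exec` resumes past characters it never inspected, and an adjacent unsafe `url(...)` can be skipped; `cleaned.replace(fullMatch, '')` with a string pattern also replaces only the first occurrence of that token. A single `cleaned.replace(urlRegex, (fullMatch, _quote, url) => /^(data:|cid:)/i.test(url) ? fullMatch : '')` avoids both problems.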
let's replace this while loop with a simpler single replace statement:
cleaned = cleaned.replace(/url\(\s*(["']?)(.*?)\1\s*\)/gi, (fullMatch: string, _, url: string) => {
// Only allow data: and cid: schemes
const isSafe = /^(data:|cid:)/i.test(url);
return isSafe ? fullMatch : '';
});
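Both review suggestions above combined into one sanitizer, as an added example that is not code from this PR or from the project; `stripForbiddenDeclarations`, `stripUnsafeUrls` and `sanitizeStyle` are assumed names, and the PR's original pattern is kept alongside the corrected one so the separator-merging bug is visible side by side.

```typescript
// Added example, not project code. Both patterns come from the review thread above.

// Pattern as submitted in the PR: it consumes the leading ';' and an optional trailing ';',
// so two adjacent forbidden declarations lose their separator and the second one survives.
const FORBID_CSS_STYLE_OLD =
  /(?:^|;)\s*(?:z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:[^;]*;?/gi;

// Reviewer's fix: the trailing ';' is only looked at, not consumed, so the next
// declaration still begins with its own ';' and is matched on the next iteration.
const FORBID_CSS_STYLE =
  /(^|;)\s*(?:z-index|position|display|visibility|opacity|transform|clip-path|clip|top|left|right|bottom|pointer-events|font-size|line-height|width|height|text-indent|filter)\s*:[^;]*(?=;|$)/gi;

// Remove every forbidden declaration. `pattern` is parameterised only so the old and
// corrected regexes can be compared on the same input.
const stripForbiddenDeclarations = (style: string, pattern: RegExp = FORBID_CSS_STYLE): string =>
  style.replace(pattern, '');

// Single replace with a callback instead of an exec() loop that mutates its own subject:
// only data: and cid: url(...) tokens are kept, every other scheme is dropped whole.
const stripUnsafeUrls = (style: string): string =>
  style.replace(/url\(\s*(["']?)(.*?)\1\s*\)/gi, (fullMatch: string, _quote: string, url: string) => {
    const isSafe = /^(data:|cid:)/i.test(url);
    return isSafe ? fullMatch : '';
  });

const sanitizeStyle = (style: string): string => stripUnsafeUrls(stripForbiddenDeclarations(style));

// Constructed sample: an inline style that tries to overlay the whole rendered block.
const OVERLAY_STYLE =
  'position:absolute;z-index:999999;top:0;left:0;width:100%;height:100%;background:white';
```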
This PR improves the currently implemented css validation on rendered elements in pgp_block. Closes #6233