Merge pull request #142 from eventfuel/added_list_type_style_to_css_props

Added list-style-type as a safe CSS property to whitelist

Author: flavorjones

lib/loofah/html5/whitelist.rb

@@ -125,8 +125,8 @@ module WhiteList
       border-bottom-color border-collapse border-color border-left-color
       border-right-color border-top-color clear color cursor direction
       display elevation float font font-family font-size font-style
-      font-variant font-weight height letter-spacing line-height overflow
-      pause pause-after pause-before pitch pitch-range richness speak
+      font-variant font-weight height letter-spacing line-height list-style-type
+      overflow pause pause-after pause-before pitch pitch-range richness speak
       speak-header speak-numeral speak-punctuation speech-rate stress
       text-align text-decoration text-indent unicode-bidi vertical-align
       voice-family volume white-space width]

test/html5/test_sanitizer.rb

@@ -136,7 +136,7 @@ def test_should_allow_multi_word_data_attributes
       check_sanitization(input, output, output, output)
     end
   end
-  
+
   HTML5::WhiteList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
     define_method "test_should_allow_data_#{data_uri_type}_uris" do
       input = %(<a href="data:#{data_uri_type}">foo</a>)
@@ -291,6 +291,12 @@ def test_css_function_sanitization_leaves_whitelisted_functions_rgb
     assert_match %r/rgb\(255, 0, 0\)/, sane.inner_html
   end
 
+  def test_css_function_sanitization_leaves_whitelisted_list_style_type
+    html = "<ol style='list-style-type:lower-greek;'></ol>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/list-style-type:lower-greek/, sane.inner_html
+  end
+
   def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
     html = "<span style=\"width:attr(data-evil-attr)\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)