RFC: should Loofah sanitize <style> tag contents #248
Comments
We would love this
@John-Odom Thanks for commenting! Can you tell me a little bit about your use case?
I recently had a conversation with some folks about best practices in sanitizing CSS stylesheets, and I realized that Loofah is no help here. Currently <style> tag contents are treated as CDATA but no particular sanitization is being done like we do for style attributes.

What do y'all think about adding some Crass-based parsing for <style> tags to ensure they're well-formed and sanitized similarly to style attributes?

We obviously would want to take care that Rails apps (and any other web apps that use Loofah) wouldn't accidentally scrub any stylesheets that are inlined in html/head. But I think this should be easy?