Allow CSS properties: min-height, max-height

lazyatom · lazyatom · commit 6c70219a094b · 2024-10-24T16:48:36.000+01:00
diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
@@ -662,7 +662,9 @@ module SafeList
         "line-height",
         "list-style",
         "list-style-type",
+        "max-height",
         "max-width",
+        "min-height",
         "min-width",
         "order",
         "overflow",
diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -493,13 +493,27 @@ def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
     assert_match(%r/<span><\/span>/, sane.inner_html)
   end
 
+  def test_css_max_height
+    html = '<div style="max-height: 100%;"></div>'
+    sane = Nokogiri::HTML(Loofah.scrub_html4_fragment(html, :escape).to_xml)
+
+    assert_match(/max-height/, sane.inner_html)
+  end
+
   def test_css_max_width
     html = '<div style="max-width: 100%;"></div>'
     sane = Nokogiri::HTML(Loofah.scrub_html4_fragment(html, :escape).to_xml)
 
     assert_match(/max-width/, sane.inner_html)
   end
 
+  def test_css_min_height
+    html = '<div style="min-height: 100%;"></div>'
+    sane = Nokogiri::HTML(Loofah.scrub_html4_fragment(html, :escape).to_xml)
+
+    assert_match(/min-height/, sane.inner_html)
+  end
+
   def test_css_min_width
     html = '<div style="min-width: 100%;"></div>'
     sane = Nokogiri::HTML(Loofah.scrub_html4_fragment(html, :escape).to_xml)
