Add protocol allowlisting for -webkit-image-set CSS function

rgrove · Aug 13, 2024 · a5d93bb · a5d93bb
1 parent a98ac98
commit a5d93bb
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/lib/sanitize/css.rb b/lib/sanitize/css.rb
@@ -272,7 +272,7 @@ def property!(prop)
             return nil unless valid_url?(child)
           end
 
-          if name == 'image-set' || name == 'image'
+          if ['image-set', 'image', '-webkit-image-set'].include?(name)
             return nil unless valid_image?(child)
           end
 
@@ -353,7 +353,7 @@ def valid_url?(node)
   # using an allowlisted protocol.
   def valid_image?(node)
     return false unless node[:node] == :function
-    return false unless node.key?(:name) && ['image', 'image-set'].include?(node[:name].downcase)
+    return false unless node.key?(:name) && ['image', 'image-set', '-webkit-image-set'].include?(node[:name].downcase)
     return false unless Array === node[:value]
 
     node[:value].each do |token|

diff --git a/test/test_sanitize_css.rb b/test/test_sanitize_css.rb
@@ -32,6 +32,9 @@
           "background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
           "background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
           "background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
+          "background: -webkit-image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
+          "background: -webkit-image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
+          "background: -webkit-image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
           "background: image('relative.jpg');",
           "background: image('https://example.com/https.jpg');",
           "background: image(rtl 'https://example.com/https.jpg');"