From 3d4125f80a5fdcadbcddad9e53a88934ac12e0a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Gaya?= <sebastien.gaya@gmail.com>
Date: Mon, 13 Dec 2021 12:14:44 +0100
Subject: [PATCH] no <style> or style='' in wp sanitizer

---
 app/services/wordpress.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/services/wordpress.rb b/app/services/wordpress.rb
index c53639cd5..fbcc31da7 100644
--- a/app/services/wordpress.rb
+++ b/app/services/wordpress.rb
@@ -15,7 +15,7 @@ class Wordpress
     # iframe attributes from MDN : https://developer.mozilla.org/fr/docs/Web/HTML/Element/iframe
     fragment = Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::RELAXED,
       attributes: Sanitize::Config::RELAXED[:attributes].merge({
-        all: Sanitize::Config::RELAXED[:attributes][:all].dup.delete('class'),
+        all: Sanitize::Config::RELAXED[:attributes][:all].dup - ['class', 'style'],
         'a' => Sanitize::Config::RELAXED[:attributes]['a'].dup.delete('rel'),
         'iframe' => [
           'allow', 'allowfullscreen', 'allowpaymentrequest', 'csp', 'height', 'loading',
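Review bot: The `Array#delete` return-value bug that the new `all:` line fixes is still present on the adjacent context line `'a' => Sanitize::Config::RELAXED[:attributes]['a'].dup.delete('rel')`: `Array#delete` returns the removed element (`'rel'`) or `nil`, not the array, so the `'a'` entry is a String or nil rather than an attribute list. It should get the same treatment, `'a' => Sanitize::Config::RELAXED[:attributes]['a'].dup - ['rel'],` (on both lines the `.dup` is redundant, since `-` already returns a new array). I can't confirm from the hunk how Sanitize treats a non-Array value there, but it is unlikely to be the intended per-element allowlist for `<a>`, which matters since this config is the one thing standing between WordPress-sourced HTML and the page. The `Sanitize.fragment` call and the enclosing method begin before this hunk and continue past it.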
@@ -23,7 +23,7 @@ class Wordpress
           'frameborder', 'longdesc', 'marginheight', 'marginwidth', 'scrolling'
         ]
       }),
-      elements: Set.new(Sanitize::Config::RELAXED[:elements]).delete('div') + ['iframe'],
+      elements: Set.new(Sanitize::Config::RELAXED[:elements]) - ['div', 'style'] + ['iframe'],
       whitespace_elements: {
         'div' => { :before => "", :after => "" }
       }
-- 
GitLab