fix(parseStyleAttribute): throw error used together with allowedStyles

apostrophecms · Dec 20, 2022 · 6351caa · 6351caa
1 parent d100dcc
commit 6351caa
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 15 deletions.
diff --git a/index.js b/index.js
@@ -437,21 +437,25 @@ function sanitizeHtml(html, options, _recursing) {
                 return;
               }
             }
-            if (a === 'style' && options.parseStyleAttributes) {
-              try {
-                const abstractSyntaxTree = postcssParse(name + ' {' + value + '}');
-                const filteredAST = filterCss(abstractSyntaxTree, options.allowedStyles);
+            if (a === 'style') {
+              if (options.parseStyleAttributes) {
+                try {
+                  const abstractSyntaxTree = postcssParse(name + ' {' + value + '}');
+                  const filteredAST = filterCss(abstractSyntaxTree, options.allowedStyles);
 
-                value = stringifyStyleAttributes(filteredAST);
+                  value = stringifyStyleAttributes(filteredAST);
 
-                if (value.length === 0) {
+                  if (value.length === 0) {
+                    delete frame.attribs[a];
+                    return;
+                  }
+                } catch (e) {
+                  console.warn('Failed to parse "' + name + ' {' + value + '}' + '", If you\'re running this in a browser, we recommend to disable style parsing: options.parseStyleAttributes: false, since this only works in a node environment due to a postcss dependency, More info: https://github.com/apostrophecms/sanitize-html/issues/547');
                   delete frame.attribs[a];
                   return;
                 }
-              } catch (e) {
-                console.warn('Failed to parse "' + name + ' {' + value + '}' + '", If you\'re running this in a browser, we recommend to disable style parsing: options.parseStyleAttributes: false, since this only works in a node environment due to a postcss dependency, More info: https://github.com/apostrophecms/sanitize-html/issues/547');
-                delete frame.attribs[a];
-                return;
+              } else if (options.allowedStyles) {
+                throw new Error('allowedStyles option cannot be used together with parseStyleAttributes: false.');
               }
             }
             result += ' ' + a;

diff --git a/test/test.js b/test/test.js
@@ -963,15 +963,27 @@ describe('sanitizeHtml', function() {
         allowedAttributes: {
           span: [ 'style' ]
         },
+        parseStyleAttributes: false
+      }), '<span style="color: blue; text-align: justify"></span>'
+    );
+  });
+  it('Should throw an error if both allowedStyles is set and  && parseStyleAttributes is set to false', function() {
+    try {
+      sanitizeHtml('<span style=\'color: blue; text-align: justify\'></span>', {
+        allowedTags: false,
+        allowedAttributes: {
+          span: ['style']
+        },
         allowedStyles: {
-          span: {
-            color: [ /blue/ ],
-            'text-align': [ /left/ ]
+          p: {
+            'text-align': [/^justify$/]
           }
         },
         parseStyleAttributes: false
-      }), '<span style="color: blue; text-align: justify"></span>'
-    );
+      });
+    } catch (err) {
+      assert.equal(err.message, 'allowedStyles option cannot be used together with parseStyleAttributes: false.');
+    }
   });
   it('Should support !important styles', function() {
     assert.equal(