Disable CSS sanitization in djangocms-text-ckeditor

The library used by djangocms-text-ckeditor is html5lib. It's deprecated and outdated. This should be fine because: - We have a CSP in place - Our editors are trusted (is_staff) I know there are CSS shenanigans, but we need the flexibility of custom styles.
okfde · Oct 8, 2024 · 0e84fbe · 0e84fbe
1 parent 5462cd5
commit 0e84fbe
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/fragdenstaat_de/settings/base.py b/fragdenstaat_de/settings/base.py
@@ -302,6 +302,20 @@ def three_days_ago_but_not_sundays(date):
         "sandbox",
         "style",
     )
+
+    # WARNING: We are monkey patching to not sanitize CSS
+    # The used html5lib CSS Sanitizer is deprecated, outdated
+    def _monkey_patch_css_sanitizer():
+        # Do not sanitize CSS
+        def sanitize_css(self, style):
+            return style
+
+        from djangocms_text_ckeditor.sanitizer import TextSanitizer
+
+        TextSanitizer.sanitize_css = sanitize_css
+
+    _monkey_patch_css_sanitizer()
+
     TEXT_ADDITIONAL_PROTOCOLS = ("bank",)
 
     CKEDITOR_SETTINGS = {