From 0e84fbed906b9215ad05d869b78d675320c3d02e Mon Sep 17 00:00:00 2001
From: Stefan Wehrmeyer
Date: Tue, 8 Oct 2024 11:33:05 +0200
Subject: [PATCH] Disable CSS sanitization in djangocms-text-ckeditor

The library used by djangocms-text-ckeditor is html5lib. It's deprecated and outdated.
This should be fine because:
- We have a CSP in place
- Our editors are trusted (is_staff)
I know there are CSS shenanigans, but we need the flexibility of custom styles.
---
 fragdenstaat_de/settings/base.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fragdenstaat_de/settings/base.py b/fragdenstaat_de/settings/base.py
index 8bf1fba10..b95aebc11 100644
--- a/fragdenstaat_de/settings/base.py
+++ b/fragdenstaat_de/settings/base.py
@@ -302,6 +302,20 @@ def three_days_ago_but_not_sundays(date):
 "sandbox",
 "style",
 )
+
+ # WARNING: We are monkey patching to not sanitize CSS
+ # The used html5lib CSS Sanitizer is deprecated, outdated
+ def _monkey_patch_css_sanitizer():
+ # Do not sanitize CSS
+ def sanitize_css(self, style):
+ return style
+
+ from djangocms_text_ckeditor.sanitizer import TextSanitizer
+
+ TextSanitizer.sanitize_css = sanitize_css
+
+ _monkey_patch_css_sanitizer()
+
 TEXT_ADDITIONAL_PROTOCOLS = ("bank",)
 CKEDITOR_SETTINGS = {