Reviewers: MikeSamuel, kpreid2

Description:
The css standards are generally written to omit "inherit" from
property specifications, but the standards also have a paragraph
near the beginning that says "inherit" is valid for all properties
despite being omitted from the property specifications.

Our css whitelisting inconsistently allows "inherit" for some
properties, not all.

This change makes "inherit" always an acceptable value.

There are a few quirks:

- The client-side css sanitizer is looser than the server-side one,
  because the client-side sanitizer only checks tokens, not full
  expressions. This applies to all types of css values, but for
  "inherit" in particular, the client-side sanitizer accepts
    p { color: inherit inherit; }
  which the server-side sanitizer rejects.

- The server-side sanitizer had some tests that accepted things like
    p { font: inherit "foo"; }
  which is not actually legal; browsers reject that rule. I deleted
  the tests.

- The rule for "content" explicitly disallowed "inherit", from a
  concern that it could bring in values defined in a parent element.
  This is unlikely to be a problem, because "content" is almost
  always set on ::before and ::after pseudo-elements, which
  cannot have children.

Please review this at https://codereview.appspot.com/13146044/

Affected files:
  M     src/com/google/caja/lang/css/CssSchema.java
  M     src/com/google/caja/lang/css/css3-defs.json
  M     src/com/google/caja/plugin/CssValidator.java
  M     src/com/google/caja/plugin/sanitizecss.js
  M     tests/com/google/caja/lang/css/CssPropertyPatternsTest.java
  M     tests/com/google/caja/lang/css/CssSchemaTest.java
  M     tests/com/google/caja/plugin/CssValidatorTest.java
  M     tests/com/google/caja/plugin/sanitizecss_test.js
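
The first quirk above, as an added example that is not part of the original message or of Caja's code: a simplified model of a token-level check beside an expression-level check, showing which declarations they disagree on. The two-property `SCHEMA`, the function names and the sample declarations are assumptions made for illustration.

```javascript
// Simplified model, not Caja's implementation. SCHEMA is a hypothetical
// two-property whitelist: a per-token pattern plus how many tokens the
// property's value grammar allows.
const SCHEMA = {
  color:  { token: /^(?:red|green|blue|#[0-9a-f]{3}(?:[0-9a-f]{3})?)$/i, min: 1, max: 1 },
  margin: { token: /^(?:0|auto|\d+(?:\.\d+)?(?:px|em|%))$/i, min: 1, max: 4 },
};

function tokenize(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// Token-level check: each token is judged alone, so "inherit" is accepted
// in any position and the number of tokens is never examined.
function tokenLevelOk(prop, value) {
  const rule = SCHEMA[prop];
  if (!rule) return false;
  const tokens = tokenize(value);
  return tokens.length > 0 &&
    tokens.every(t => t.toLowerCase() === 'inherit' || rule.token.test(t));
}

// Expression-level check: "inherit" is valid only as the entire value;
// otherwise the whole token sequence must fit the property's grammar.
function expressionLevelOk(prop, value) {
  const rule = SCHEMA[prop];
  if (!rule) return false;
  const tokens = tokenize(value);
  if (tokens.length === 1 && tokens[0].toLowerCase() === 'inherit') return true;
  return tokens.length >= rule.min && tokens.length <= rule.max &&
    tokens.every(t => rule.token.test(t));
}

// Declarations on which the two checks give different answers.
function disagreements(decls) {
  return decls
    .filter(([p, v]) => tokenLevelOk(p, v) !== expressionLevelOk(p, v))
    .map(([p, v]) => `${p}: ${v}`);
}

// Constructed sample declarations.
const SAMPLE = [
  ['color', 'inherit'], ['color', 'inherit inherit'], ['color', 'red'],
  ['margin', '0 auto'], ['margin', 'inherit 4px'],
  ['margin', '1px 2px 3px 4px 5px'], ['color', 'expression(x)'],
];
console.log(disagreements(SAMPLE));
```

Every disagreement is a value the token-level check accepts and the expression-level check rejects, so a regression suite that runs the same declarations through both sanitizers makes the gap visible.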

