[Caja] [google-caja] r5598 committed - add some missing css pseudo-classes...

google-caja Wed, 18 Sep 2013 13:42:22 -0700

Revision: 5598
Author:   [email protected]
Date:     Wed Sep 18 20:40:53 2013 UTC
Log:      add some missing css pseudo-classes
https://codereview.appspot.com/13683045


css added a lot of harmless pseudo-classes that we don't currently
whitelist. This CL adds most of them.

R=kpreid2


http://code.google.com/p/google-caja/source/detail?r=5598

Modified:
 /trunk/src/com/google/caja/plugin/CssRewriter.java
 /trunk/src/com/google/caja/plugin/sanitizecss.js

=======================================

--- /trunk/src/com/google/caja/plugin/CssRewriter.java Mon Jul 15 21:11:532013 UTC+++ /trunk/src/com/google/caja/plugin/CssRewriter.java Wed Sep 18 20:40:532013 UTC

@@ -599,10 +599,65 @@
     });
   }

- private static final TypesafeSet<Name> ALLOWED_PSEUDO_CLASSES=TypesafeSet.of(

-      Name.css("active"), Name.css("after"), Name.css("before"),
-      Name.css("first-child"), Name.css("first-letter"), Name.css("focus"),
-      Name.css("link"), Name.css("hover"));
+  // Note, duplicated in sanitizecss.js
+  // This list is constructed from
+  //    https://developer.mozilla.org/en-US/docs/Web/CSS/Reference
+  //    https://developer.mozilla.org/en-US/docs/Web/CSS/Pseudo-classes
+  //    http://dev.w3.org/csswg/selectors4/
+  private static final TypesafeSet<Name> ALLOWED_PSEUDO_CLASSES =
+      TypesafeSet.of(
+        Name.css("active"),
+        Name.css("after"),
+        Name.css("before"),
+        Name.css("blank"),
+        Name.css("checked"),
+        Name.css("default"),
+        // Name.css("dir()"),   // TODO(felix8a)
+        Name.css("disabled"),
+        Name.css("drop"),
+        // Name.css("drop()"),  // TODO(felix8a)
+        Name.css("empty"),
+        Name.css("enabled"),
+        Name.css("first"),
+        Name.css("first-child"),
+        Name.css("first-letter"),
+        Name.css("first-line"),
+        Name.css("first-of-type"),
+        Name.css("fullscreen"),
+        Name.css("focus"),
+        Name.css("hover"),
+        Name.css("in-range"),
+        Name.css("indeterminate"),
+        Name.css("invalid"),
+        Name.css("last-child"),
+        Name.css("last-of-type"),
+        Name.css("left"),
+        // Name.css("lang()"),  // TODO(felix8a)
+        Name.css("link"),
+        // Name.css("nth-child()"),         // TODO(felix8a)
+        // Name.css("nth-column()"),        // TODO(felix8a)
+        // Name.css("nth-last-child()"),    // TODO(felix8a)
+        // Name.css("nth-last-column()"),   // TODO(felix8a)
+        // Name.css("nth-last-match()"),    // TODO(felix8a)
+        // Name.css("nth-last-of-type()"),  // TODO(felix8a)
+        // Name.css("nth-match()"),         // TODO(felix8a)
+        // Name.css("nth-of-type()"),       // TODO(felix8a)
+        Name.css("only-child"),
+        Name.css("only-of-type"),
+        Name.css("optional"),
+        Name.css("out-of-range"),
+        Name.css("placeholder-shown"),
+        Name.css("read-only"),
+        Name.css("read-write"),
+        Name.css("required"),
+        Name.css("right"),
+        Name.css("root"),
+        Name.css("scope"),
+        // Name.css("target"),      // disallowed
+        Name.css("user-error"),
+        Name.css("valid")
+        // Name.css("visited"),     // disallowed
+      );
   private void removeUnsafeConstructs(AncestorChain<? extends CssTree> t) {

     // 1) Check that all classes, ids, property names, etc. are valid
=======================================

--- /trunk/src/com/google/caja/plugin/sanitizecss.js Wed Aug 28 18:22:022013 UTC+++ /trunk/src/com/google/caja/plugin/sanitizecss.js Wed Sep 18 20:40:532013 UTC

@@ -363,11 +363,24 @@
     };
   })();

+  // Note, duplicated in CssRewriter.java
+  // Constructed from
+  //    https://developer.mozilla.org/en-US/docs/Web/CSS/Reference
+  //    https://developer.mozilla.org/en-US/docs/Web/CSS/Pseudo-classes
+  //    http://dev.w3.org/csswg/selectors4/
   var HISTORY_NON_SENSITIVE_PSEUDO_SELECTOR_WHITELIST =
-    /^(active|after|before|first-child|first-letter|focus|hover)$/;
+    new RegExp(
+        '^(active|after|before|blank|checked|default|disabled'
+        + '|drop|empty|enabled|first|first-child|first-letter'
+        + '|first-line|first-of-type|fullscreen|focus|hover'
+        + '|in-range|indeterminate|invalid|last-child|last-of-type'
+        + '|left|link|only-child|only-of-type|optional|out-of-range'
+        + '|placeholder-shown|read-only|read-write|required|right'
+        + '|root|scope|user-error|valid'
+        + ')$');

-  // TODO: This should be removed now as modern browsers no longer require
-  // this special handling
+  // TODO(felix8a): This might be removable since modern browsers
+  // already prevent history sniffing
   var HISTORY_SENSITIVE_PSEUDO_SELECTOR_WHITELIST = /^(link|visited)$/;

   // Set of punctuation tokens that are child/sibling selectors.

--

---You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

[Caja] [google-caja] r5598 committed - add some missing css pseudo-classes...

Reply via email to