Revision: 5639
Author:   [email protected]
Date:     Tue Nov 26 22:27:53 2013 UTC
Log:      add 'appearance' to the css whitelist
https://codereview.appspot.com/32780043

People mostly want to say
  -moz-appearance: none;
  -webkit-appearance: none;
which prevents a form element from being rendered as a native control,
letting you restyle it the way you want.

I don't see any problem with allowing that.

I don't see any benefit to allowing other values for appearance.
Supporting them would be about 1.5k of text added to the js sanitizer.

I'd like to be able to say "accept any [-\w]+" but we don't have code
to support that yet.

R=kpreid2


http://code.google.com/p/google-caja/source/detail?r=5639

Modified:
 /trunk/src/com/google/caja/lang/css/css3-defs.json
 /trunk/src/com/google/caja/lang/css/css3-whitelist.json

=======================================
--- /trunk/src/com/google/caja/lang/css/css3-defs.json Tue Sep 3 20:37:43 2013 UTC +++ /trunk/src/com/google/caja/lang/css/css3-defs.json Tue Nov 26 22:27:53 2013 UTC
@@ -88,6 +88,23 @@
       "source": 
"http://dev.w3.org/csswg/css-animations/#animation-timing-function";
     },

+    { "key": "appearance",
+      "signature": "none",
+      "initial": "none",
+      "appliesTo": "*",
+      "inherited": false,
+      "mediaGroups": ["visual"],
+      "source": 
"https://developer.mozilla.org/en-US/docs/Web/CSS/-moz-appearance";,
+      "comment": [
+        "This exists as -moz-appearance and -webkit-appearance.",
+        "It won't be standardized, and use is strongly discouraged.",
+        "There's a very large set of valid values: button, caret, etc.",
+        "But use in the wild is mostly just appearance:none.",
+        "So we're only allowing 'none' to keep the sanitizer small.",
+ "TODO(felix8a): css sanitizer needs a way to allow bare identifiers."
+      ]
+    },
+
     { "key": "azimuth",
"signature": "<angle> | [[ left-side | far-left | left | center-left | center | center-right | right | far-right | right-side ] || behind ] | leftwards | rightwards",
       "default": "center",
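
Review bot: In the new "appearance" entry, "initial": "none" looks wrong. Per the commit log, none is the value that switches native rendering off, so the property does not start out as none. Since the signature admits only none, consider dropping the field or stating in the "comment" array that the real initial value cannot be expressed here. The neighbouring azimuth entry also uses "default" where this one uses "initial"; please confirm which key the reader of this file expects.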
=======================================
--- /trunk/src/com/google/caja/lang/css/css3-whitelist.json Tue Sep 3 20:37:43 2013 UTC +++ /trunk/src/com/google/caja/lang/css/css3-whitelist.json Tue Nov 26 22:27:53 2013 UTC
@@ -15,6 +15,7 @@
     "animation-name",
     "animation-play-state",
     "animation-timing-function",
+    "appearance",
     "azimuth",
     "backface-visibility",
     "background",
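
Review bot: The whitelist gains only the bare key "appearance", while the log says authors write -moz-appearance and -webkit-appearance, and the change touches just the two JSON files. Please add a sanitizer test showing that both prefixed forms with none are accepted and that another value such as button is rejected, so the deliberately narrow signature is pinned down.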
