authorJean-Philippe Lang <jp_lang@yahoo.fr>2012-02-12 14:00:43 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2012-02-12 14:00:43 +0000
commit0ede069d2c793995dadcd432b5540c8f74599889 (patch)
tree9af671081c89719b8efb3c8d7a0d3061fe34963e /lib
parente14a9f5503a909482d07e38a27c1718aa24cf528 (diff)
Allows custom styles in textile formatting using a white list of styles (#2416).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8860 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'lib')
-rw-r--r--lib/redcloth3.rb15
-rw-r--r--lib/redmine/wiki_formatting/textile/formatter.rb2
2 files changed, 15 insertions, 2 deletions
diff --git a/lib/redcloth3.rb b/lib/redcloth3.rb
index d09804f41..e15970822 100644
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@@ -474,7 +474,10 @@ class RedCloth3 < String
style << "vertical-align:#{ v_align( $& ) };" if text =~ A_VLGN
end
- style << "#{ htmlesc $1 };" if text.sub!( /\{([^}]*)\}/, '' ) && !filter_styles
+ if text.sub!( /\{([^"}]*)\}/, '' ) && !filter_styles
+ sanitized = sanitize_styles($1)
+ style << "#{ sanitized };" unless sanitized.blank?
+ end
lang = $1 if
text.sub!( /\[([^)]+?)\]/, '' )
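Review bot: The removed line passed the captured style through `htmlesc` before appending it; the new `style << "#{ sanitized };"` inserts the allow-listed value unescaped, so attribute safety now rests entirely on the character alphabet of STYLES_RE plus the `[^"}]*` capture. Keeping the escape costs nothing and protects against a later loosening of the regex: `style << "#{ htmlesc sanitized };" unless sanitized.blank?`. A one-line comment on the `if` would also help the next reader, e.g. `# double quotes are excluded from the capture so a style can never close the attribute it is emitted into`; how the attribute is quoted is not visible in this hunk, so confirm against the emitting code. The enclosing method starts and ends outside the hunk.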
@@ -502,6 +505,16 @@ class RedCloth3 < String
atts
end
+ STYLES_RE = /^(color|width|height|border|background|padding|margin|font|text)(-[a-z]+)*:\s*((\d+%?|\d+px|\d+(\.\d+)?em|#[0-9a-f]+|[a-z]+)\s*)+$/i
+
+ def sanitize_styles(str)
+ styles = str.split(";").map(&:strip)
+ styles.reject! do |style|
+ !style.match(STYLES_RE)
+ end
+ styles.join(";")
+ end
+
TABLE_RE = /^(?:table(_?#{S}#{A}#{C})\. ?\n)?^(#{A}#{C}\.? ?\|.*?\|)(\n\n|\Z)/m
# Parses a Textile table block, building HTML from the result.
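Review bot: STYLES_RE anchors with `^` and `$`, which in Ruby match at line boundaries rather than string boundaries, so a single declaration containing a newline passes `style.match(STYLES_RE)` as long as any one of its lines matches, and the unmatched remainder is still emitted. The capture in the first hunk (`[^"}]*`) does not exclude newlines, so such input can reach sanitize_styles. Anchor the whole string instead: replace the leading `^` with `\A` and the trailing `$` with `\z` in STYLES_RE. A YARD line on the method would make the contract explicit, e.g. `# Keeps only the ";"-separated declarations that match STYLES_RE; returns the survivors re-joined with ";"`.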
diff --git a/lib/redmine/wiki_formatting/textile/formatter.rb b/lib/redmine/wiki_formatting/textile/formatter.rb
index 22cd5cbf9..bbe47a15c 100644
--- a/lib/redmine/wiki_formatting/textile/formatter.rb
+++ b/lib/redmine/wiki_formatting/textile/formatter.rb
@@ -31,7 +31,7 @@ module Redmine
super
self.hard_breaks=true
self.no_span_caps=true
- self.filter_styles=true
+ self.filter_styles=false
end
def to_html(*rules)
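Review bot: Flipping `self.filter_styles=false` is only safe because RedCloth3#sanitize_styles (added in lib/redcloth3.rb in this commit) now allow-lists the style declarations, and nothing here records that dependency. A short comment above the assignment would prevent a future reader from treating it as a stray relaxation, e.g. `# styles are no longer dropped: RedCloth3#sanitize_styles keeps only allow-listed declarations`. The enclosing initializer starts outside the hunk.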