From 0ede069d2c793995dadcd432b5540c8f74599889 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 12 Feb 2012 14:00:43 +0000
Subject: Allows custom styles in textile formatting using a white list of styles (#2416).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8860 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 lib/redcloth3.rb | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
(limited to 'lib/redcloth3.rb')
diff --git a/lib/redcloth3.rb b/lib/redcloth3.rb
index d09804f41..e15970822 100644
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@@ -474,7 +474,10 @@ class RedCloth3 < String
 style << "vertical-align:#{ v_align( $& ) };" if text =~ A_VLGN
 end
- style << "#{ htmlesc $1 };" if text.sub!( /\{([^}]*)\}/, '' ) && !filter_styles
+ if text.sub!( /\{([^"}]*)\}/, '' ) && !filter_styles
+ sanitized = sanitize_styles($1)
+ style << "#{ sanitized };" unless sanitized.blank?
+ end
 lang = $1 if text.sub!( /\[([^)]+?)\]/, '' )
@@ -502,6 +505,16 @@ class RedCloth3 < String
 atts
 end
+ STYLES_RE = /^(color|width|height|border|background|padding|margin|font|text)(-[a-z]+)*:\s*((\d+%?|\d+px|\d+(\.\d+)?em|#[0-9a-f]+|[a-z]+)\s*)+$/i
+
+ def sanitize_styles(str)
+ styles = str.split(";").map(&:strip)
+ styles.reject! do |style|
+ !style.match(STYLES_RE)
+ end
+ styles.join(";")
+ end
+
 TABLE_RE = /^(?:table(_?#{S}#{A}#{C})\. ?\n)?^(#{A}#{C}\.? ?\|.*?\|)(\n\n|\Z)/m
 # Parses a Textile table block, building HTML from the result.
--
cgit v1.2.3
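Review bot: The rewritten style branch no longer passes the captured text through `htmlesc`, so what reaches the `style` attribute is protected only by `sanitize_styles` and by the `"` that the capture pattern now excludes. Every character the whitelist accepts is left untouched by HTML escaping, so keeping the call changes nothing for valid input and keeps the output safe if the whitelist is ever loosened: `style << "#{ htmlesc sanitized };" unless sanitized.blank?`. A short comment above the `if` noting that the braces are always stripped from `text` but the style is emitted only when `filter_styles` is off would also help the next reader. The enclosing method starts and ends outside this hunk.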
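Review bot: `STYLES_RE` is anchored with `^` and `$`, which in Ruby match at every line boundary rather than at the ends of the string, so a declaration containing a line break is accepted as soon as one of its lines matches, and `sanitize_styles` then returns the whole declaration. Because `match` is used here as an all-or-nothing check, the pattern should begin with `\A` and end with `\z` in place of `^` and `$`. Whether a line break can actually reach this method depends on the callers, which are outside the hunk. A one-line comment above `sanitize_styles` stating that it returns the `;`-joined subset of declarations that match the whitelist would document the contract.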