taketin · October 26, 2012 16:47
diff --git a/css_transformer.rb b/css_transformer.rb
 check_css = lambda { |env|
      node      = env[:node]
      node_name = env[:node_name]
      # Don't continue if this node is already whitelisted or is not an element.
      return if env[:is_whitelisted] || !node.element?
      parent = node.parent
      return unless node_name == 'style' || node['style']      
      if node_name == 'style'
        unless good_css? node.content
          node.unlink 
          return
        end
      else
        unless good_css? node['style']
          node.unlink
          return
        end  
      end
      {:whitelist_node => [node]}  
    }


 def good_css? text
    return false if text =~ /(\w\/\/)/    # a// comment immediately following a letter
    return false if text =~ /(\w\/\/*\*)/ # a/* comment immediately following a letter
    return false if text =~ /(\/\*\/)/            # /*/ --> hack attempt, IMO

    # Now, strip out any comments, and do some parsing.
    no_comments = text.gsub(/(\/\*.*?\*\/)/, "") # filter out any /* ... */
    no_comments.gsub!("\n", "")
    # No backslashes allowed
    evil = [
      /(\bdata:\b|eval|cookie|\bwindow\b|\bparent\b|\bthis\b)/i, # suspicious javascript-type words
      /behaviou?r|expression|moz-binding|@import|@charset|(java|vb)?script|[\<]|\\\w/i,
      /[\<>]/, # back slash, html tags,
      /[\x7f-\xff]/, # high bytes -- suspect
      /[\x00-\x08\x0B\x0C\x0E-\x1F]/, #low bytes -- suspect
      /&\#/, # bad charset
    ]

    # incompatible encoding regexp match (ASCII-8BIT regexp with UTF-8 string) Error Support.
    begin
      evil.each { |regex| return false if no_comments =~ regex }
    rescue
      return false
    end
    true
  end
	check_css = lambda { \|env\|
	node = env[:node]
	node_name = env[:node_name]
	# Don't continue if this node is already whitelisted or is not an element.
	return if env[:is_whitelisted] \|\| !node.element?
	parent = node.parent
	return unless node_name == 'style' \|\| node['style']
	if node_name == 'style'
	unless good_css? node.content
	node.unlink
	return
	end
	else
	unless good_css? node['style']
	node.unlink
	return
	end
	end
	{:whitelist_node => [node]}
	}


	def good_css? text
	return false if text =~ /(\w\/\/)/ # a// comment immediately following a letter
	return false if text =~ /(\w\/\/\)/ # a/* comment immediately following a letter
	return false if text =~ /(\/\\/)/ # // --> hack attempt, IMO

	# Now, strip out any comments, and do some parsing.
	no_comments = text.gsub(/(\/\.?\\/)/, "") # filter out any / ... */
	no_comments.gsub!("\n", "")
	# No backslashes allowed
	evil = [
	/(\bdata:\b\|eval\|cookie\|\bwindow\b\|\bparent\b\|\bthis\b)/i, # suspicious javascript-type words
	/behaviou?r\|expression\|moz-binding\|@import\|@charset\|(java\|vb)?script\|[\<]\|\\\w/i,
	/[\<>]/, # back slash, html tags,
	/[\x7f-\xff]/, # high bytes -- suspect
	/[\x00-\x08\x0B\x0C\x0E-\x1F]/, #low bytes -- suspect
	/&\#/, # bad charset
	]

	# incompatible encoding regexp match (ASCII-8BIT regexp with UTF-8 string) Error Support.
	begin
	evil.each { \|regex\| return false if no_comments =~ regex }
	rescue
	return false
	end
	true
	end