Properly restrict style-attribute usage
authorAlexander Ebert <ebert@woltlab.com>
Mon, 25 Sep 2017 11:10:56 +0000 (13:10 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Mon, 25 Sep 2017 11:10:56 +0000 (13:10 +0200)
wcfsetup/install/files/lib/system/html/input/node/HtmlInputNodeProcessor.class.php

index f0c891eb9b03c8b79f1bdbc0eb8de728c6cf9021..e36ddfb51b6196c59318385f4fc8398cde13e8b0 100644 (file)
@@ -37,6 +37,19 @@ class HtmlInputNodeProcessor extends AbstractHtmlNodeProcessor {
                'td' => ['text-center', 'text-justify', 'text-right']
        ];
        
+       /**
+        * List of HTML elements that should allow for custom CSS using
+        * the `style`-attribute.
+        * 
+        * Unfortunately, HTMLPurifier offers no *sane* way to limit this
+        * attribute to some elements only.
+        * 
+        * @var string[]
+        */
+       public static $allowedStyleElements = [
+               'span'
+       ];
+       
        /**
         * list of HTML elements that are treated as empty, that means
         * they don't generate any (indirect) output at all
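Review bot: `$allowedStyleElements` is declared `public static` and mutable, so any code that can reach the class can widen the whitelist at runtime and the restriction this commit introduces is only as strong as the rest of the codebase honours it. If that is intended (the sibling class-name whitelist above appears to follow the same shape, which suggests plugins are meant to extend it), the docblock should say so explicitly, e.g. `* Third-party code may extend this list; every element added here accepts the full CSS that HTMLPurifier lets through.`; otherwise a `protected` property or a class constant would keep the decision inside the class. The `@var string[]` is accurate for the current content, but the loop that consumes it compares against `nodeName`, so it would help to note that entries are expected in lower case.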
@@ -221,6 +234,15 @@ class HtmlInputNodeProcessor extends AbstractHtmlNodeProcessor {
                        
                        $node = $node->nextSibling;
                }
+               
+               // remove style attributes from non-whitelisted elements
+               $elements = $this->getDocument()->getElementsByTagName('*');
+               for ($i = 0, $length = $elements->length; $i < $length; $i++) {
+                       $element = $elements->item($i);
+                       if ($element->hasAttribute('style') && !in_array($element->nodeName, self::$allowedStyleElements)) {
+                               $element->removeAttribute('style');
+                       }
+               }
        }
        
        /**
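Review bot: The whitelist test on the `if` line uses `in_array()` without the strict flag; both operands are strings today so the loose comparison is harmless, but `in_array($element->nodeName, self::$allowedStyleElements, true)` states the intent and stays correct if a non-string entry ever lands in the public static array. Caching `$length` from the live `DOMNodeList` returned by `getElementsByTagName('*')` is correct here because `removeAttribute()` never changes the element count, which is worth a short comment such as `// $length may be cached: removing attributes does not alter the element set`. The match also relies on `nodeName` being lower-case, which holds for libxml's HTML parser but not for a document assembled another way — presumably every document reaching this processor is HTML-parsed, but that assumption should be recorded. The enclosing method starts before the hunk, so its docblock is not visible; it should mention that style attributes on non-whitelisted elements are stripped as a final pass.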