From 790b48a4ef1fb9fb3cdf60a130675d9346310bcd Mon Sep 17 00:00:00 2001
From: Alexander Ebert <ebert@woltlab.com>
Date: Mon, 25 Sep 2017 13:10:56 +0200
Subject: [PATCH] Properly restrict style-attribute usage

---
 .../node/HtmlInputNodeProcessor.class.php     | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/wcfsetup/install/files/lib/system/html/input/node/HtmlInputNodeProcessor.class.php b/wcfsetup/install/files/lib/system/html/input/node/HtmlInputNodeProcessor.class.php
index f0c891eb9b..e36ddfb51b 100644
--- a/wcfsetup/install/files/lib/system/html/input/node/HtmlInputNodeProcessor.class.php
+++ b/wcfsetup/install/files/lib/system/html/input/node/HtmlInputNodeProcessor.class.php
@@ -37,6 +37,19 @@ class HtmlInputNodeProcessor extends AbstractHtmlNodeProcessor {
 		'td' => ['text-center', 'text-justify', 'text-right']
 	];
 	
+	/**
+	 * List of HTML elements that should allow for custom CSS using
+	 * the `style`-attribute.
+	 * 
+	 * Unfortunately, HTMLPurifier offers no *sane* way to limit this
+	 * attribute to some elements only.
+	 * 
+	 * @var string[]
+	 */
+	public static $allowedStyleElements = [
+		'span'
+	];
+	
 	/**
 	 * list of HTML elements that are treated as empty, that means
 	 * they don't generate any (indirect) output at all
@@ -221,6 +234,15 @@ class HtmlInputNodeProcessor extends AbstractHtmlNodeProcessor {
 			
 			$node = $node->nextSibling;
 		}
+		
+		// remove style attributes from non-whitelisted elements
+		$elements = $this->getDocument()->getElementsByTagName('*');
+		for ($i = 0, $length = $elements->length; $i < $length; $i++) {
+			$element = $elements->item($i);
+			if ($element->hasAttribute('style') && !in_array($element->nodeName, self::$allowedStyleElements)) {
+				$element->removeAttribute('style');
+			}
+		}
 	}
 	
 	/**
-- 
2.20.1