Convert <style> blocks to inline before scrubbing the HTML

Scrubber drops <style> blocks by default, and it's risky to keep them considering they may affect other parts of RT pages. By converting them to inline styles in advance, they can apply to related HTML only, no more, no less.
bestpractical · Dec 24, 2024 · fdff41f · fdff41f
1 parent d18adc5
commit fdff41f
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/etc/cpanfile b/etc/cpanfile
@@ -13,6 +13,7 @@ requires 'Convert::Color';
 requires 'Crypt::Eksblowfish';
 requires 'CSS::Minifier::XS';
 requires 'CSS::Squish', '>= 0.06';
+requires 'CSS::Inliner', '>= 4018';
 requires 'Data::GUID';
 requires 'Data::ICal';
 requires 'Data::Page';

diff --git a/lib/RT/Interface/Web/Scrubber.pm b/lib/RT/Interface/Web/Scrubber.pm
@@ -247,6 +247,13 @@ sub scrub {
         warn "HTML::Gumbo pre-parse failed: $@" if $@;
     }
 
+    if ( $Content =~ /<style.*>/ ) {
+        require CSS::Inliner;
+        my $css_inliner = CSS::Inliner->new;
+        $css_inliner->read( { html => $Content } );
+        $Content = $css_inliner->inlinify();
+    }
+
     return $self->SUPER::scrub($Content);
 }
 

diff --git a/lib/RT/Transaction.pm b/lib/RT/Transaction.pm
@@ -379,6 +379,13 @@ sub Content {
             if ($args{Type} ne 'text/html') {
                 $content = RT::Interface::Email::ConvertHTMLToText($content);
             } else {
+                if ( $content =~ /<style.*>/ ) {
+                    require CSS::Inliner;
+                    my $css_inliner = CSS::Inliner->new;
+                    $css_inliner->read( { html => $content } );
+                    $content = $css_inliner->inlinify();
+                }
+
                 # Scrub out <html>, <head>, <meta>, and <body>, and
                 # leave all else untouched.
                 my $scrubber = HTML::Scrubber->new();