diff --git a/compose/service/values/sanitizer.go b/compose/service/values/sanitizer.go
index e46496461d..495ebff317 100644
--- a/compose/service/values/sanitizer.go
+++ b/compose/service/values/sanitizer.go
@@ -2,6 +2,7 @@ package values
import (
"fmt"
+ "html"
"regexp"
"strconv"
"strings"
@@ -293,8 +294,14 @@ func sString(str string) string {
// match only colors for html editor elements on style attr
p.AllowAttrs("style").OnElements("span", "p")
p.AllowStyles("color").Matching(regexp.MustCompile("(?i)^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$")).Globally()
+ p.AllowStyles("background-color").Matching(regexp.MustCompile("(?i)^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$")).Globally()
- return p.Sanitize(str)
+ sanitized := p.Sanitize(str)
+
+ // handle escaped strings and unescape them
+ // all the dangerous chars should have been stripped
+ // by now
+ return html.UnescapeString(sanitized)
}
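Review bot: The added `html.UnescapeString(sanitized)` at the end of `sString` reverses the entity encoding the policy applies to text content, so the returned value is no longer HTML-safe: the new test expectation `a < b ; "'"` shows raw `<` and quotes coming back, and as far as I can tell an input that is already entity-encoded, such as `&lt;script&gt;`, is decoded by the tokenizer, re-escaped by the sanitizer, and then unescaped here into a literal `<script>` text run. The comment `all the dangerous chars should have been stripped by now` is therefore misleading — the policy removes disallowed elements and attributes but escapes, rather than strips, these characters in text. If the intent is to store plain text that the rendering layer re-escapes, make that contract explicit at the return, e.g. `// NOTE: result is NOT HTML-safe; callers must escape before rendering as HTML`; otherwise the unescape should be dropped or limited to the specific entities the tests need. Separately, the `background-color` pattern on the new line duplicates the `color` one and both are compiled on every call; a package-level `var hexColorRe = regexp.MustCompile("(?i)^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$")` shared by both `AllowStyles` calls would be cheaper and keep them in sync. The construction of `p` begins before this hunk.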
// sanitize casts value to field kind format
diff --git a/compose/service/values/sanitizer_test.go b/compose/service/values/sanitizer_test.go
index 036e6a8bc6..c447b65874 100644
--- a/compose/service/values/sanitizer_test.go
+++ b/compose/service/values/sanitizer_test.go
@@ -187,7 +187,14 @@ func Test_sanitizer_Run(t *testing.T) {
kind: "String",
options: map[string]interface{}{},
input: `pt src="https://cortezaproject.org/script.js">`,
- output: "pt src="https://cortezaproject.org/script.js">",
+ output: `pt src="https://cortezaproject.org/script.js">`,
+ },
+ {
+ name: "string escaping; inline styles unchanged",
+ kind: "String",
+ options: map[string]interface{}{},
+ input: `nasty looking content`,
+ output: `nasty looking content`,
},
{
name: "string escaping; script with a",
@@ -299,7 +306,7 @@ func Test_sanitizer_Run(t *testing.T) {
kind: "String",
options: map[string]interface{}{},
input: `'';!--"=&{()}`,
- output: "'';!--"=&{()}",
+ output: `'';!--"=&{()}`,
},
{
name: "string escaping; xss element",
@@ -315,6 +322,13 @@ func Test_sanitizer_Run(t *testing.T) {
input: `cortezaserver123`,
output: "cortezaserver123",
},
+ {
+ name: "string escaping; preserve necessary chars",
+ kind: "String",
+ options: map[string]interface{}{},
+ input: `a < b ; "'"`,
+ output: `a < b ; "'"`,
+ },
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
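Review bot: The new "preserve necessary chars" case pins that `<`, `"` and `'` now come back raw, but nothing pins what happens to input that arrives already entity-encoded, which is the input the new unescape step affects most; a case with input `&lt;script&gt;alert(1)&lt;/script&gt;` and whichever output the team considers acceptable would make that decision explicit and catch regressions. The same applies to the "inline styles unchanged" case in the earlier hunk, whose input and output read identically here and so do not show what markup is being preserved. Test_sanitizer_Run continues outside the hunk.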