From 71406da83405910a0b00ebea85cacdc3acfb2dc7 Mon Sep 17 00:00:00 2001
From: justcool393 <justcool393@gmail.com>
Date: Sat, 25 Feb 2023 15:21:49 -0600
Subject: [PATCH] security: disallow import statements in CSS

---
 files/helpers/sanitize.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 8b6035a9f..5e665726c 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -377,4 +377,5 @@ def validate_css(css:str) -> tuple[bool, str]:
 	practical concern) or causing styling issues with the rest of the page.
 	'''
 	if '</style' in css.lower(): return False, "Invalid CSS"
+	if '@import' in css.lower(): return False, "@import statements are not allowed"
 	return True, ""