security: disallow import statements in CSS

2023-02-25 15:21:49 -06:00 · 2023-02-25 15:21:49 -06:00 · 71406da834
commit 71406da834
parent 92bd7d50fa
1 changed files with 1 additions and 0 deletions
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@ -377,4 +377,5 @@ def validate_css(css:str) -> tuple[bool, str]:
 	practical concern) or causing styling issues with the rest of the page.
 	'''
 	if '</style' in css.lower(): return False, "Invalid CSS"
+	if '@import' in css.lower(): return False, "@import statements are not allowed"
 	return True, ""