[FIX] sap/base/security/sanitizeHTML: Add support for modern CSS display values

d3xter666 · d3xter666 · commit bf24ca2fd9aa · 2025-12-01T08:42:48.000Z
Extended CSS display property allowlist to include modern layout values
(flex, inline-flex, grid, inline-grid, flow-root, contents) and global
CSS keywords (initial, revert, revert-layer, unset).

SNOW: DINC0606162
Change-Id: I749683913dae11fb0b68ae67a81d48c64572763f
CR-Id: 002075125800003918632025
diff --git a/src/sap.ui.core/src/sap/ui/core/.library b/src/sap.ui.core/src/sap/ui/core/.library
@@ -266,7 +266,7 @@
             <copyright>2009-2014 Stuart Knightley, David Duponchel, Franz Buchinger, António Afonso</copyright>
             <pattern>sap/ui/thirdparty/jszip.js</pattern>
         </lib>
-        <lib name="caja" displayName="Google-Caja JS HTML Sanitizer" npmName="n/a" version="Build 4884" hash="334c6e85c052f2d23405fb7ecec5de67" homepage="http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer" id="73554900106100001928">
+        <lib name="caja" displayName="Google-Caja JS HTML Sanitizer" npmName="n/a" version="Build 4884" hash="098bd372b10fd5938a88bdccd8dfbeab" homepage="http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer" id="73554900106100001928">
             <license url="http://www.apache.org/licenses/LICENSE-2.0" type="Apache-2.0" />
             <copyright>Google Inc.</copyright>
             <pattern>sap/ui/thirdparty/caja-html-sanitizer.js</pattern>
diff --git a/src/sap.ui.core/src/sap/ui/thirdparty/caja-html-sanitizer.js b/src/sap.ui.core/src/sap/ui/thirdparty/caja-html-sanitizer.js
@@ -118,7 +118,11 @@ var cssSchema = (function () {
         'inset' ], [ 'invert' ], [ 'justify' ], [ 'local' ], [ 'medium' ], [
         'mix' ], [ 'none' ], [ 'normal' ], [ 'once' ], [ 'repeat' ], [ 'scroll'
       ], [ 'separate' ], [ 'small-caps' ], [ 'spell-out' ], [ 'transparent' ],
-      [ 'visible' ] ];
+      [ 'visible' ],
+      // ##### BEGIN: MODIFIED BY SAP
+      [ 'flex', 'inline-flex', 'grid', 'inline-grid', 'flow-root', 'contents' ], [ 'initial', 'revert', 'revert-layer', 'unset' ]
+      // ##### END: MODIFIED BY SAP
+    ];
     return {
       '-moz-border-radius': {
         'cssExtra': c[ 0 ],
@@ -440,7 +444,9 @@ var cssSchema = (function () {
       },
       'display': {
         'cssPropBits': 32,
-        'cssLitGroup': [ L[ 2 ], L[ 47 ], L[ 54 ] ]
+        // ##### BEGIN: MODIFIED BY SAP
+        'cssLitGroup': [ L[ 2 ], L[ 47 ], L[ 54 ], L[ 64 ], L[ 65 ] ]
+        // ##### END: MODIFIED BY SAP
       },
       'elevation': {
         'cssPropBits': 5,
diff --git a/src/sap.ui.core/test/sap/ui/core/qunit/base/security/sanitizeHTML.qunit.js b/src/sap.ui.core/test/sap/ui/core/qunit/base/security/sanitizeHTML.qunit.js
@@ -104,6 +104,17 @@ sap.ui.define([
 			"a CSS Font Level 4 value (451) is not accepted");
 	});
 
+	QUnit.test("Validate CSS display value", function(assert) {
+		var input1 = '<div style="display: flex ; width: 100px ; background-color: aqua">HELLO</div>';
+		assert.equal(sanitizeHTML(input1), input1, "display:flex is preserved");
+
+		var input2 = '<div style="display: inline-flex ; width: 100px ; background-color: aqua">HELLO</div>';
+		assert.equal(sanitizeHTML(input2), input2, "display:inline-flex is preserved");
+
+		var input3 = '<div style="display: inline flow-root ; width: 100px ; background-color: aqua">HELLO</div>';
+		assert.equal(sanitizeHTML(input3), input3, "display:inline flow-root is preserved");
+	});
+
 	QUnit.module("Sanitizer Performance", {
 		before: function(assert) {
 			// add a custom assertion "lower than"
@@ -175,4 +186,4 @@ sap.ui.define([
 		});
 	});
 
-});
+});
