Added option to allow custom CSS properties (variables). #556

Merged
merged 2 commits into from
Jul 26, 2024

Conversation

leniency
Contributor

I added an option to allow custom CSS properties (variables) without specifying all the potential options (i.e., allow all --* CSS properties).

I ran into an issue where I wanted to accept CSS variables, but based on the execution order, it would leave the value part unsanitized. The SanitizeStyleDeclaration would reject the name immediately, and while it can be cancelled in the OnRemovingStyle event, that leaves the value part unevaluated.

With this update, evaluation of the property name can be customized by overriding the IsAllowedCssProperty method. The default handling checks the AllowedCssProperties, same as before. Then if the AllowCssCustomProperties flag is true, it will allow any property beginning with --. This method can be overridden if developers want to refine the prefix.

It allows CSS variables both in <style> tags (if allowed) as well as tag style attributes (<div style="--my-var:1px"></div>).

The flag can be set like this:

var sanitizer = new HtmlSanitizer { AllowCssCustomProperties = true };

…th '--' characters. Defaults to 'false' so custom properties will be removed. Added protected function to allow for custom evaluation of the custom property name prior to marking it for removal.
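The following is an added example, not code from this pull request or the project: it compares the default sanitizer, the new flag, and a subclass that narrows accepted custom properties to one prefix, logging each dropped declaration. The class name `PrefixedVarSanitizer`, the `--app-` prefix and the sample HTML are constructed for illustration, and the single-string signature of `IsAllowedCssProperty` is an assumption, since the description names the method but not its parameters.

```csharp
using System;
using Ganss.Xss;

// Hypothetical subclass: custom properties are accepted only under an app-owned prefix.
public class PrefixedVarSanitizer : HtmlSanitizer
{
    public string CustomPropertyPrefix { get; set; } = "--app-"; // assumed prefix

    // Assumed signature: the PR description names the method, not its parameters.
    protected override bool IsAllowedCssProperty(string propertyName)
    {
        // Default rule first: AllowedCssProperties, then "--" names if the flag is set.
        if (!base.IsAllowedCssProperty(propertyName)) return false;
        // Explicitly allow-listed names pass; any other accepted name is a custom
        // property and must carry the prefix.
        return AllowedCssProperties.Contains(propertyName)
            || propertyName.StartsWith(CustomPropertyPrefix, StringComparison.Ordinal);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input.
        const string html = "<div style=\"--app-gap:1px; --other:2px; color:red\">x</div>";

        var cases = new (string Label, HtmlSanitizer Sanitizer)[]
        {
            ("default", new HtmlSanitizer()),
            ("flag on", new HtmlSanitizer { AllowCssCustomProperties = true }),
            ("prefix only", new PrefixedVarSanitizer { AllowCssCustomProperties = true }),
        };

        foreach (var (label, sanitizer) in cases)
        {
            // Log each declaration the sanitizer drops and why.
            sanitizer.RemovingStyle += (_, e) =>
                Console.WriteLine($"  [{label}] removed {e.Style.Name}: {e.Reason}");
            Console.WriteLine($"{label}: {sanitizer.Sanitize(html)}");
        }
    }
}
```

Because the name check returns true instead of the removal being cancelled in the event handler, accepted custom properties still go through the sanitizer's value checks.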

codecov bot commented Jul 25, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.69%. Comparing base (f71dbb5) to head (28c725c).

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #556      +/-   ##
==========================================
+ Coverage   94.63%   94.69%   +0.05%     
==========================================
  Files           6        6              
  Lines         839      848       +9     
  Branches       91       92       +1     
==========================================
+ Hits          794      803       +9     
  Misses         34       34              
  Partials       11       11              


@mganss
Owner

mganss commented Jul 26, 2024

Thanks. Could you add this to HtmlSanitizerOptions, too?

@leniency
Contributor Author

Done - added AllowDataAttributes as well.

@mganss mganss merged commit 27e4297 into mganss:master Jul 26, 2024
5 checks passed