lib/sanitize/css.rb in sanitize-4.0.1 vs lib/sanitize/css.rb in sanitize-4.1.0
- old
+ new
@@ -78,10 +78,11 @@
@config = Config.merge(Config::DEFAULT[:css], config[:css] || config)
@at_rules = Set.new(@config[:at_rules])
@at_rules_with_properties = Set.new(@config[:at_rules_with_properties])
@at_rules_with_styles = Set.new(@config[:at_rules_with_styles])
+ @import_url_validator = @config[:import_url_validator]
end
# Sanitizes inline CSS style properties.
#
# This is most useful for sanitizing non-stylesheet fragments of CSS like you
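Review bot: `@import_url_validator = @config[:import_url_validator]` accepts any value and only fails later, at sanitization time, when `call` is invoked on it, so a misconfigured validator (a string, a symbol, a typo'd key leaving it nil) is not caught where the config is built. A fail-fast check in the constructor would make the contract explicit: `validator = @config[:import_url_validator]` / `raise ArgumentError, ':import_url_validator must respond to #call' if validator && !validator.respond_to?(:call)` / `@import_url_validator = validator`. The assignment also deserves a comment, since the ivar's meaning is only visible in the later hunk: `# Optional callable given each @import URL; a falsy return drops the rule. When nil, @import rules permitted by :at_rules pass through unchecked.` The enclosing `initialize` starts before this hunk.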
@@ -217,15 +218,29 @@
:preserve_hacks => @config[:allow_hacks])
rule[:block] = tree!(props)
elsif @at_rules.include?(name)
+ return nil if name == "import" && !import_url_allowed?(rule)
return nil if rule.has_key?(:block)
else
return nil
end
rule
+ end
+
+ # Passes the URL value of an @import rule to a block to ensure
+ # it's an allowed URL
+ def import_url_allowed?(rule)
+ return true unless @import_url_validator
+
+ url_token = rule[:tokens].detect { |t| t[:node] == :url || t[:node] == :string }
+
+ # don't allow @imports with no URL value
+ return false unless url_token && (import_url = url_token[:value])
+
+ @import_url_validator.call(import_url)
end
# Sanitizes a CSS property node. Returns the sanitized node, or `nil` if the
# current config doesn't allow this property.
def property!(prop)
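Review bot: The guard `return false unless url_token && (import_url = url_token[:value])` does not do what its comment says, because an empty string is truthy in Ruby: `@import ""` or `@import url()` produce a `:string`/`:url` token whose value is `""`, so the rule is not rejected as having "no URL value" and the validator is instead invoked with an empty string. If the intent is to drop such rules before consulting the validator, the check should be `return false unless url_token && (import_url = url_token[:value]) && !import_url.empty?`. It is also worth documenting on `import_url_allowed?` that the validator's return value is used only for truthiness (the caller negates it at the `name == "import"` check) and that only the first `:url` or `:string` token of the rule is examined, as a reader cannot tell either from the method's one-line comment. The branch at the top of this hunk belongs to an `at_rule!` method whose start lies outside the hunk, so whether `name` has already been downcased (affecting `@IMPORT` spellings) cannot be confirmed here.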