lib/sanitize/css.rb in sanitize-6.1.2 vs lib/sanitize/css.rb in sanitize-6.1.3
@@ -227,10 +227,16 @@
end
rule
end
+ # Returns `true` if the given CSS function name is an image-related function
+ # that may contain image URLs that need to be validated.
+ def image_function?(name)
+ ['image', 'image-set', '-webkit-image-set'].include?(name)
+ end
+
# Passes the URL value of an @import rule to a block to ensure
# it's an allowed URL
def import_url_allowed?(rule)
return true unless @import_url_validator
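Review bot: `image_function?` builds a fresh three-element array literal on every call and compares case-sensitively, which puts the burden of lowercasing on each caller; `valid_image?` in the later hunk does downcase before calling it, but the other call site passes `name` as-is. A frozen constant makes the allowlist a single, non-allocating source of truth: `IMAGE_FUNCTIONS = %w[image image-set -webkit-image-set].freeze` and `def image_function?(name); IMAGE_FUNCTIONS.include?(name); end`, with the doc comment noting that `name` is expected to be lowercase. Worth a comment as well that the allowlist is deliberately exhaustive — any other function that takes bare string arguments as URLs (presumably other vendor-prefixed variants, if any, or newer functions such as `src()`) is passed through with its strings unvalidated, so additions must come here rather than at the call sites. `import_url_allowed?` begins in this hunk and continues past it.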
@@ -270,11 +276,11 @@
if name == 'url'
return nil unless valid_url?(child)
end
- if name == 'image-set' || name == 'image'
+ if image_function?(name)
return nil unless valid_image?(child)
end
combined_value << name
return nil if name == 'expression' || combined_value == 'expression'
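Review bot: The new `image_function?(name)` check is case-sensitive, so it depends on `name` already having been lowercased earlier in this method; if it has not, `IMAGE-SET(...)` or `-WEBKIT-IMAGE-SET(...)` would skip `valid_image?` and still be appended to `combined_value` with its string arguments unvalidated. If `name` is derived from `node[:name].downcase` above the hunk this is fine and a one-line comment saying so would help the next reader (`# name is already lowercased above`); otherwise change the line to `if image_function?(name.downcase)`. The enclosing method starts and ends outside this hunk, so I cannot confirm which case applies.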
@@ -347,14 +353,14 @@
end
false
end
- # Returns `true` if the given node (which is an `image` or `image-set` function) contains only strings
- # using an allowlisted protocol.
+ # Returns `true` if the given node is an image-related function and contains
+ # only strings that use an allowlisted protocol.
def valid_image?(node)
return false unless node[:node] == :function
- return false unless node.key?(:name) && ['image', 'image-set'].include?(node[:name].downcase)
+ return false unless node.key?(:name) && image_function?(node[:name].downcase)
return false unless Array === node[:value]
node[:value].each do |token|
return false unless Hash === token
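Review bot: The rewritten comment on `valid_image?` is now less specific than the one it replaces — it no longer names the accepted functions, and a reader cannot tell from it that `image_function?` is the allowlist being enforced on the lowercased `node[:name]`. Suggested wording: `# Returns true if the given node is a function accepted by image_function?` / `# (image, image-set, -webkit-image-set; matched case-insensitively) whose` / `# value is an array of tokens that are all strings using an allowlisted protocol.` The body of `valid_image?` continues past the end of this hunk, so the string-token validation it refers to is not visible here.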