From bb2afc3e8b4e4a7faeb44344ebaead2617b727f1 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 24 Mar 2021 20:55:30 +0000
Subject: [PATCH] Prevent addition of style attributes to all elements
---
 config/initializers/sanitize.rb | 1 +
 test/lib/rich_text_test.rb | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/config/initializers/sanitize.rb b/config/initializers/sanitize.rb
index b98523805..d6bd6c3ee 100644
--- a/config/initializers/sanitize.rb
+++ b/config/initializers/sanitize.rb
@@ -5,6 +5,7 @@ Sanitize::Config::OSM = Sanitize::Config.merge(
 :remove_contents => %w[script style],
 :transformers => lambda do |env|
 env[:node].remove_class
+ env[:node].kwattr_remove("style", nil)
 env[:node].add_class("table table-sm w-auto") if env[:node_name] == "table"
 end
 )
diff --git a/test/lib/rich_text_test.rb b/test/lib/rich_text_test.rb
index 5b590bc3e..fc9355717 100644
--- a/test/lib/rich_text_test.rb
+++ b/test/lib/rich_text_test.rb
@@ -58,6 +58,12 @@ class RichTextTest < ActiveSupport::TestCase
 assert_select "p[class='btn btn-warning']", false
 assert_select "p", /^Click Me$/
 end
+
+ r = RichText.new("html", "
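Review bot: In the config/initializers/sanitize.rb hunk, the added `env[:node].kwattr_remove("style", nil)` relies on the nil-keywords case of a keyword-attribute helper to delete the whole attribute, which hides the intent; `env[:node].remove_attribute("style")` states it directly. A one-line comment above it would record why inline CSS is stripped from user-supplied rich text, e.g. `# Drop inline CSS: user-controlled style can restyle or overlay surrounding page content`. The first argument to `Sanitize::Config.merge(` lies outside the hunk, so it is not visible whether the base config allowlists `style`; if it does, removing it from the attribute allowlist there would presumably be the more conventional home for this rule.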

Danger

") + assert_html r do + assert_select "p[style='color:red']", false + assert_select "p", /^Danger$/ + end end def test_html_to_text @@ -163,11 +169,16 @@ class RichTextTest < ActiveSupport::TestCase end r = RichText.new("markdown", "Click Me\n{:.btn.btn-warning}") - # raise r.to_html assert_html r do assert_select "p[class='btn btn-warning']", false assert_select "p", /^Click Me$/ end + + r = RichText.new("markdown", "
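Review bot: The new negative assertion `assert_select "p[style='color:red']", false` only fails when the attribute survives with exactly that value, so a sanitizer that kept the attribute but rewrote or normalised its CSS would still pass. Matching on presence is the stronger regression check: `assert_select "p[style]", false`, or `assert_select "[style]", false` to cover every element as the commit title promises. The same applies to the markdown case added in the hunk at -163,11. Both enclosing test methods begin outside their hunks.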

Danger

") + assert_html r do + assert_select "p[style='color:red']", false + assert_select "p", /^Danger$/ + end end def test_markdown_to_text -- 2.45.1