Update normalize_style helper method with an allowlist

blocknotes · blocknotes · commit 0b729fb0b8a1 · 2021-09-13T08:33:31.000+02:00
diff --git a/lib/prawn_html/attributes.rb b/lib/prawn_html/attributes.rb
@@ -154,7 +154,7 @@ def apply_rule!(merged_styles:, rule:, value:, options:)
       return (@initial << rule) if value == 'initial'
 
       if rule[:set] == :append_styles
-        val = Utils.normalize_style(value)
+        val = Utils.normalize_style(value, rule[:values])
         (merged_styles[rule[:key]] ||= []) << val if val
       else
         opts = rule[:options] ? options[rule[:options]] : nil
diff --git a/lib/prawn_html/utils.rb b/lib/prawn_html/utils.rb
@@ -103,11 +103,13 @@ def copy_value(value, options: nil)
     # Normalize a style value
     #
     # @param value [String] string value
+    # @param accepted_values [Array] allowlist of valid values (symbols)
     #
     # @return [Symbol] style value or nil
-    def normalize_style(value)
+    def normalize_style(value, accepted_values)
       val = value&.strip&.downcase
-      NORMALIZE_STYLES[val]
+      ret = NORMALIZE_STYLES[val]
+      accepted_values.include?(ret) ? ret : nil
     end
 
     # Unquotes a string
diff --git a/spec/units/prawn_html/utils_spec.rb b/spec/units/prawn_html/utils_spec.rb
@@ -154,7 +154,9 @@
   end
 
   describe '.normalize_style' do
-    subject(:normalize_style) { described_class.normalize_style(value) }
+    subject(:normalize_style) { described_class.normalize_style(value, accepted_values) }
+
+    let(:accepted_values) { [:bold, :italic] }
 
     context 'with an invalid value (ex. "some_string")' do
       let(:value) { 'some_string' }
