Relaxed validation for width and height options - #546

ankane · Oct 5, 2020 · 1092181 · 1092181
1 parent 3de1865
commit 1092181
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.4.1 (unreleased)
+
+- Relaxed validation for `width` and `height` options
+
 ## 3.4.0 (2020-08-04)
 
 - Fixed CSS injection with `width` and `height` options - [more info](https://github.com/ankane/chartkick/issues/546)

diff --git a/lib/chartkick/helper.rb b/lib/chartkick/helper.rb
@@ -77,7 +77,8 @@ def chartkick_chart(klass, data_source, **options)
       css_vars.each_key do |k|
         # limit to alphanumeric and % for simplicity
         # this prevents things like calc() but safety is the priority
-        raise ArgumentError, "Invalid #{k}" unless css_vars[k] =~ /\A[a-zA-Z0-9%]*\z/
+        # dot does not need escaped in square brackets
+        raise ArgumentError, "Invalid #{k}" unless css_vars[k] =~ /\A[a-zA-Z0-9%.]*\z/
         # we limit above, but escape for safety as fail-safe
         # to prevent XSS injection in worse-case scenario
         css_vars[k] = ERB::Util.html_escape(css_vars[k])

diff --git a/test/chartkick_test.rb b/test/chartkick_test.rb
@@ -88,6 +88,10 @@ def test_height_percent
     assert_match "height: 100%;", line_chart(@data, height: "100%")
   end
 
+  def test_height_dot
+    assert_match "height: 2.5rem;", line_chart(@data, height: "2.5rem")
+  end
+
   def test_height_quote
     error = assert_raises(ArgumentError) do
       line_chart(@data, height: "150px\"")
@@ -110,6 +114,10 @@ def test_width_percent
     assert_match "width: 100%;", line_chart(@data, width: "100%")
   end
 
+  def test_width_dot
+    assert_match "width: 2.5rem;", line_chart(@data, width: "2.5rem")
+  end
+
   def test_width_quote
     error = assert_raises(ArgumentError) do
       line_chart(@data, width: "80%\"")