I have a wysiwyg that allows users to format a text area. I'm using sanitize
and I'm passing in arrays of allowed tags and allowed attributes:
<%= sanitize @record.notes, tags: %w(strong em u div span br h1 h2 h3 h4 ul ol li table thead tbody th tr td img hr a), attributes: %w(style colspan rowspan text-align class href target src) %>
Everything works properly except for style attributes with color specified with rgb.
For example, this input shows the color properly:
<span style="color: red;">PRODUCTS</span>
But this input doesn't work, and the style attribute is stripped blank:
<span style="color: rgb(226, 80, 65);">PRODUCTS</span>
Is there any way to get the rgb color working properly?
EDIT: For reference, I'm on Rails 4.2.10.
Apparently Loofah handles the sanitize function under the hood, and it defaults to removing some functions. RGB color seems to be treated as a function.
There's currently a pull request to allow whitelisting of particular functions that should address this issue.
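To make the behaviour described above concrete, here is a small stand-alone Ruby sketch of how a style-attribute scrubber with a function allow list works. It is an added illustration, not Loofah's or Rails' own code: the constant names (ALLOWED_CSS_PROPERTIES, ALLOWED_CSS_FUNCTIONS), the scrub_style and value_allowed? helpers and the token grammar are assumptions chosen for the example. It shows why a value such as rgb(226, 80, 65) is dropped when no functions are allowed (the declaration is discarded and the attribute ends up blank) and why the same scrubber keeps it once rgb is on the allow list, while still rejecting url() and expression() values, which is the reason sanitizers treat function calls in CSS with suspicion in the first place.

```ruby
require "set"

# Assumed allow lists for the example (not Loofah's actual lists).
ALLOWED_CSS_PROPERTIES = Set.new(%w[color background-color text-align font-weight font-style])
ALLOWED_CSS_FUNCTIONS  = Set.new(%w[rgb rgba hsl hsla])

# A single safe token: a keyword, a hex colour, or a number with an optional unit.
SAFE_TOKEN    = /\A(?:[a-z][a-z0-9-]*|#[0-9a-f]{3,8}|-?\d+(?:\.\d+)?(?:px|em|rem|%)?)\z/i
# A function call such as rgb(226, 80, 65): name plus raw argument string.
FUNCTION_CALL = /\A([a-z-]+)\((.*)\)\z/i

# Returns true when every token of a declaration value is either a safe token
# or a call to an allowed function whose arguments are all safe tokens.
def value_allowed?(value, allowed_functions)
  # Tokenise: function calls (up to the first closing paren) or whitespace-separated words.
  tokens = value.strip.scan(/[a-z-]+\([^)]*\)|\S+/i)
  tokens.all? do |token|
    if (m = FUNCTION_CALL.match(token))
      name, args = m[1].downcase, m[2]
      allowed_functions.include?(name) &&
        args.split(",").all? { |arg| SAFE_TOKEN.match?(arg.strip) }
    else
      SAFE_TOKEN.match?(token)
    end
  end
end

# Scrubs a style attribute: keeps only "property: value" declarations whose
# property is allowed and whose value passes value_allowed?. Returns the
# surviving declarations joined back into a style string ("" if none survive).
def scrub_style(style, allowed_properties: ALLOWED_CSS_PROPERTIES,
                allowed_functions: ALLOWED_CSS_FUNCTIONS)
  kept = []
  style.split(";").each do |decl|
    prop, value = decl.split(":", 2)
    next if value.nil?
    prop = prop.strip.downcase
    next unless allowed_properties.include?(prop) && value_allowed?(value, allowed_functions)
    kept << "#{prop}: #{value.strip}"
  end
  kept.empty? ? "" : kept.join("; ") + ";"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs mirroring the question.
  puts scrub_style("color: red;")                                   # kept
  puts scrub_style("color: rgb(226, 80, 65);", allowed_functions: Set.new).inspect # "" (stripped blank)
  puts scrub_style("color: rgb(226, 80, 65);")                      # kept once rgb is allowed
  puts scrub_style("color: red; background-color: url(javascript:alert(1))") # url() dropped
end
```

The first rgb call returns an empty string, which is exactly the "stripped blank" attribute seen in the question; allowing the function by name, rather than loosening the tokeniser, keeps the scrubber's rejection of url(), expression() and quoted strings intact.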