From 07db71b009ad82dba4a6fb7898bae9ae2d4ea020 Mon Sep 17 00:00:00 2001
From: meem <75212565+meemofcourse@users.noreply.github.com>
Date: Fri, 29 Sep 2023 23:37:04 -0300
Subject: [PATCH] Removes the ability for players to use a table's background
 attribute in html to embed images (#2383)

<!-- Write **BELOW** The Headers and **ABOVE** The comments else it may
not be viewable. -->
<!-- You can view Contributing.MD for a detailed description of the pull
request process. -->

## About The Pull Request

a table has a background attribute which can render images from links

<!-- Describe The Pull Request. Please be sure every change is
documented or this can delay review and even discourage maintainers from
merging your PR! -->

## Why It's Good For The Game

security issue bad

<!-- Please add a short description of why you think these changes would
benefit the game. If you can't justify it in words, it might not be
worth adding. -->

## Changelog

:cl:
del: you can no longer bypass image sanitization with tables
/:cl:

<!-- Both :cl:'s are required for the changelog to work! You can put
your name to the right of the first :cl: if you want to overwrite your
GitHub username as author ingame. -->
<!-- You can use multiple of the same prefix (they're only used for the
icon ingame) and delete the unneeded ones. Despite some of the tags,
changelogs should generally represent how a player might be affected by
the changes rather than a summary of the PR's contents. -->
---
 tgui/packages/tgui/sanitize.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tgui/packages/tgui/sanitize.ts b/tgui/packages/tgui/sanitize.ts
index a40d23a320d3..bd67b969a3c5 100644
--- a/tgui/packages/tgui/sanitize.ts
+++ b/tgui/packages/tgui/sanitize.ts
@@ -48,7 +48,7 @@ const defTag = [
 // Advanced HTML tags that we can trust admins (but not players) with
 const advTag = ['img'];
 
-const defAttr = ['class', 'style'];
+const defAttr = ['class', 'style', 'background'];
 
 /**
  * Feed it a string and it should spit out a sanitized version.