From 2d9d7f13103d8aeb1064f5ff3ec3aace9373c7c3 Mon Sep 17 00:00:00 2001
From: Martin Probst <martin@probst.io>
Date: Tue, 28 Jun 2016 11:45:02 -0700
Subject: [PATCH] fix(security): allow empty CSS values. (#9675)

---
 .../@angular/platform-browser/src/security/style_sanitizer.ts    | 1 +
 .../platform-browser/test/security/style_sanitizer_spec.ts       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/modules/@angular/platform-browser/src/security/style_sanitizer.ts b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
index 688e20e98c..78258c9200 100644
--- a/modules/@angular/platform-browser/src/security/style_sanitizer.ts
+++ b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
@@ -82,6 +82,7 @@ function hasBalancedQuotes(value: string) {
  */
 export function sanitizeStyle(value: string): string {
   value = String(value).trim();  // Make sure it's actually a string.
+  if (!value) return '';
 
   // Single url(...) values are supported, but only for URLs that sanitize cleanly. See above for
   // reasoning behind this.
diff --git a/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts b/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
index 67bed84e96..7bec4047d0 100644
--- a/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
+++ b/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
@@ -26,6 +26,7 @@ export function main() {
     function expectSanitize(v: string) { return t.expect(sanitizeStyle(v)); }
 
     t.it('sanitizes values', () => {
+      expectSanitize('').toEqual('');
       expectSanitize('abc').toEqual('abc');
       expectSanitize('50px').toEqual('50px');
       expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');