fix(security): allow empty CSS values. (#9675)

modules/@angular/platform-browser/src/security/style_sanitizer.ts

@@ -82,6 +82,7 @@ function hasBalancedQuotes(value: string) {
  */
 export function sanitizeStyle(value: string): string {
   value = String(value).trim();  // Make sure it's actually a string.
+  if (!value) return '';
 
   // Single url(...) values are supported, but only for URLs that sanitize cleanly. See above for
   // reasoning behind this.

modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts

@@ -26,6 +26,7 @@ export function main() {
     function expectSanitize(v: string) { return t.expect(sanitizeStyle(v)); }
 
     t.it('sanitizes values', () => {
+      expectSanitize('').toEqual('');
       expectSanitize('abc').toEqual('abc');
       expectSanitize('50px').toEqual('50px');
       expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');