Actually, after some more tracing, the style element was not the culprit. It was the on[a-z]+ regexp. I think this filters the JavaScript on* events.
If I have banners that rely on using onclick to redirect to an ad serving page/script, and these are being blocked by Drupal, what can be done about them?
On 5/7/05, K B <kbahey@gmail.com> wrote:
In 4.6 includes/common.inc, in the function valid_input_data(), there is a check for various entities. Among these entities, there is a check for "style".
http://drupaldocs.org/api/4.6/function/valid_input_data
I use the banner module with text ads, and I use things like:
<div style="some-style-definitions">some text</div>
This check causes the above to be flagged as a security breach attempt and is logged to the watchdog as such.
http://drupal.org/node/20608#comment-29106
My question is: Can the "style" element be used in malicious attacks? If yes, then how?
Thanks in advance.