23 Oct
2006
23 Oct
'06
7:32 p.m.
On 23 Oct 2006, at 7:13 PM, Konstantin Käfer wrote:
The reason why filter.module removes style tags is simple: some dumb browsers allow JavaScript inside stylesheets, for example "font-size:expression(prompt('Enter a font name:', 'Arial'));". Using that you could execute potentially harmful JavaScript code that allows for XSS.
and using the full html 'filter' lets them do that without having to jump through hoops even.