[development] How to control HTML user input preserving the "style" attributes?
Konstantin Käfer
kkaefer at gmail.com
Mon Oct 23 17:13:15 UTC 2006
> I believe filter.module does that for security reasons.
The reason why filter.module removes style tags is simple: some dumb
browsers allow JavaScript inside stylesheets, for example
"font-size:expression(prompt('Enter a font name:', 'Arial'));". Using that
you could execute potentially harmful JavaScript code that allows for
XSS.
Konstantin Käfer – http://kkaefer.com/
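The following is an added example, not code from filter.module or from the Drupal project, showing one way to keep a user-supplied "style" attribute while refusing the expression() vector quoted above. It is an allow-list sanitizer: only a small, assumed set of properties is kept, and a value survives only if it is built from the characters those properties actually need. That grammar alone rejects parentheses, quotes, colons and backslashes, which covers expression(), url(javascript:...) and CSS escapes such as \65; CSS comments are stripped first so "exp/**/ression" cannot slip past as two harmless fragments. The property list and the sample inputs are assumptions constructed for the example.

```javascript
// Added example (not code from filter.module or the Drupal project): an
// allow-list sanitizer for a user-supplied HTML "style" attribute value.
// It keeps harmless declarations such as "color: red; font-size: 12px" and
// drops anything that could smuggle script into a stylesheet on legacy
// browsers: expression(), url(javascript:...), behavior:, -moz-binding,
// and the CSS comments or escapes attackers use to disguise those tokens.
// The property list below is an assumption for the example, not Drupal's.

const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-size', 'font-weight', 'font-style',
  'font-family', 'text-align', 'text-decoration', 'margin', 'padding', 'border',
]);

// Values for the properties above only ever need letters, digits, '#', '%',
// '.', ',', '-' and whitespace. Anything else (parentheses, quotes, slashes,
// backslashes, colons) is not needed and is rejected outright, which already
// kills expression(...), url(...), javascript: and CSS escapes like \65.
const SAFE_VALUE = /^[a-zA-Z0-9#%.,\s-]+$/;

// Defence in depth: tokens that must never appear even as bare words.
const FORBIDDEN = /expression|javascript|vbscript|behavior|binding/i;

// Remove CSS comments so that "exp/**/ression" is seen as "expression"
// before the value is checked (a comment-stripping browser would do the same).
function stripComments(value) {
  return value.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Sanitize one style attribute value. Returns the surviving declarations
// joined with "; ", or an empty string when nothing safe remains.
function sanitizeStyle(style) {
  const kept = [];
  // Splitting on ';' is safe here because the allowed value grammar admits
  // no quotes or parentheses that could hide a ';' inside a value.
  for (const decl of stripComments(String(style)).split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_PROPERTIES.has(prop)) continue;
    if (value === '' || !SAFE_VALUE.test(value)) continue;
    if (FORBIDDEN.test(value)) continue;
    kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Constructed sample inputs: the vector quoted in the message plus variants
// that try to hide the same token behind a comment or a CSS escape.
const SAMPLES = [
  'color: red; font-size: 12px',
  "font-size:expression(prompt('Enter a font name:', 'Arial'));",
  'color: red; background: url(javascript:alert(1))',
  'font-size: exp/**/ression(alert(1))',
  'color: \\65 xpression(alert(1))',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeStyle(s)));
  }
}
```

The point of the allow-list shape is that new browser quirks do not need a new blacklist entry: a value is kept only when it is made of characters the permitted properties need, so a future "expression"-like construct that needs parentheses or a colon is dropped without anyone having heard of it.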