[development] How to control HTML user input preserving the "style" attributes?
adrian rossouw
adrian at bryght.com
Mon Oct 23 17:32:26 UTC 2006
On 23 Oct 2006, at 7:13 PM, Konstantin Käfer wrote:
>
> The reason why filter.module removes style tags is simple: some
> dumb browsers allow JavaScript inside stylesheets, for example
> "font-size:expression(prompt('Enter a font name:', 'Arial'));".
> Using that you could execute potentially harmful JavaScript code
> that allows for XSS.
And using the full HTML 'filter' lets them do that without having to
jump through hoops, even.