[development] How to control HTML user input preserving the "style" attributes?

adrian rossouw adrian at bryght.com
Mon Oct 23 17:32:26 UTC 2006

On 23 Oct 2006, at 7:13 PM, Konstantin Käfer wrote:

> The reason why filter.module removes style tags is simple: some  
> dumb browsers allow JavaScript inside stylesheets, for example  
> "font-size:expression(prompt('Enter a font name:', 'Arial'));".  
> Using that you could execute potentially harmful JavaScript code  
> that allows for XSS.

and using the full html 'filter' lets them do that without having to  
jump through hoops even.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20061023/1277ce90/attachment-0001.htm 

More information about the development mailing list