I recently plugged in PageDown to sanitize some HTML input coming from a textarea, and I noticed that it trims out "style" elements.
I was just wondering why these are considered unsafe?
IE has a special CSS feature that allows JavaScript to be embedded within CSS. This alone would be reason enough to want to ban `<style>` tags. `behavior`/`expression`s can also be entered into the `style` attribute, so you should make sure that you either remove `style` attributes from your whitelist, or whitelist specific styles. You should not attempt to blacklist styles because there are a few ways script can make its way into styles, and there are plans to add more in the future.

Also, as others mentioned, you can completely change the look of a page using CSS. I can't think of any way this could be harmful without also allowing some other markup (like a `<form>` tag), but given enough creativity I'm sure a malicious person could come up with some ideas.
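The "whitelist specific styles rather than blacklist" advice from the answer above, as an added example that is not part of the original thread or of PageDown: a small allowlist filter for an inline `style` attribute. The function name `sanitizeStyleAttribute` and the property list are assumptions chosen for illustration; unknown properties such as `behavior` and values that are not a plain colour or keyword (so anything wrapping `expression(...)` or `url(...)`) never match the allowlist and are dropped.

```javascript
// Added example, not PageDown's code: allowlist-based filtering of an
// inline style attribute. Nothing here looks for "bad" tokens; anything
// not explicitly permitted is discarded.

// property name -> pattern the *entire* value must match (assumed list)
const ALLOWED_STYLE_PROPS = {
  "color": /^(#[0-9a-f]{3,6}|[a-z]+)$/i,
  "background-color": /^(#[0-9a-f]{3,6}|[a-z]+)$/i,
  "font-weight": /^(normal|bold|[1-9]00)$/i,
  "font-style": /^(normal|italic)$/i,
  "text-align": /^(left|right|center|justify)$/i,
  "text-decoration": /^(none|underline|line-through)$/i,
};

function sanitizeStyleAttribute(style) {
  const kept = [];
  // Splitting on ';' is safe here because no allowed value may contain one.
  for (const decl of style.split(";")) {
    const idx = decl.indexOf(":");
    if (idx < 0) continue; // not "prop: value", drop it
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    const pattern = ALLOWED_STYLE_PROPS[prop];
    // Unknown property (e.g. behavior) or a value containing parentheses,
    // quotes or URLs fails the allowlist and is silently removed.
    if (pattern && pattern.test(value)) {
      kept.push(`${prop}: ${value}`);
    }
  }
  return kept.join("; ");
}

// constructed sample input: one benign declaration, one that is not allowed
console.log(sanitizeStyleAttribute("color: red; behavior: url(x.htc)"));
```

The same allowlist idea applies to a `<style>` block if you ever choose to keep one: parse the declarations and keep only those that pass, instead of searching the text for known-dangerous constructs.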