In our app we allow the display of HTML from an external source, so before we display it, we sanitize it. The source is somewhat trusted but we want to add another layer.
We remove the style tag but wish to preserve style attributes. I know scripts can be placed in that attribute and was wondering to what extent these can be used for XSS. In other words, what are the specific risks with allowing style tags?
Many of the same risks are shared with HTML emails. If you’re showing your HTML email in a web-based reader, such as Gmail, you want to ensure it can’t escape its container and try to mess with the mail interface itself. Because of this, many styles are ripped out before the email is served to the user. Campaign Monitor has a good guide as to what CSS is allowed and disabled in different mail clients. This may be a good starting point.
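The following is an added example, not part of the original question or answer: one way to keep `style` attributes while stripping most declarations is to rebuild the attribute from an allowlist of properties and plain-token values. The property list, the value pattern and the length limit are assumptions to adapt to your content.

```javascript
// Added example: allowlist filter for the value of a style="" attribute.
// ALLOWED_PROPERTIES is an assumed starting list; layout and positioning
// properties are deliberately absent so content stays inside its container.
const ALLOWED_PROPERTIES = new Set([
  "color", "background-color", "font-size", "font-style", "font-weight",
  "text-align", "text-decoration", "padding", "border",
]);

// Values may contain only letters, digits, #, %, dot, comma, whitespace and
// hyphen. Parentheses, quotes, slashes, backslashes, colons and "!" fail the
// match, so function-style values, CSS escapes, comments and !important
// are all dropped.
const SAFE_VALUE = /^[a-z0-9#%.,\s-]+$/i;
const MAX_VALUE_LENGTH = 64; // assumed limit

function sanitizeStyle(styleText) {
  const kept = [];
  for (const declaration of String(styleText).split(";")) {
    const colon = declaration.indexOf(":");
    if (colon === -1) continue; // not a "property: value" pair
    const property = declaration.slice(0, colon).trim().toLowerCase();
    const value = declaration.slice(colon + 1).trim();
    if (!ALLOWED_PROPERTIES.has(property)) continue;
    if (value.length === 0 || value.length > MAX_VALUE_LENGTH) continue;
    if (!SAFE_VALUE.test(value)) continue;
    // The output is rebuilt from validated parts; the original text is
    // never passed through unchanged.
    kept.push(`${property}: ${value}`);
  }
  return kept.join("; ");
}

// Constructed sample input.
const sample = "color: #333; position: fixed; top: 0; " +
  "background-color: url(https://example.invalid/x.png); FONT-WEIGHT: bold";
console.log(sanitizeStyle(sample)); // color: #333; font-weight: bold
```

Apply it to every `style` attribute after the HTML itself has been parsed and sanitized, and write the returned string back (or remove the attribute when the result is empty).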