Is <span style=...> safe to sanitize?

I use a rich text editor (CKEditor), and I have the ability to allow users to create profiles that are displayed to other users.

Many of the attributes that CKEditor can set are lost when I render the content with:

<%= sanitize(profile.body) %>

My question is: is it safe to allow the style attribute? This would let users set things like text color, size, background color, centering, indentation, etc. I just want to be sure this won't open up something to an attacker that I don't know about!

+5
1 answer

Is it safe to enable the style attribute?

No.

background-image: url(javascript:[code]);   /* javascript: URL inside url(), old IE */
width: expression([code]);                  /* IE "dynamic properties" via expression() */
behavior: url([link to code]);              /* IE .htc behaviours */
-moz-binding: url([link to code]);          /* Firefox XBL bindings */

UI spoofing, too.

+15
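The practical middle ground between "no style at all" and "pass style through" is to rebuild the attribute from an allowlist of properties and a tight value grammar, so that the vectors in the answer (url(), expression(), behavior, -moz-binding) and the layout properties used for UI spoofing (position, z-index, display, opacity) never survive. The following is an added example, not code from the question, the answer, or any library: plain Ruby with no gems, and the property list, regexes and helper names (sanitize_style, style_attribute) are this example's own choices. It is meant to be applied to each style attribute that your HTML sanitizer lets through; whether the version of the Rails sanitize helper you run already applies a CSS filter when you allow style is something to confirm in its source rather than assume.

```ruby
require 'cgi'

# Properties the profile editor legitimately needs (colour, size, alignment,
# indentation). Deliberately absent: anything that takes a url(), anything
# that positions or layers content (position, z-index, display, opacity),
# and vendor-prefixed properties. Assumed list for this example.
SAFE_PROPERTIES = %w[
  color background-color font-size font-weight font-style
  text-align text-decoration text-indent margin-left padding-left
].freeze

# Value grammar: a bare keyword, a number with a simple unit, a #hex colour,
# or rgb()/rgba() with numeric arguments. Parentheses other than rgb(a),
# quotes, backslashes (CSS escapes), slashes and comment markers all fail,
# which is what rules out url(), expression() and javascript: payloads.
KEYWORD   = /\A[a-z][a-z-]*\z/
LENGTH    = /\A-?\d+(\.\d+)?(px|pt|em|rem|%)?\z/
HEX_COLOR = /\A#\h{3}(\h{3})?\z/
RGB_COLOR = /\Argba?\(\s*\d{1,3}(\s*,\s*\d{1,3}){2}(\s*,\s*(0|1|0?\.\d+))?\s*\)\z/

def safe_value?(value)
  [KEYWORD, LENGTH, HEX_COLOR, RGB_COLOR].any? { |re| value.match?(re) }
end

# Takes the raw text of a style="" attribute and returns a rebuilt declaration
# list containing only allowlisted property/value pairs. Splitting on ';' is
# safe here because any value that could contain a ';' (a quoted url(), for
# instance) is rejected by the grammar anyway.
def sanitize_style(style)
  style.to_s.split(';').map do |decl|
    prop, value = decl.split(':', 2)
    next unless prop && value
    prop  = prop.strip.downcase
    value = value.strip.downcase
    next unless SAFE_PROPERTIES.include?(prop) && safe_value?(value)
    "#{prop}: #{value}"
  end.compact.join('; ')
end

# Renders the attribute for insertion into HTML, or nothing if no declaration
# survived. The grammar already excludes quotes, but escaping is cheap insurance.
def style_attribute(style)
  clean = sanitize_style(style)
  clean.empty? ? '' : %( style="#{CGI.escapeHTML(clean)}")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: what CKEditor might emit, plus the answer's vectors.
  [
    'color: #FF0000; font-size: 14px; background-image: url(javascript:alert(1))',
    'width: expression(alert(1)); behavior: url(evil.htc); -moz-binding: url(http://evil/x.xml#a)',
    'text-align: center; color: rgb(255, 0, 0); position: absolute; z-index: 9999',
  ].each { |s| puts "#{s.inspect} => #{style_attribute(s).inspect}" }
end
```

In an ERB view this would sit behind the sanitizer rather than replace it: keep `<%= sanitize(profile.body, attributes: %w(style)) %>` for the tag and attribute allowlist, and run `sanitize_style` on every style value (a Loofah scrubber is the natural hook in Rails) before the HTML reaches the page.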
