Why is the <style> block considered unsafe markup?

I recently hooked up PageDown to sanitize some of the HTML inputs coming from a text box, and noticed that it truncates the style elements.

I'm just wondering why they are considered unsafe?

+5
4 answers

IE has a special CSS function that allows you to embed JavaScript in CSS. That alone would be sufficient reason to ban <style> tags.

Expressions

behavior: style, style whitelist, . , script , .

, , CSS. , , (, <form>), , .

+4

, <script> , , , , <style>. .

: http://www.squarefree.com/securitytips/web-developers.html

, , HTML-, , Firefox IE:

javascript:, vbscript:, and data: URLs in links, images, anywhere.
<script> tags, with or without src attributes.
Event attributes (on*), which contain scripts.
-moz-binding: or behavior: CSS properties inside <style> elements or style attributes.
HTML that is not "well-formed" -- you can't be sure how quirky browsers will parse it. (Example: <b <i>Foo)
0
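
The checklist in the answer above can be turned into an audit pass over untrusted markup. This is an added example, not code from the answers or from PageDown; it uses Python's standard html.parser, and the class name, function name, finding labels and sample strings are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Patterns follow the checklist above; expression() is IE's script-in-CSS function.
BAD_SCHEME = re.compile(r"^(?:javascript|vbscript|data):", re.I)
# The lookbehind keeps harmless properties such as scroll-behavior from matching.
BAD_CSS = re.compile(r"(?<![\w-])(?:-moz-binding|behavior)\s*:|expression\s*\(", re.I)
# Browsers skip whitespace/control characters inside a URL scheme, so strip them first.
SKIPPED = re.compile(r"[\x00-\x20]+")


class MarkupAudit(HTMLParser):
    """Collects (kind, name) findings; all names are constructed for this example."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-tag", tag))
        if tag == "style":
            self._in_style = True
        for name, value in attrs:  # values arrive with entities already decoded
            if name.startswith("on"):
                self.findings.append(("event-attribute", name))
            elif name == "style" and BAD_CSS.search(value or ""):
                self.findings.append(("css-in-attribute", name))
            elif BAD_SCHEME.match(SKIPPED.sub("", value or "")):
                self.findings.append(("url-scheme", name))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and BAD_CSS.search(data):
            self.findings.append(("css-in-style-element", "style"))


def audit(html):
    parser = MarkupAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":  # constructed sample input
    print(audit('<p style="behavior: url(x.htc)" onclick="f()">hi</p>'))
```

Pattern matching over CSS can be evaded with escapes and comments, so this is an audit aid rather than a filter; a sanitizer that drops <style> outright, as described in the question, avoids that problem.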

. ( , .). , , 3D-. ( , , CSS, , .)

( HTML4 style head. HTML5 , , css, , .)

0

- HTML-, , (.. , , ), . HTML ; , <stuff>, ?

... , . , iframe .., CSS / . ( HTML5 , , IE8, - . , .) , CSS, . (, behavior IE). , HTML, , . , -, ... , , .

0