style attirbute completely removed?? hi.. i am using a RTE EDITOR ( free rich text editor ) i am passing the html generated by it through the HTMLpurifier. but the output of HTMLpurifier is everything except the style attributes in my HTML. why so? then the purpose of using an rte editor is defeated. can some one tell me. will there be any xss using style attribute also? why is it removed by HTMLpurifier ? i want to allow that attribute what should i do? example: rte generated html: <h1 style="font-family: tahoma; color: rgb(255, 0, 0); font-weight: bold; font-style: italic; text-decoration: underline line-through; text-align: center;"><font size="7">adf</font></h1> the output of HTMLpurifier is <h1><font size="7">adf</font></h1> http://htmlpurifier.org/phorum/read.php?3,1126,1126#msg-1126 Sat, 18 May 2013 06:41:55 -0400 Phorum 5.2.18 http://htmlpurifier.org/phorum/read.php?3,1126,1130#msg-1130 Re: style attirbute completely removed?? http://htmlpurifier.org/phorum/read.php?3,1126,1130#msg-1130 Magic quotes.

]]> Ambush Commander Support Wed, 26 Dec 2007 10:24:46 -0500 http://htmlpurifier.org/phorum/read.php?3,1126,1129#msg-1129 Re: style attirbute completely removed?? http://htmlpurifier.org/phorum/read.php?3,1126,1129#msg-1129 this is my allowed attributes. i urgently need to fix up this. i cant read the entire documentation. what i did is. just simply downloaded and extracted the zip file. and using 

<?php
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
    
    $purifier = new HTMLPurifier();
    $clean_html = $purifier->purify($dirty_html);
?>

this part of code to parse the html. then why is style atttribute not working for me. kindly suggest. asap.

]]> kishorekumar Support Wed, 26 Dec 2007 00:25:29 -0500 http://htmlpurifier.org/phorum/read.php?3,1126,1128#msg-1128 Re: style attirbute completely removed?? http://htmlpurifier.org/phorum/read.php?3,1126,1128#msg-1128 HTMLPurifier_ConfigSchema::define( 'HTML', 'AllowedAttributes', null, 'lookup/null', ' <p> If HTML Purifier\'s attribute set is unsatisfactory, overload it! The syntax is "tag.attr" or "*.attr" for the global attributes (style, id, class, dir, lang, xml:lang). </p> <p> <strong>Warning:</strong> If another directive conflicts with the elements here, <em>that</em> directive will win and override. For example, %HTML.EnableAttrID will take precedence over *.id in this directive. You must set that directive to true before you can use IDs at all. This directive has been available since 1.3.0. </p> '); ]]> KishroeKumar Support Wed, 26 Dec 2007 00:22:42 -0500 http://htmlpurifier.org/phorum/read.php?3,1126,1127#msg-1127 Re: style attirbute completely removed?? http://htmlpurifier.org/phorum/read.php?3,1126,1127#msg-1127 As you can see here, HTML Purifier by default preserves style attributes. Two things:

  1. Make sure magic quotes is off
  2. Make sure you've allowed the style attribute if you've restricted allowed tags/attributes
]]> Ambush Commander Support Mon, 24 Dec 2007 20:46:41 -0500 http://htmlpurifier.org/phorum/read.php?3,1126,1126#msg-1126 style attirbute completely removed?? http://htmlpurifier.org/phorum/read.php?3,1126,1126#msg-1126 hi..

i am using a RTE EDITOR ( free rich text editor ) i am passing the html generated by it through the HTMLpurifier.

but the output of HTMLpurifier is everything except the style attributes in my HTML. why so? then the purpose of using an rte editor is defeated. can some one tell me. will there be any xss using style attribute also? why is it removed by HTMLpurifier ? i want to allow that attribute what should i do?

example: rte generated html: 


<h1 style="font-family: tahoma; color: rgb(255, 0, 0); font-weight: bold; font-style: italic; text-decoration: underline line-through; text-align: center;"><font size="7">adf</font></h1>

the output of HTMLpurifier is 


<h1><font size="7">adf</font></h1>
]]> KishoreKumar Support Mon, 24 Dec 2007 00:39:50 -0500