Under normal conditions, styles are not a security risk per se. However, there are several circumstances in which a malicious style could be a liability:
- `form` and `input` elements with `style="display:none"` can auto-populate with data in some browsers, causing users to unknowingly submit extra data.
- `style="display:block"` or another `display` style might break a layout expecting `inline` or another style.
- If your layout engine wants to maintain a particular visual style, allowing style information in the `style` attribute will give authors/posters more latitude than intended for choosing styles. (What if they decide they want 2000pt font?)
- Style attributes can sometimes load other styles through the `@import` mechanism, or cause URLs to be loaded via `background` and similar attributes. Unless the sanitizer commits to also sanitizing the CSS code, this will be a potential vector for injection.

Since the only reason you'd want to sanitize is that the source is potentially untrusted or insecure, it's assumed that letting the source set its own styles is not desired.
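
As an added illustration (not code from the original page or from any particular sanitizer), the Python sketch below drops every `style` attribute from an untrusted fragment and records which of the risks listed above each one would have carried. `StyleStripper`, `strip_styles`, `RISKS` and the sample markup are this example's own names; it handles only the `style` attribute and is not a complete HTML sanitizer.

```python
import re
from html import escape
from html.parser import HTMLParser

# Audit labels for the risks listed above (names and patterns are this example's own).
RISKS = {
    "hidden-element": re.compile(r"display\s*:\s*none", re.I),
    "layout-override": re.compile(r"display\s*:\s*(?!none)[a-z-]+", re.I),
    "external-load": re.compile(r"@import|url\s*\(", re.I),
}

class StyleStripper(HTMLParser):
    """Re-emit markup with every style attribute dropped, logging what it held."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        kept = [tag]
        for name, value in attrs:
            if name == "style":
                # Removal is unconditional: an obfuscated value is dropped too.
                labels = [k for k, rx in RISKS.items() if rx.search(value or "")]
                self.findings.append((tag, labels or ["unclassified"]))
            else:
                kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(kept) + ">")

    handle_startendtag = handle_starttag  # emit <input/> once, as a start tag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    # Text and character references pass through unchanged.
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def strip_styles(html):
    parser = StyleStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample input: one element per risk, plus a CSS-escaped "display".
SAMPLE = ('<form><input name="email" style="display:none"></form>'
          '<span style="display:block; font-size:2000pt">hi &amp; bye</span>'
          '<div style="background:url(//cdn.example/x.png)">x</div>'
          '<p style="dis\\70lay:none">y</p>')
```

The last sample element uses a CSS escape that none of the patterns recognise; it is still removed because removal never depends on the patterns, which is why dropping the attribute outright is more robust than trying to block known-bad declarations.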