Question

I am using lxml.html.clean to sanitize html. It seems to remove 'style' attributes from all tags and for my purposes I need the style attributes to not be removed.

Before I start allowing, I am keen to understand if there are any security implications around not removing style attributes at the time of sanitizing html.

Any insight on this matter from the gurus out there will be highly appreciated.

(please note my application allows an end user to create html which is saved on a backend database and then rendered on pages. 'clean' above works well in removing any malicious html (e.g. javascript, etc) from the html before it is saved for subsequent rendering).

Per feedparser HTML sanitisation web site - 'style' is not present in the list of 'safe_attrs'

(Also, sorry if this is a pedestrian question. I am new to html/sanitization and related security aspects)


Solution

Under normal conditions, styles are not a security risk per se. However, there are several circumstances in which a malicious style could be a liability:

  • form and input elements with style="display:none" can auto-populate with data in some browsers, causing users to unknowingly submit extra data.
  • style="display:block" or another display style might break a layout expecting inline or another style.
  • If your layout engine wants to maintain a particular visual style, allowing style information in the style attribute will give authors/posters more latitude than intended for choosing styles. (What if they decide they want 2000pt font?)
  • Style attributes can sometimes load other styles through the @import mechanic, or cause URLs to be loaded via background and similar attributes. Unless the sanitizer commits to also sanitize the CSS code, this will be a potential vector for injection.

Since the only reason you'd want to sanitize is that the source is potentially untrusted or insecure, it's assumed that letting the source set their own styles is not desired.
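As an added illustration of the points in this answer (not code from the question, the answer, or lxml itself), the following standard-library filter shows what a "commit to also sanitize the CSS" step can look like if you do decide to let `style` through: each declaration is checked against a small property allowlist, values that could load resources or run code (`url(`, `@import`, `expression(`) are dropped, `font-size` is capped, and `style` is stripped entirely from form controls so a hidden input cannot be smuggled in. The allowlist, the size caps and the sample markup are constructed for this example; the filter assumes the rest of the markup (scripts, event handlers) has already been cleaned, for instance by lxml's `Cleaner` with `style` added to its `safe_attrs`.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: properties an untrusted author may set. Note that
# "display" and "position" are deliberately absent (layout-breaking, see answer).
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-weight", "font-style",
    "text-align", "text-decoration", "font-size",
}
# Elements that never keep a style attribute (hidden form controls, see answer).
NO_STYLE_ELEMENTS = {"form", "input", "textarea", "select", "button"}
# Value tokens that can fetch external resources or execute code in legacy engines.
FORBIDDEN_VALUE = re.compile(r"url\s*\(|@import|expression\s*\(|javascript:|\\", re.I)
# Backstop: only plain keywords, numbers, units, hex colours and separators survive.
SAFE_VALUE = re.compile(r"^[#\w\s.%,-]+$")
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
FONT_SIZE = re.compile(r"^(\d+(?:\.\d+)?)(px|pt|em|rem|%)$")
# Constructed caps per unit, so "2000pt" from the answer is rejected.
MAX_FONT_SIZE = {"px": 48, "pt": 36, "em": 3, "rem": 3, "%": 300}


def sanitize_style(value: str) -> str:
    """Return the allowed declarations of a style attribute, or '' if none survive."""
    kept = []
    for decl in CSS_COMMENT.sub("", value).split(";"):
        if ":" not in decl:
            continue
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop not in ALLOWED_PROPERTIES:
            continue
        if FORBIDDEN_VALUE.search(val) or not SAFE_VALUE.match(val):
            continue
        if prop == "font-size":
            m = FONT_SIZE.match(val)
            if not m or float(m.group(1)) > MAX_FONT_SIZE[m.group(2)]:
                continue
        kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class StyleFilter(HTMLParser):
    """Re-emit markup unchanged except for sanitized (or removed) style attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, val in attrs:
            if name == "style":
                if tag in NO_STYLE_ELEMENTS:
                    continue            # no styling at all on form controls
                val = sanitize_style(val or "")
                if not val:
                    continue            # nothing allowed survived; drop attribute
            parts.append(f'{name}="{escape(val or "", quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_style_attributes(html: str) -> str:
    """Apply sanitize_style to every style attribute in an already-cleaned HTML fragment."""
    parser = StyleFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input exercising each hazard named in the answer.
    sample = (
        '<p style="color:blue; width:expression(alert(1))">text</p>'
        '<input style="display:none" name="extra">'
        '<span style="font-size:2000pt; background-color: url(http://evil.example/x)">big</span>'
    )
    print(filter_style_attributes(sample))
```

Run this after lxml's `Cleaner`, not instead of it: it only decides what a `style` attribute may contain. Anything not on the property allowlist, including `display`, is dropped rather than rewritten, which is the conservative default when the author is untrusted.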

Licensed under: CC-BY-SA with attribution