Question

I'm running into an issue with Wygwam and Safecracker. When I extend the Wygwam configuration for a field (such as adding font-color) and then use that option on my field in Safecracker, the HTML seems to be getting stripped out like so:

Instead of this:

<p>
<span style="color:#ff0000;"><span style="font-size:16px;"><span style="font-family:georgia,serif;">Why aren&#39;t you saving???</span></span></span></p>

I get this (after submit):

<p>
<span><span>&lt;span new,courier,monospace;&quot;=&quot;&quot;&gt;Why aren&#39;t you saving???</span></span></p>

I'm sure this is due to XSS filtering in Safecracker; are there any good solutions to get around this issue? I'm using 2.6.3 of Wygwam and EE 2.5.3 (Safecracker 2.1).


Solution 2

Take a look around line 1281 of system/expressionengine/modules/safecracker/libraries/safecracker_lib.php; you will see this:

//@TODO what to do about xss_clean and "naughty" html
//for now you can crack open this file and manually add fields_ids and/or field types to the respective arrays
//to prevent xss_clean
//i had some people complain about not being able to submit <object>'s
$xss_clean = ( ! in_array($field['field_id'], $this->skip_xss_field_ids) && ! in_array($field['field_type'], $this->skip_xss_fieldtypes));

This array seems to be here specifically to help with your situation (wanting to skip XSS filtering on safecracker fields).

The array is initialized around line 2612 of the same file:

$this->skip_xss_field_ids = array();

Therefore, you should simply be able to add your field IDs to this array, to skip XSS filtering, like so:

$this->skip_xss_field_ids = array(37, 81);

Keep in mind this is a REALLY REALLY BAD IDEA. At this point, users can now add any arbitrary javascript to their wygwam field, and you have effectively opened your website up to XSS attacks (malicious users could hijack other users' sessions and do whatever they like).
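A defensive alternative to listing the field in skip_xss_field_ids, added here as an example (it is not code from the thread, Safecracker or Wygwam): a small allowlist sanitizer in PHP that keeps only the three inline styles the editor emits (color, font-size, font-family) and strips every other attribute and unknown tag, so the field can stay filtered. Assumes PHP 7.4+ with ext/dom; the function and constant names are my own.

```php
<?php
// Added example (not from the thread, Safecracker or Wygwam); assumes PHP 7.4+ with ext/dom.
// Instead of listing a field in skip_xss_field_ids (no filtering at all), keep filtering
// but allow exactly the inline styles the editor emits: color, font-size, font-family.
const ALLOWED_TAGS = ['p', 'span', 'strong', 'em', 'br'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
const ALLOWED_STYLES = [ // property => strict value pattern (no url(), expression(), ...)
    'color'       => '/^#[0-9a-f]{3}(?:[0-9a-f]{3})?$/i',
    'font-size'   => '/^\d{1,2}px$/',
    'font-family' => '/^[a-z0-9 ,\'"-]+$/i',
];

function sanitize_style(string $style): string
{
    $kept = [];
    foreach (explode(';', $style) as $decl) {
        if (strpos($decl, ':') === false) continue;
        [$prop, $value] = array_map('trim', explode(':', $decl, 2));
        $prop = strtolower($prop);
        if (isset(ALLOWED_STYLES[$prop]) && preg_match(ALLOWED_STYLES[$prop], $value)) {
            $kept[] = "$prop:$value";
        }
    }
    return implode(';', $kept);
}

function sanitize_fragment(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy editor markup instead of warning
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement; // the wrapper <div>
    // Snapshot the live node list and walk it in reverse so children are handled before parents.
    foreach (array_reverse(iterator_to_array($root->getElementsByTagName('*'))) as $el) {
        $tag = strtolower($el->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) { $el->parentNode->removeChild($el); continue; }
        if (!in_array($tag, ALLOWED_TAGS, true)) { // unknown tag: keep its children, drop the element
            while ($el->firstChild) $el->parentNode->insertBefore($el->firstChild, $el);
            $el->parentNode->removeChild($el);
            continue;
        }
        // Allowed tag: drop every attribute (onclick, href, ...) and re-add only a sanitized style.
        $style = sanitize_style($el->getAttribute('style'));
        foreach (iterator_to_array($el->attributes, false) as $attr) $el->removeAttributeNode($attr);
        if ($style !== '') $el->setAttribute('style', $style);
    }
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($root->childNodes)));
}
```

Run sanitize_fragment() on the submitted field value before it is saved; the nested span markup from the question keeps its color, font-size and font-family styles, while event handlers, script tags and any other style property are dropped.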

OTHER TIPS

Everything Adrian says is right. However, if you are not allowing guests to post via this form and it's only for approved, registered users, the XSS threat is mitigated. In fact, when you submit an entry in the CP, fields are NOT passed to the XSS filter.

If you have the "removeFormatAttributes" setting applied to your Wygwam configuration, it will strip out style attributes (amongst others).

Go to Add-ons -> Modules -> Wygwam and click on the config set you are using for the field in question. From there you can select various settings to affect how that set works.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow