$sanitize removes the style attribute

[acollard]

The HTML sanitize code removes the style attribute. We are running into this issue while rendering html content generated by https://github.com/angular-ui/ui-tinymce.

So this code:

$sanitize('<span style="font-size: 18px">Large</span>')

will return

'<span>Large</span>'

I don't think there are any security vulnerabilities with the style attribute but I could be wrong.

[petebacondarwin]

I think there are issues with inline styles. See
http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
and more specifically http://scarybeastsecurity.blogspot.co.uk/2009/12/generic-cross-browser-cross-domain.html

[petebacondarwin]

If you really wanted to allow this then you could make your own copy of angular-sanitize.js and tweak the variables that define what is allowed as HTML attributes.

[seiyria]

There might be problems, but this ignores people who use tools like Summernote for editing and don't really control the resulting HTML.

[dimrsilva]

One solution would be provide a way to customize those variables. So that, it will be possible to allow style in specific locations.

[chogarcia]

+1

[jtosey]

+1

[petebacondarwin]

I believe that allowing style attributes would open up a security hole in your application. So we would not want to encourage you to do that by letting you configure the sanitizer to be insecure.

[chogarcia]

Could you explain what are the security concerns in regards of style attribute please?
Just being curious.

[petebacondarwin]

You can start by checking out all the places here - https://html5sec.org/ - that reference style="..."

[petebacondarwin]

That being said, it may be that "modern" browsers are not susceptible to such attacks:
http://security.stackexchange.com/questions/60712/is-xss-through-style-attribute-possible-in-modern-browsers

I would still be very wary of allowing inline style attributes.

[chogarcia]

many thanks