Closed Bug 1577884 Opened 6 years ago Closed 6 years ago

Allow nsTreeSanitizer to remove external/internal, but keep inline styles

Categories

(Core :: DOM: Core & HTML, enhancement)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: KaiE, Unassigned)

Details

I'd like to use a HTML sanitizer that keeps inline styles, but removes external/internal styles. In other words, allow the style="" attributes, but remove all <style> tags.

Could we extend nsTreeSanitizer to offer that?
(I'd like to use that in Thunderbird.)

Or, do you have alternative suggestions, how I could accomplish that with other code that's already available?

What's the point of that out of curiosity? You don't want to affect the style of outer elements, but allow to affect the style of the elements you're injecting?

(If so, would it make sense to just put the sanitized content in a shadow tree and allow all inline styling? That would prevent the styles from going out of the shadow tree.)

No, we're not injecting. We don't want to allow certain things we're receiving, and for our cases, inline style= seems less problematic than global <style>.

(In reply to Kai Engert (:kaie:) from comment #3)

inline style= seems less problematic than global <style>.

It seems I was wrong.

I'll resolve this as incomplete for now, we probably don't need that distinction.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.