I am currently using the owasp java library on a backend service in order to sanitize HTML sent from the client. The owasp java library has a CSS whitelist of css rules that it will allow inside of any style tag inside of html elements. You can find that whitelist here.
One thing that I noticed about this whitelist is that the display property is omitted. This means that if I create HTML code like the following:
<div style="margin-left:0px;display:none;"></div>
then the HTML sanitizer with the default styling whitelist will strip out the display rule and the HTML saved on the server will be:
<div style="margin-left:0px;"></div>
Why is the display property not white-listed by default?
Because then the other white-listed styles wouldn't work due to the element not being displayed at all
UPDATE

display has a lot of weird edge cases that affect layout in weird ways. inline, block, and inline-block are likely safe in most contexts. fixed is probably safe in none. table and others are probably dodgy since there may be ways to break visual containment. Even block and inline-block can break visual containment, for example with a policy that only allows inline tags when the embedder fixes the width of the container and doesn't hide overflow.
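The following is an added example, not code from the question or the answer above, showing the two behaviours discussed: the library's built-in CSS whitelist (CssSchema.DEFAULT) dropping the display rule, and a second policy that explicitly opts in to the display property for embedders who have weighed the visual-containment caveat. It assumes the OWASP Java HTML Sanitizer classes HtmlPolicyBuilder, PolicyFactory and CssSchema are on the classpath and that "display" is one of the property names the library's own CSS definitions know (CssSchema.withProperties rejects names it does not define). The class name and helper methods are hypothetical.

```java
import java.util.Collections;

import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class DisplaySanitizerDemo {

    // Policy 1: allow <div> and style attributes, filtered by the built-in
    // CSS whitelist. Because "display" is not in that whitelist, the
    // sanitizer drops the display rule and keeps only the margin rule.
    static final PolicyFactory DEFAULT_POLICY = new HtmlPolicyBuilder()
            .allowElements("div")
            .allowStyling()
            .toFactory();

    // Policy 2: the built-in whitelist plus the "display" property.
    // CssSchema.withProperties looks the names up in the library's own
    // property definitions (assumed to include "display"); union merges
    // that one-property schema with CssSchema.DEFAULT. Note this admits
    // every display value the library defines, so it should only be used
    // where the embedder controls the container and overflow as the
    // answer above describes.
    static final PolicyFactory DISPLAY_POLICY = new HtmlPolicyBuilder()
            .allowElements("div")
            .allowStyling(CssSchema.union(
                    CssSchema.DEFAULT,
                    CssSchema.withProperties(Collections.singletonList("display"))))
            .toFactory();

    static String sanitizeDefault(String untrustedHtml) {
        return DEFAULT_POLICY.sanitize(untrustedHtml);
    }

    static String sanitizeWithDisplay(String untrustedHtml) {
        return DISPLAY_POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input, the same markup as in the question.
        String input = "<div style=\"margin-left:0px;display:none;\"></div>";

        // Default whitelist: the display rule is stripped, margin-left survives.
        System.out.println("default : " + sanitizeDefault(input));

        // Opt-in schema: both rules survive (the sanitizer may normalise
        // whitespace and trailing semicolons, so compare rules, not bytes).
        System.out.println("display : " + sanitizeWithDisplay(input));
    }
}
```

Run it with the sanitizer jar on the classpath; the first line shows the behaviour the question observed, the second shows what changes once display is whitelisted. Whether the second policy is acceptable depends on the embedding context described in the answer, since the property list cannot restrict which display values are accepted.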