Tags: ruby-on-rails, ruby-on-rails-3, sanitize, html-safe

Is <span style=...> safe for sanitize?


I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users.

Many of the attributes CKEditor can control are being lost when I display them as:

<%= sanitize(profile.body) %>

My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I don't know about!


Solution

  • is it safe to allow the attribute 'style' to be parsed?

    No.

    background-image: url(javascript:[code]);
    width: expression([code]);                  /* ie */
    behavior: url([link to code]);              /* ie */
    -moz-binding: url([link to code]);          /* ff */

    Not to mention UI-spoofing attacks like positioning a false login form over a real one or something.
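One defensive way to let a limited subset of inline styles through while dropping the dangerous declarations listed above, as an added example that is not part of the original answer and not Rails' or Loofah's own sanitizer: a property allow-list plus a conservative value pattern, in plain Ruby so it runs stand-alone (the property list and the pattern are assumptions you would tune for your editor).

```ruby
# Added example: allow-list filter for the value of a style="" attribute.
# Keeps only declarations whose property is on the allow-list AND whose
# value matches a conservative token pattern, so url(), expression(),
# behavior and -moz-binding never reach the browser. In a Rails app this
# would be applied from a custom scrubber; here it is plain Ruby.

# Assumed allow-list: the formatting properties a profile editor needs.
ALLOWED_PROPERTIES = %w[
  color background-color font-size font-weight font-style
  text-align text-decoration margin-left margin-right padding-left
].freeze

# One value token: hex color, rgb() with digits only, number with unit, or a bare word.
# No parentheses (other than rgb), quotes, slashes, backslashes or colons are allowed,
# which rules out url(...), expression(...), CSS escapes and comments.
TOKEN = %r{#[0-9a-f]{3,6}|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\)|-?\d+(?:\.\d+)?(?:px|em|rem|pt|%)?|[a-z-]+}i
SAFE_VALUE = /\A#{TOKEN}(?:\s+#{TOKEN})*\z/i

# Returns the filtered declaration list; anything not explicitly allowed is dropped.
def sanitize_style(style)
  return "" if style.nil?
  kept = []
  style.split(";").each do |decl|
    prop, value = decl.split(":", 2)
    next if prop.nil? || value.nil?
    prop = prop.strip.downcase
    value = value.strip
    # Property allow-list rejects background-image, width, behavior, -moz-binding, ...
    next unless ALLOWED_PROPERTIES.include?(prop)
    # Value pattern rejects expression(...), url(...) even on an allowed property.
    next unless value.match?(SAFE_VALUE)
    kept << "#{prop}: #{value}"
  end
  kept.join("; ")
end
```

Note that this only addresses script-bearing values; the UI-spoofing concern (absolute positioning over other elements) is why `position`, `top`, `left` and `z-index` are deliberately absent from the allow-list.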