# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1570552548 -7200
# Node ID 1f68287138e37c2f1b3a3d79b63f0cd7edd4519b
# Parent  1d719d4ef18f8811e525f319162f9eb47b45ef3e
mod_xhtmlim: Default to stripping @style attribute by default

Proper sanitation would require a CSS parser, easier and probably best
for everyone to just strip by default.

diff -r 1d719d4ef18f -r 1f68287138e3 mod_xhtmlim/README.markdown
--- a/mod_xhtmlim/README.markdown	Tue Oct 08 17:32:50 2019 +0100
+++ b/mod_xhtmlim/README.markdown	Tue Oct 08 18:35:48 2019 +0200
@@ -3,10 +3,13 @@
 
 This module attempts to sanitize XHTML-IM messages.
 
+It does **not** attempt to sanitize any CSS embedded in `style`
+attributes, these are instead stripped by default.
+
 Configuration
 =============
 
   Option                   Type      Default
   ------------------------ --------- ---------
-  `strip_xhtml_style`      boolean   `false`
+  `strip_xhtml_style`      boolean   `true`
   `bounce_invalid_xhtml`   boolean   `false`
diff -r 1d719d4ef18f -r 1f68287138e3 mod_xhtmlim/mod_xhtmlim.lua
--- a/mod_xhtmlim/mod_xhtmlim.lua	Tue Oct 08 17:32:50 2019 +0100
+++ b/mod_xhtmlim/mod_xhtmlim.lua	Tue Oct 08 18:35:48 2019 +0200
@@ -5,7 +5,7 @@
 local st = require "util.stanza";
 local url = require "socket.url";
 
-local no_styles = module:get_option_boolean("strip_xhtml_style", false);
+local no_styles = module:get_option_boolean("strip_xhtml_style", true);
 
 -- Tables from XEP-0071
 local xeptables = [[