# HG changeset patch # User Kim Alvefur # Date 1570552548 -7200 # Node ID 1f68287138e37c2f1b3a3d79b63f0cd7edd4519b # Parent 1d719d4ef18f8811e525f319162f9eb47b45ef3e mod_xhtmlim: Default to stripping @style attribute by default Proper sanitation would require a CSS parser, easier and probably best for everyone to just strip by default. diff -r 1d719d4ef18f -r 1f68287138e3 mod_xhtmlim/README.markdown --- a/mod_xhtmlim/README.markdown Tue Oct 08 17:32:50 2019 +0100 +++ b/mod_xhtmlim/README.markdown Tue Oct 08 18:35:48 2019 +0200 @@ -3,10 +3,13 @@ This module attempts to sanitize XHTML-IM messages. +It does **not** attempt to sanitize any CSS embedded in `style` +attributes, these are instead stripped by default. + Configuration ============= Option Type Default ------------------------ --------- --------- - `strip_xhtml_style` boolean `false` + `strip_xhtml_style` boolean `true` `bounce_invalid_xhtml` boolean `false` diff -r 1d719d4ef18f -r 1f68287138e3 mod_xhtmlim/mod_xhtmlim.lua --- a/mod_xhtmlim/mod_xhtmlim.lua Tue Oct 08 17:32:50 2019 +0100 +++ b/mod_xhtmlim/mod_xhtmlim.lua Tue Oct 08 18:35:48 2019 +0200 @@ -5,7 +5,7 @@ local st = require "util.stanza"; local url = require "socket.url"; -local no_styles = module:get_option_boolean("strip_xhtml_style", false); +local no_styles = module:get_option_boolean("strip_xhtml_style", true); -- Tables from XEP-0071 local xeptables = [[