changeset 3699:1f68287138e3

mod_xhtmlim: Default to stripping @style attribute by default Proper sanitation would require a CSS parser, easier and probably best for everyone to just strip by default.
author Kim Alvefur <zash@zash.se>
date Tue, 08 Oct 2019 18:35:48 +0200
parents 1d719d4ef18f
children 0fc208973f0f
files mod_xhtmlim/README.markdown mod_xhtmlim/mod_xhtmlim.lua
diffstat 2 files changed, 5 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/mod_xhtmlim/README.markdown	Tue Oct 08 17:32:50 2019 +0100
+++ b/mod_xhtmlim/README.markdown	Tue Oct 08 18:35:48 2019 +0200
@@ -3,10 +3,13 @@
 
 This module attempts to sanitize XHTML-IM messages.
 
+It does **not** attempt to sanitize any CSS embedded in `style`
+attributes, these are instead stripped by default.
+
 Configuration
 =============
 
   Option                   Type      Default
   ------------------------ --------- ---------
-  `strip_xhtml_style`      boolean   `false`
+  `strip_xhtml_style`      boolean   `true`
   `bounce_invalid_xhtml`   boolean   `false`
--- a/mod_xhtmlim/mod_xhtmlim.lua	Tue Oct 08 17:32:50 2019 +0100
+++ b/mod_xhtmlim/mod_xhtmlim.lua	Tue Oct 08 18:35:48 2019 +0200
@@ -5,7 +5,7 @@
 local st = require "util.stanza";
 local url = require "socket.url";
 
-local no_styles = module:get_option_boolean("strip_xhtml_style", false);
+local no_styles = module:get_option_boolean("strip_xhtml_style", true);
 
 -- Tables from XEP-0071
 local xeptables = [[