Allow style="" attribute and inline CSS in comments

Oct 15, 2010 21:14


Title
Allow style="" attribute and inline CSS in comments

Short, concise description of the idea
I would like to see the style="" attribute allowed in HTML tags in LJ comments. This tag is used for a variety of things, from color formatting to background images such as sparkletext.

Full description of the idea
The style="" attribute is being stripped ( Read more... )

html cleaner, markup, comments, § no status


Comments 15

(The comment has been removed)

trixieleitz October 29 2010, 08:22:18 UTC
A couple of weeks ago.

Reply

imc October 29 2010, 10:01:52 UTC
Ditto. I think I need to pay more attention to those changelog posts that scroll past unnoticed.

Just testing…

[Edit: even worse, the style shows up on the preview but not when it's posted.]

Reply

(The comment has been removed)


slothman October 29 2010, 05:29:58 UTC
This would be a good case for custom permission levels. By default, a journal or community should strip out styles and inline CSS in comments, but for someone who knows what they’re doing, they could disable that for friends / community members / authenticated users / everyone. That way, a neophyte will never have to worry about dealing with an attacker who uses a CSS exploit, but someone with experience can choose to relax the constraint as desired.

Reply

splitcomplex October 29 2010, 05:58:51 UTC
Ooh, this is a really good idea!

Reply

fiddlingfrog October 29 2010, 06:27:59 UTC
I liked this at first glance, but I realized the weakness in it is that communities with open membership would still be vulnerable to CSS exploits. And since the exploits attack readers rather than authors perhaps it should be up to readers whether or not they see CSS styling. Turn it off for not logged in readers, and follow a logged in users preferences. Pair that with the idea of the journal owner/community maintainers deciding who could use CSS, and I think you've got a pretty tight system.

Reply

just_chiara October 29 2010, 08:34:58 UTC
+1 to this!

Reply


pinterface October 29 2010, 21:05:23 UTC

CSS is useful. Blocking style attributes entirely is throwing the baby out with the bathwater. Which is silly, because who throws out bathwater? There's a drain in the tub for a reason! (And Perl modules for parsing CSS.)

To quote Evan from an e-mail way back in 2003 that discussed some of the issues with a CSS cleaner:

So, the situation is this:
- We can't strip CSS completely, because the users will bitch.
...

Ha!

Given the implementation of frivolities like Facebook and Twitter logins, I don't think there's any excuse for playing the "but it'd be hard and require developer time" card to avoid cleaning CSS properly. Integrating a proper CSS parser shouldn't take more than a couple of days. Figuring out what CSS to whitelist might take a little longer, but properly implemented shouldn't be any harder to change than the HTML tags are. And Mart's list from back then is still pretty good:

In fact, I'd go so far to say that we could just define a subset of CSS that we allow and deny everything else. Off the top of my head, the ( ... )

Reply
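The "define a subset of CSS that we allow and deny everything else" approach described above, as an added example that is not LiveJournal's code and not the list from the quoted e-mail (which is elided on this page): a Python cleaner for the decoded value of a style="" attribute. The property names, value grammars and the http(s)-only rule for background-image are assumptions chosen for the example. The cleaner drops any declaration whose property or value is outside its grammar, and throws the whole attribute away when it sees the structural tricks a whitelist alone can be talked past (backslash escapes such as `\65xpression`, CSS comments, at-rules, braces, unbalanced quotes).

```python
"""Whitelist cleaner for a style="" attribute value (added example; assumptions noted inline)."""
import re

# Value grammars. These are assumptions for this example, not LJ's rules or the e-mailed list.
_COLOR = (r"(?:[a-z]{3,20}|#[0-9a-f]{3}|#[0-9a-f]{6}"
          r"|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\))")
_LENGTH = r"(?:0|\d{1,3}(?:\.\d+)?(?:px|pt|em|%))"
_FONT_SIZE = (r"(?:" + _LENGTH +
              r"|xx-small|x-small|small|medium|large|x-large|xx-large|smaller|larger)")
_FONT_NAME = r"(?:[a-z][a-z0-9 -]{0,40}|\"[a-z][a-z0-9 -]{0,40}\"|'[a-z][a-z0-9 -]{0,40}')"
_FONT_FAMILY = _FONT_NAME + r"(?:\s*,\s*" + _FONT_NAME + r")*"
# Absolute http(s) URLs only: no javascript:/data: schemes, no parentheses or quotes inside.
_HTTP_URL = r"https?://[a-z0-9.\-/_~%?=&+]{1,200}"
_URL = r"url\(\s*(?:" + _HTTP_URL + r"|\"" + _HTTP_URL + r"\"|'" + _HTTP_URL + r"')\s*\)"
_DECORATION = (r"none|(?:underline|overline|line-through)"
               r"(?: (?:underline|overline|line-through)){0,2}")

# Properties that cannot reposition, overlay or script anything. position, width, height,
# z-index, display, behavior, -moz-binding and the background shorthand are deliberately absent.
ALLOWED_PROPERTIES = {
    name: re.compile(pattern, re.IGNORECASE)
    for name, pattern in {
        "color": _COLOR,
        "background-color": _COLOR,
        "background-image": _URL,   # policy choice: allows sparkletext, but the image host
                                    # then sees every reader's IP address
        "font-variant": r"normal|small-caps",
        "font-weight": r"normal|bold|bolder|lighter|[1-9]00",
        "font-style": r"normal|italic|oblique",
        "font-size": _FONT_SIZE,
        "font-family": _FONT_FAMILY,
        "text-decoration": _DECORATION,
        "text-align": r"left|right|center|justify",
    }.items()
}

# Backslash escapes, comments, at-rules, braces and markup characters are never needed
# by the grammars above, so their mere presence means someone is trying something.
_FORBIDDEN = re.compile(r"[\\<>@{}]|/\*|\*/")


def _split_declarations(style):
    """Split on ';' outside quotes. Returns None on an unbalanced quote."""
    decls, buf, quote = [], [], None
    for ch in style:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            decls.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quote:
        return None
    decls.append("".join(buf))
    return [d for d in decls if d.strip()]


def clean_style(style):
    """Return the whitelisted subset of a decoded style attribute value, or "" if nothing survives.

    Call this on the entity-decoded attribute value and re-escape the result when serializing;
    use the same function on the preview path and the post path so they cannot disagree.
    """
    if not style or _FORBIDDEN.search(style):
        return ""
    decls = _split_declarations(style)
    if decls is None:                      # unbalanced quote: drop the whole attribute
        return ""
    kept = []
    for decl in decls:
        name, sep, value = decl.partition(":")
        if not sep:
            continue                       # no colon: not a declaration
        name = name.strip().lower()
        value = " ".join(value.split())    # collapse tabs/newlines/runs of spaces
        rule = ALLOWED_PROPERTIES.get(name)
        if rule is None or not rule.fullmatch(value):
            continue                       # unknown property, or value outside its grammar
        kept.append(f"{name}: {value}")    # note: "red !important" fails the grammar and is dropped
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate small-caps use, one overlay attempt.
    print(clean_style("color: red; font-variant: small-caps"))
    print(repr(clean_style("position: fixed; top: 0; width: 100%; color: expression(alert(1))")))
```

Because the output is rebuilt from the parsed declarations rather than copied from the input, the cleaner never emits text it did not recognise, which is the property that matters when the HTML cleaner later serializes the attribute. Reader-side gating of the kind discussed in the thread is orthogonal: the server can store the cleaned value and simply omit the attribute for readers who have not opted in.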

(The comment has been removed)

pinterface October 30 2010, 00:51:00 UTC

Wow, 2006. Which shows you just how long it's been since I've looked at LJ's code--last time I was in there, that wasn't. :) (Ah, the days when the bugtracker was public.)

CSS::SAC has undergone some updates since then (probably all of them have), so it's likely to have improved. Though I'm not sure CSS::SAC's selector parsing is even relevant in this case: you can't put selectors in style attributes anyway. (And if there's a bug, surely it'd be easier to, ya know, fix the bug rather than start from scratch.)

Reply

charliemc October 30 2010, 19:15:57 UTC
If the LJ developers don't have a fix soon, I might just write it myself...

Please do!

Reply


innerbrat November 9 2010, 12:20:08 UTC
+1 to this. I've just had a large part of my fic/RP rendered incomprehensible because I can no longer use Small Caps.

Reply

