process_style_loom adds the style attribute to the HTML allowlist for any configured tag, but the sanitization config only allowlists attributes and doesn’t restrict which CSS properties/values are permitted. This effectively allows arbitrary inline CSS on those elements (including tags like table/td that previously didn’t allow style). Consider restricting allowed CSS properties to the configured set (e.g., via an nh3 attribute filter) or otherwise ensuring inline CSS is safely constrained. #79

Description

@matthiask

process_style_loom adds the style attribute to the HTML allowlist for any configured tag, but the sanitization config only allowlists attributes and doesn’t restrict which CSS properties/values are permitted. This effectively allows arbitrary inline CSS on those elements (including tags like table/td that previously didn’t allow style). Consider restricting allowed CSS properties to the configured set (e.g., via an nh3 attribute filter) or otherwise ensuring inline CSS is safely constrained.

Originally posted by @Copilot in #78 (comment)
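One way to constrain inline CSS along the lines the issue suggests, as an added example that is not part of the project's code: a pure-Python filter for the `style` value that keeps only an allowlisted set of CSS properties with conservatively shaped values, exposed through nh3's `attribute_filter` callback (which takes the element name, attribute name and value, and returns the new value or `None` to drop the attribute). The property allowlist, the tag/attribute sets and the sample HTML are constructed stand-ins for the project's configured set, not taken from the repository; nh3 is imported lazily so the filter itself runs without it.

```python
"""Restrict inline `style` to an allowlist of CSS properties (added example)."""
import re
from typing import Optional

# Constructed stand-in for the project's configured CSS property set.
ALLOWED_CSS_PROPERTIES = {"color", "text-align", "font-weight"}

# Conservative value shape: keywords, hex colours, lengths, percentages.
# Deliberately excludes quotes, parentheses, backslashes, slashes and
# asterisks, so url(), expression(), CSS escapes and comments cannot
# appear, and splitting declarations on ';' is unambiguous.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9#%.,\s-]+")


def filter_style(value: str) -> Optional[str]:
    """Return a rebuilt style string with only allowlisted declarations,
    or None when nothing survives (nh3 then drops the attribute)."""
    kept = []
    for declaration in value.split(";"):
        if ":" not in declaration:
            continue  # empty or malformed declaration
        prop, _, val = declaration.partition(":")
        prop = prop.strip().lower()
        val = val.strip()
        if prop not in ALLOWED_CSS_PROPERTIES:
            continue
        if not _SAFE_VALUE.fullmatch(val):
            continue
        kept.append(f"{prop}: {val}")
    return "; ".join(kept) or None


def attribute_filter(element: str, attribute: str, value: str) -> Optional[str]:
    """Callback with nh3's attribute_filter signature: only `style` is
    rewritten, every other already-allowlisted attribute passes through."""
    if attribute == "style":
        return filter_style(value)
    return value


def clean_html(html: str) -> str:
    """Sanitize with nh3, allowlisting `style` on table cells but routing
    every style value through filter_style. Tag and attribute sets are
    constructed for this example."""
    import nh3  # imported lazily so the filter above works without nh3

    return nh3.clean(
        html,
        tags={"table", "tr", "td", "p"},
        attributes={"td": {"style"}, "p": {"style"}},
        attribute_filter=attribute_filter,
    )


if __name__ == "__main__":
    # Constructed sample: the disallowed property and the escaped value are
    # dropped, the allowlisted declarations are kept and normalised.
    print(filter_style("COLOR:#fff; background-image: url(https://example.invalid/x.png); text-align:center"))
    print(filter_style("color: red\\0041"))
```

The filter is intentionally stricter than CSS itself (for instance `rgb(0, 0, 0)` is rejected because of the parentheses); if the configured set needs functional values, extend `_SAFE_VALUE` per property rather than loosening it globally, so the attribute allowlist never becomes a CSS allowlist by accident.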
