Blockcerts-verifier: Styling Whitelist

I’ve managed to use inline styling to get a decent display HTML up and running. As we scale, building HTML for certs with inline styles is going to be quite time-consuming. Does adding styles to the whitelist open availability to using those styles in a style tag, or are the style tags always removed by the sanitizer when displaying?

Thanks in advance!

Hi @ampatt97,

We made the choice to prevent style tags being part of displayHTML to reduce the amount of possible XSS attacks. Since a blockcert can be sent to users and run on their machine, we didn’t feel comfortable with the vulnerability.

At this point there is no reason to revisit this, but a well-argued and proven discussion as to why it is safe to have a style tag could convince us otherwise.
We based this decision on this sheet: https://owasp.org/www-community/xss-filter-evasion-cheatsheet but the sanitizer we use seems a bit more general.


Are script tags removed as well?

You bet they are, and for even more explicit reasons.
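The policy described in this thread (the `<style>` element is dropped, `<script>` even more so, while inline `style` attributes survive only for allowlisted properties) is easy to see in a small allowlist sanitizer. The following is an added illustration written for this thread; it is not the sanitizer blockcerts-verifier actually uses, and the tag, attribute and CSS-property allowlists, the `sanitizeHTML`/`sanitizeStyle` function names and the sample `displayHTML` string are all constructed for the example. It shows why stripping `<style>` is a cheap win for the defender: a style block can carry `url()` loads, `@import`, legacy `expression()` and similar tricks that are hard to inspect, whereas an inline declaration can be checked property by property.

```javascript
// Added example (not blockcerts-verifier code): an allowlist-based sanitizer for
// displayHTML-like markup. <style> and <script> elements are removed together with
// their contents; every other tag and attribute must be explicitly allowed, and an
// inline style attribute is reduced to the allowlisted CSS declarations it contains.

// Illustrative allowlists, chosen for this example only.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'h1', 'h2', 'h3', 'img', 'b', 'i', 'br', 'table', 'tr', 'td']);
const ALLOWED_ATTRS = new Set(['style', 'src', 'alt']);
const ALLOWED_CSS_PROPS = new Set(['color', 'background-color', 'font-size', 'font-family',
  'text-align', 'margin', 'padding', 'width', 'height', 'border']);
// Elements whose whole content is discarded, not just the tag itself.
const DROP_WITH_CONTENT = new Set(['style', 'script']);

// Keep only allowlisted declarations whose value cannot fetch or execute anything.
function sanitizeStyle(value) {
  const kept = [];
  for (const decl of value.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim();
    if (!ALLOWED_CSS_PROPS.has(prop)) continue;
    // Reject remote loads, legacy script-in-CSS and escape sequences in the value.
    if (/url\s*\(|expression\s*\(|javascript:|@import|\\/i.test(val)) continue;
    kept.push(`${prop}: ${val}`);
  }
  return kept.join('; ');
}

// Rebuild the attribute list of one start tag from the allowlist.
function sanitizeAttrs(raw) {
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const parts = [];
  let m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!ALLOWED_ATTRS.has(name)) continue; // drops on*= handlers, href=, etc.
    let clean;
    if (name === 'style') clean = sanitizeStyle(value);
    else if (name === 'src') clean = /^https:\/\/|^data:image\/(png|jpeg|gif);base64,/i.test(value) ? value : '';
    else clean = value;
    if (clean === '') continue;
    parts.push(` ${name}="${clean.replace(/"/g, '&quot;')}"`);
  }
  return parts.join('');
}

// Tokenize into comments, tags, text runs and stray '<', then filter.
function sanitizeHTML(html) {
  const out = [];
  let skipUntil = null; // name of the <style>/<script> element currently being skipped
  const tokenRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const tok = m[0];
    if (tok.startsWith('<!--')) continue; // comments carry nothing worth keeping
    if (m[1] === undefined) {             // text run or a lone '<'
      if (skipUntil === null) out.push(tok === '<' ? '&lt;' : tok);
      continue;
    }
    const name = m[1].toLowerCase();
    const isClose = tok[1] === '/';
    if (skipUntil !== null) {             // inside <style> or <script>: drop everything
      if (isClose && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!isClose) skipUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag dropped, its text content kept
    out.push(isClose ? `</${name}>` : `<${name}${sanitizeAttrs(m[2])}>`);
  }
  return out.join('');
}

// Constructed sample displayHTML mixing legitimate styling with things the policy rejects.
const CONSTRUCTED_DISPLAY_HTML = [
  '<style>body { background: url(https://evil.example/track.png) }</style>',
  '<div style="color: #333; background-image: url(https://evil.example/x); font-size: 14px">',
  '<h1 style="text-align: center">Certificate of Completion</h1>',
  '<script>alert(1)</script>',
  '<img src="https://certs.example/logo.png" onerror="alert(1)" alt="logo">',
  '<p style="color: red; behavior: url(xss.htc)">Awarded to <b>Jane Doe</b></p>',
  '</div>',
].join('');

function demo() {
  return sanitizeHTML(CONSTRUCTED_DISPLAY_HTML);
}

console.log(demo());
```

A regex tokenizer like this one is fine for showing the policy but not for production: real sanitizers work on a parsed DOM so that quoting tricks and malformed tags cannot smuggle a `>` past the tag matcher. The observation the thread makes still holds either way: an inline `style` attribute can be reduced to a list of known-safe property/value pairs, while a `<style>` element would have to be parsed as a full stylesheet before anything about it could be trusted.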