Style from Image Tags are being removed
#1

[eluser]Unknown[/eluser]
Hey Guys,

Do you know when I submit an image HTML tag using CodeIgniter, it removes any styles that are associated with it? Just found a bug in posting blog posts in my CMS system. When there are pictures: If you align the picture left, it shows left, and it should insert it properly aligned left. But CodeIgniter removes the style tags completely from the image.

It's supposed to work like this. http://admin.kickradio.ca/test.php <--- Without CodeIgniter

When inserting I just have the standard.


Know what I mean?
Code:
$inputdata = array(
        'title' => $this->input->post('title'),
        'content' => $this->input->post('entry'),
        'author' => $sessionid,
        'default_image' => $this->input->post('default_file'),
        'files' => $all_files,
        'section' => $sections,
        'public' => $this->input->post('published'),
        'comments' => $this->input->post('comments'),
        'hostblog' => $this->input->post('hostblog')
);

$this->db->insert('blog', $inputdata);
#2

[eluser]osci[/eluser]
in system/core/Security.php
Code:
protected function _remove_evil_attributes($str, $is_image)
{
   // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
   $evil_attributes = array('on\w*', 'style', 'xmlns');
//........
//........

It strips the style attribute by default.
I don't know how it should be handled from a security point of view.
The more insecure option is removing 'style' from there.
In another post they hard-coded the allowed controllers/methods and checked against them to decide whether to strip style or not. But I didn't like that much either although I haven't figured a better way.
#3

[eluser]Unknown[/eluser]
I fixed it.. I had Global XSS Filter turned on.

Thanks though!
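
Added example, not from the thread and not CodeIgniter code: an alternative to the all-or-nothing choice discussed above (strip every style attribute, or turn the filter off) is to allowlist which attributes and CSS declarations an image tag may keep. The function name, the allowlists and the sample input are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not part of CodeIgniter's API.
function sanitize_img_tags(string $html): string
{
    $allowedAttrs = ['src', 'alt', 'width', 'height', 'style'];
    // Each permitted CSS property maps to the only value shape it may take.
    $allowedCss = [
        'float'  => '/^(left|right|none)$/',
        'margin' => '/^\d{1,3}px( \d{1,3}px){0,3}$/',
        'width'  => '/^\d{1,4}(px|%)$/',
        'height' => '/^\d{1,4}(px|%)$/',
    ];
    libxml_use_internal_errors(true); // tolerate sloppy editor HTML
    $doc = new DOMDocument();
    // Wrap the fragment so it can be pulled back out after parsing.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
        foreach (iterator_to_array($img->attributes, false) as $attr) {
            if (!in_array(strtolower($attr->nodeName), $allowedAttrs, true)) {
                $img->removeAttribute($attr->nodeName); // on*, xmlns, ...
            }
        }
        // Only site-relative or http(s) image URLs survive.
        if (!preg_match('#^(https?://|/(?!/))#i', $img->getAttribute('src'))) {
            $img->removeAttribute('src');
        }
        $kept = [];
        foreach (explode(';', $img->getAttribute('style')) as $decl) {
            $parts = explode(':', $decl, 2);
            if (count($parts) !== 2) { continue; }
            $prop  = strtolower(trim($parts[0]));
            $value = strtolower(trim($parts[1]));
            if (isset($allowedCss[$prop]) && preg_match($allowedCss[$prop], $value)) {
                $kept[] = "$prop: $value";
            }
        }
        $img->removeAttribute('style'); // re-add only what passed the allowlist
        if ($kept) {
            $img->setAttribute('style', implode('; ', $kept));
        }
    }
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Constructed sample input: alignment is kept, the rest is dropped.
echo sanitize_img_tags('<img src="/uploads/a.jpg" style="float:left; background:url(x)" onclick="x()">');
```

Other tags in the post body pass through this function unchanged, so it complements a general HTML sanitizer and does not replace one.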



