After security library update, xss_clean() messes up all editor contents.

[eluser]Twisted1919[/eluser]
As the title says, the new update to the security class adds a new method call in xss_clean() (_remove_evil_attributes()) which practically strips out any style tag that is appended to the HTML content.

For example, I use CKEditor, and before this update I could easily have something like this in the editor:
Code:
<div style="width:400px;float:left">
CONTENT HERE
</div>

But now the XSS filter just removes the style tag, so I ended up with a lot of broken pages until I realized what was happening and whose fault it was (I suspected CKEditor at first).

In order to fix this, I had to use HTML Purifier instead of xss_clean() for the fields where I use a text editor.

I don't really like using HTML Purifier because it is a beast on memory usage, but I cannot alter the xss_clean() method because I know the style tag can be dangerous too, so it seems to me that this is the only way of being able to preserve the HTML content of a page.

Hope this info helps someone else :)
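The HTML Purifier route described in the post above, written out as an added example; this is not code from the original post, from CodeIgniter, or from the HTML Purifier project. It assumes HTML Purifier is installed through Composer (package ezyang/htmlpurifier) and autoloaded from vendor/autoload.php; the function name purify_editor_html and the sample inputs are made up for illustration. The point it shows is the difference between stripping the whole style attribute (what the poster hit with xss_clean()) and keeping the attribute while allowlisting the CSS properties inside it, so the CKEditor layout survives but dangerous property values do not.

```php
<?php
// Added example, not from the original post or from CodeIgniter.
// Assumes HTML Purifier was installed via Composer (ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Sanitise HTML coming from a rich-text editor field.
 *
 * Instead of dropping every style attribute, keep it on a few block
 * elements and allow only the CSS properties an editor layout needs.
 * Anything not on the lists (other tags, event handlers, other CSS
 * properties, non-http(s) URLs) is removed by HTML Purifier.
 */
function purify_editor_html(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Tag/attribute allowlist. "style" is permitted only where listed;
    // onclick and friends are never in the list, so they are dropped.
    $config->set(
        'HTML.Allowed',
        'div[style],p[style],span[style],br,strong,em,ul,ol,li,a[href]'
    );

    // CSS property allowlist for the style attribute. Properties such as
    // behavior, -moz-binding or background are not listed and are stripped.
    $config->set(
        'CSS.AllowedProperties',
        'width,height,float,text-align,margin,padding'
    );

    // Links may only use http/https: blocks javascript: and data: hrefs.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Cache the parsed HTML/CSS definitions on disk. Rebuilding them on
    // every request is the bulk of HTML Purifier's memory and CPU cost.
    // The directory must exist and be writable by the web server user.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed samples: the poster's legitimate CKEditor markup, and a
// payload that abuses the same style attribute plus an inline handler.
$legit = '<div style="width:400px;float:left">CONTENT HERE</div>';
$evil  = '<div style="width:400px;behavior:url(x.htc);background:url(javascript:alert(1))">'
       . '<a href="javascript:alert(2)" onclick="alert(3)">x</a></div>';

echo purify_editor_html($legit), PHP_EOL;
echo purify_editor_html($evil), PHP_EOL;
```

In a CodeIgniter controller this would be applied only to the editor fields, while xss_clean() keeps handling every other input; the cost the poster complains about is paid once per editor submission, not per request, and the serializer cache keeps that cost to the purify call itself. The CSS allowlist is the part worth reviewing in each deployment: every property added to it is one more value an attacker controls inside the rendered page.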



