[eluser]35mm[/eluser]
I am setting up a public profile system where people can use the Redactor WYSIWYG editor to create a bio and include images etc. Redactor adds inline styles to the content, which CI's xss filter is stripping out. As well as CI's xss filter, I am also using HTML Purifier and some custom filtering. Given that the system is open to abuse from anyone who registers, it needs protecting!
1. Why would CI's xss filter regard an inline style as a threat? What are the potential implications of not filtering inline styles?
2. Has anyone come up with a best practice method of disabling CI's xss filtering on styles on a temporary basis when global filtering is on? I know I could hack the class file, but that's not an ideal solution and would be permanent.