Why does the XSS filter strip inline styles and is there a best practice to prevent it?
#1

[eluser]35mm[/eluser]
I am setting up a public profile system where people can use the Redactor WYSIWYG editor to create a bio and include images etc. Redactor adds inline styles to the content which CI's XSS filter is stripping out. As well as CI's XSS filter I am also using HTMLPurifier and some custom filtering. Given that the system is open to abuse from anyone who registers, it needs protecting!

1. Why would CI's XSS filter regard an inline style as a threat? What are the potential implications of not filtering inline styles?

2. Has anyone come up with a best practice method of disabling CI's XSS filtering on styles on a temporary basis when global filtering is on? I know I could hack the class file, but that's not an ideal solution and would be permanent.
#2

[eluser]CroNiX[/eluser]
There are lots of situations where enabling *global* XSS clean can bite you. I leave it globally disabled and only use it manually where I need it, such as setting the 2nd parameter of input::post() to TRUE when reading input, using xss_clean as a form validation rule, etc. A *tad* more code, but you have complete control and don't run into these anomalies, or at least you can easily work around them when you do.
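To put both posts together in code: CI's xss_clean does not parse CSS, so it removes the whole `style` attribute rather than trying to judge its contents (a `style` value can carry `expression()` or `behavior:` in legacy IE, `url(javascript:...)` in old browsers, or `position:absolute` overlays that cover the site's own controls). The selective approach CroNiX describes lets the plain-text fields go through xss_clean while the rich-text bio goes through HTMLPurifier with an explicit allow-list of elements, attributes and CSS properties. The controller below is an added example for CodeIgniter 2.x, not code from either poster; it assumes `global_xss_filtering` is set to FALSE in config/config.php, and the field names, the `Profile_model`, and the HTMLPurifier include path are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes config/config.php has
// $config['global_xss_filtering'] = FALSE; so every field below is cleaned
// deliberately rather than by the global hook.
class Profile extends CI_Controller
{
    public function save()
    {
        $this->load->library('form_validation');
        $this->load->library('security');
        $this->load->model('profile_model'); // hypothetical model

        // Plain-text fields: CI's own xss_clean fits. Passing TRUE as the
        // second argument runs $this->security->xss_clean() on this value only.
        $display_name = $this->input->post('display_name', TRUE);

        // The same idea expressed as a validation rule (CI 2.x ships xss_clean
        // as a form_validation rule).
        $this->form_validation->set_rules('display_name', 'Display name', 'required|max_length[64]|xss_clean');
        $this->form_validation->set_rules('website', 'Website', 'trim|prep_url|xss_clean');

        // The rich-text bio is read RAW (second argument FALSE) so Redactor's
        // inline styles survive; HTMLPurifier then decides what is allowed.
        $raw_bio = $this->input->post('bio', FALSE);
        $bio     = $this->purify_bio($raw_bio);

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('profile/edit', array('bio' => $bio));
            return;
        }

        $this->profile_model->save(array(
            'display_name' => $display_name,
            'website'      => $this->input->post('website', TRUE),
            'bio'          => $bio,
        ));
        redirect('profile/view');
    }

    /**
     * Sanitise editor HTML with an allow-list. HTMLPurifier parses the CSS in
     * style="" and keeps only the listed properties, so the dangerous values
     * that xss_clean guards against by deleting the attribute are dropped
     * while harmless formatting is preserved.
     */
    private function purify_bio($html)
    {
        // Hypothetical install location of HTMLPurifier's autoloader.
        require_once APPPATH . 'third_party/htmlpurifier/HTMLPurifier.auto.php';

        $config = HTMLPurifier_Config::createDefault();

        // Only the elements/attributes the editor actually emits; style is
        // permitted on p and img only.
        $config->set('HTML.Allowed',
            'p[style],br,b,strong,i,em,u,ul,ol,li,a[href],img[src|alt|style]');

        // Layout-harmless CSS only. position, z-index, opacity and similar are
        // deliberately absent so a bio cannot be placed over the site's own UI.
        $config->set('CSS.AllowedProperties',
            'text-align,font-weight,font-style,text-decoration,width,height');

        // Links and image sources restricted to http(s); this removes
        // javascript: and data: URIs regardless of how they are encoded.
        $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));

        // HTMLPurifier caches its parsed definitions; point it at a writable dir.
        $config->set('Cache.SerializerPath', APPPATH . 'cache');

        $purifier = new HTMLPurifier($config);
        return $purifier->purify($html);
    }
}
```

The value of splitting the two paths is that xss_clean stays in place for everything that never needed styles, while the one field that does is handled by a library that understands HTML and CSS structure instead of stripping by pattern. If the editor later needs another property (say `color`), it is added to `CSS.AllowedProperties` rather than by loosening the filter globally.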
