mod_xhtmlim: Default to stripping @style attribute by default Proper sanitation would require a CSS parser, easier and probably best for everyone to just strip by default.

author: Kim Alvefur <zash@zash.se>
date: Tue, 08 Oct 2019 18:35:48 +0200
parent: 2865:f6ed4421167d
--- a/mod_xhtmlim/README.markdown	Tue Oct 08 17:32:50 2019 +0100
+++ b/mod_xhtmlim/README.markdown	Tue Oct 08 18:35:48 2019 +0200
@@ -3,10 +3,13 @@
 
 This module attempts to sanitize XHTML-IM messages.
 
+It does **not** attempt to sanitize any CSS embedded in `style`
+attributes, these are instead stripped by default.
+
 Configuration
 =============
 
   Option                   Type      Default
   ------------------------ --------- ---------
-  `strip_xhtml_style`      boolean   `false`
+  `strip_xhtml_style`      boolean   `true`
   `bounce_invalid_xhtml`   boolean   `false`