mod_xhtmlim: Default to stripping @style attribute by default
Proper sanitation would require a CSS parser, easier and probably best
for everyone to just strip by default.
--- a/mod_xhtmlim/README.markdown Tue Oct 08 17:32:50 2019 +0100
+++ b/mod_xhtmlim/README.markdown Tue Oct 08 18:35:48 2019 +0200
@@ -3,10 +3,13 @@
This module attempts to sanitize XHTML-IM messages.
+It does **not** attempt to sanitize any CSS embedded in `style`
+attributes, these are instead stripped by default.
+
Configuration
=============
Option Type Default
------------------------ --------- ---------
- `strip_xhtml_style` boolean `false`
+ `strip_xhtml_style` boolean `true`
`bounce_invalid_xhtml` boolean `false`
--- a/mod_xhtmlim/mod_xhtmlim.lua Tue Oct 08 17:32:50 2019 +0100
+++ b/mod_xhtmlim/mod_xhtmlim.lua Tue Oct 08 18:35:48 2019 +0200
@@ -5,7 +5,7 @@
local st = require "util.stanza";
local url = require "socket.url";
-local no_styles = module:get_option_boolean("strip_xhtml_style", false);
+local no_styles = module:get_option_boolean("strip_xhtml_style", true);
-- Tables from XEP-0071
local xeptables = [[