DomSanitizer should keep style attributes in HTML, but sanitize them if needed


I’m submitting a…


[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report  
[ x ] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead see https://github.com/angular/angular/blob/master/CONTRIBUTING.md#question

Current behavior

DOM sanitizer removes style attribute from all elements.

Expected behavior

DOM sanitizer keeps the style attribute on elements, but sanitizes the actual style value if needed, so something innocuous like style="text-align: center" isn’t lost.

Minimal reproduction of the problem with instructions

http://plnkr.co/edit/AjJMr2pDz8IxvucnpTbC?p=preview

What is the motivation / use case for changing the behavior?

Displaying blog posts or other CMS content which uses inline styles for layout/styling.

Environment


Angular version: 4.3.6

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 65
  • Comments:6 (2 by maintainers)

Top GitHub Comments

23 reactions
Jahrenski commented, Apr 24, 2018

Totally relevant because the only way to allow styles at the moment is to entirely trust the input. The use case for this is displaying user input from a rich text editor. I want to strip any dangerous bits about javascript, resourceURL and the such but keep the style attributes intact.

2 reactions
amaestr0 commented, Mar 4, 2022

Thanks for reporting this issue. This issue is now obsolete due to changes in the recent releases. Please update to the most recent Angular version.

If the problem still exists in your application, please open a new issue and follow the instructions in the issue template.

@jessicajaniuk Updated Angular to the latest stable version, which is now 13.2.5, and still have the issue - DomSanitizer still removes the style attr from the HTML element in SecurityContext.HTML, so opening a new issue.
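
As an added illustration of the behavior this issue requests (not code from Angular or from anyone in the thread): a TypeScript filter that keeps a `style` attribute value only for allowlisted properties whose values match strict patterns. The name `sanitizeStyle`, the property list and the value patterns are assumptions made for the example.

```typescript
// Added example: allowlist filter for the value of a style="" attribute.
// The property list and value patterns are assumptions for illustration.
const COLOR = /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$/;
const LENGTH = /^\d{1,3}(\.\d{1,2})?(px|pt|em|rem|%)$/;

const ALLOWED_STYLES: Record<string, RegExp> = {
  "text-align": /^(left|right|center|justify)$/,
  "font-weight": /^(normal|bold|[1-9]00)$/,
  "font-style": /^(normal|italic)$/,
  "text-decoration": /^(none|underline|line-through)$/,
  "color": COLOR,
  "background-color": COLOR,
  "font-size": LENGTH,
  "margin-left": LENGTH,
};

function sanitizeStyle(style: string): string {
  const kept: string[] = [];
  for (const declaration of style.split(";")) {
    const colon = declaration.indexOf(":");
    if (colon < 0) continue; // empty piece or no "property: value" pair
    const property = declaration.slice(0, colon).trim().toLowerCase();
    const value = declaration.slice(colon + 1).trim().toLowerCase();
    // Own-property guard: names such as "constructor" or "__proto__"
    // must not resolve to members inherited from Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_STYLES, property)) continue;
    // Anchored patterns cannot match url(...), expression(...), CSS
    // escapes, comments, quotes or !important, so those are dropped.
    const pattern = ALLOWED_STYLES[property];
    if (pattern && pattern.test(value)) {
      // Emit only the validated tokens, so differences between this
      // split and a browser's CSS parser cannot pass raw input through.
      kept.push(`${property}: ${value}`);
    }
  }
  return kept.join("; ");
}
```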
