Disable x-style in some parts of the DOM

[alarbada]

Following this: https://htmx.org/docs/#security

This library looks really interesting! But I believe it could have some security issues with uploaded user html from a WYSIWYG, for example.

[samwillis]

Good catch, I will add a similar 'x-style-disable' attribute.

Realistically, user submitted html needs to be going through an "allow list" (rather than block list) of elements and attributes. But not everyone is that thorough though.

[mindplay-dk]

Is this really a security concern? how so?

I mean, is it more of a concern that allowing style?

As Sam said, allow-listing user-submitted HTML is typically done to sanitize against real dangers like onclick etc.