Allowed HTML Filter kills the Style

I'm going to file this one under "Things I didn't know but make complete sense". I was sitting in #drupal-support today answering random questions when someone asked why the "Filtered HTML" filter was removing all of their custom formatting despite them having explicitly added in all the correct tags.

It turns out that Drupal's "HTML filter" (the filter behind the "Filtered HTML" input format) deliberately removes the "style" attribute from every tag, even from tags on the allowed list, for security reasons. A quick Google search pulled this up:

"The reason why filter.module removes style tags is simple: some dumb browsers allow JavaScript inside stylesheets, for example "font-size:expression(prompt('Enter a font name:', 'Arial'));". Using that you could execute potentially harmful JavaScript code that allows for XSS"

Why do I have this feeling that "dumb browsers" means IE?
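To make the rule concrete, here is an added example (not code from Drupal's filter.module) of a minimal allow-list HTML filter that behaves the way the explanation above describes: tags not on the allowed list are stripped while their text is kept, and on allowed tags only a short list of attributes survives, so "style", every on* handler and anything else unknown is dropped. The tag, attribute and scheme lists are my own assumptions for illustration; the sample inputs are constructed and include the expression() payload from the quote.

```javascript
// Added example, not Drupal's filter.module: a minimal allow-list HTML filter.
// ALLOWED_TAGS / ALLOWED_ATTRS / ALLOWED_SCHEMES are assumed lists for
// illustration, not Drupal's defaults.
const ALLOWED_TAGS = new Set([
  'a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd',
  'p', 'div', 'span', 'img',
]);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title', 'class']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'ftp', 'mailto']);

// A URL is acceptable if it is relative or uses an allow-listed scheme.
// Control characters and whitespace are removed first so that a value such
// as "java\tscript:" cannot slip past the scheme check.
function safeUrl(value) {
  const cleaned = value.replace(/[\x00-\x20]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!scheme) return true;
  return ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
}

// Rebuild one opening tag from its allowed attributes only. Anything not in
// ALLOWED_ATTRS (style, onerror, onclick, ...) is silently discarded.
function filterAttributes(tag, attrText) {
  const kept = [];
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;
    const value = m[2] === undefined ? '' : m[2].replace(/^["']|["']$/g, '');
    if ((name === 'href' || name === 'src') && !safeUrl(value)) continue;
    kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

// Walk every tag in the input: drop disallowed tags entirely (their text
// content stays behind as inert text), rewrite allowed ones.
function filterHtml(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (match, name, attrText) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (match.startsWith('</')) return `</${tag}>`;
    return filterAttributes(tag, attrText);
  });
}

// Constructed sample inputs: the expression() payload from the quoted
// explanation, plus a few other things the same attribute rule catches.
const samples = [
  '<div style="font-size:expression(prompt(\'Enter a font name:\', \'Arial\'));">text</div>',
  '<a href="javascript:alert(1)" title="link">click</a>',
  '<img src="/pic.png" onerror="alert(1)">',
  '<em class="note">kept as-is</em>',
];
for (const s of samples) console.log(filterHtml(s));
```

Two caveats a practitioner should keep in mind: this example does not decode HTML entities before checking the URL scheme, and its tag regex assumes no ">" inside attribute values, both of which a production filter such as Drupal's handles more carefully. The point it demonstrates is the one from the quote: because a style attribute could carry script in a browser that understands expression(), the simplest safe rule is to never let "style" through at all rather than to try to sanitize its contents.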

Of course, inline styles (e.g. <div style="font-weight:bold">) should be avoided anyway: they mix presentation into the content, and, as the quote above shows, a style attribute can carry script in browsers that support expression() (an Internet Explorer extension, removed in IE8's standards mode). So don't use them; use classes and your CSS file instead. If you're using TinyMCE, disable all the buttons that let you set font size, color, weight, etc. directly, and instead instruct TinyMCE to apply CSS classes. You can configure this at the bottom of the TinyMCE module configuration.
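As an added illustration (not the Drupal TinyMCE module's own configuration), here is the equivalent raw tinyMCE.init() setup, with the toolbar that writes inline styles shown beside a toolbar that offers only class-based styles. The option names (theme_advanced_buttons1, theme_advanced_styles, content_css) are those of TinyMCE 3's "advanced" theme and are assumed here; the class names and stylesheet path are placeholders.

```javascript
// Added example, not the Drupal TinyMCE module's settings. Option names are
// assumed from TinyMCE 3's "advanced" theme; class names and the CSS path
// are placeholders for the site's own stylesheet.

// Buttons that make the editor emit style="..." on the element. The HTML
// filter strips that attribute, so these buttons only produce formatting
// that disappears on save.
const INLINE_STYLE_BUTTONS = new Set(['fontselect', 'fontsizeselect', 'forecolor', 'backcolor']);

// Weak setting: authors can pick fonts, sizes and colours, all of which
// become inline styles.
const weakToolbar = 'bold,italic,underline,fontselect,fontsizeselect,forecolor,backcolor,link,unlink';

// Corrected setting: the styleselect dropdown applies classes defined in
// theme_advanced_styles, and class survives the filter.
const hardenedToolbar = 'bold,italic,styleselect,bullist,numlist,link,unlink';

const hardenedConfig = {
  mode: 'textareas',
  theme: 'advanced',
  theme_advanced_buttons1: hardenedToolbar,
  theme_advanced_buttons2: '',
  theme_advanced_buttons3: '',
  // "Label=classname" pairs shown in the styleselect dropdown (assumed names).
  theme_advanced_styles: 'Callout=callout;Note=note;Lead paragraph=lead',
  // Stylesheet loaded inside the editor so the classes render while editing (assumed path).
  content_css: '/sites/all/themes/mytheme/editor.css',
};

// Lint helper: list the buttons in a toolbar string that would generate
// inline style attributes, so a config can be checked before it ships.
function inlineStyleButtons(buttonList) {
  return buttonList.split(',').map((b) => b.trim()).filter((b) => INLINE_STYLE_BUTTONS.has(b));
}

// Only initialise the editor when TinyMCE is actually loaded on the page.
if (typeof tinyMCE !== 'undefined') tinyMCE.init(hardenedConfig);
```

Running inlineStyleButtons over each toolbar string shows the difference: the weak toolbar reports four offending buttons, the hardened one none.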
