I'm attempting to use jsoup to sanitize the HTML posted from a WYSIWYG editor in my client (TinyMCE, as it happens).
The relaxed mode appears not to be relaxed enough, as by default it strips span elements and any style attributes.
e.g.
String text = "<p style=\"color: #ff0000;\">foobar</p>";
Jsoup.clean(text, Whitelist.relaxed());
would output
<p>foobar</p>
and
<span>foobar</span>
would be removed entirely.
Does anyone have any experience of using Jsoup to eradicate the possibility of XSS attacks and still allow the above elements and attributes through?
Edit: I have gone with the following. Could anyone advise on how vulnerable this is?
Jsoup.clean(pitch, Whitelist.relaxed().addTags("span").addAttributes(":all","style"));
Edit 2: Has anybody used the OWASP library in production? It looks to correctly sanitize while preserving the correct styling.
It seems that it is possible to have XSS using the style attribute.
XSS attacks and style attributes
http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
http://www.acunetix.com/websitesecurity/cross-site-scripting.htm (Look at the DIV section, which I would assume works the same for SPAN)
Here is some code I wrote to test the example in the last link.
text = "<span style=\"width: expression(alert('XSS'));\">";
System.out.println(Jsoup.clean(text, org.jsoup.safety.Whitelist.relaxed().addTags("span").addAttributes(":all","style")));
It outputs the input exactly. If that is truly an XSS vector, then you could still be in trouble.
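The sanitizer posted in the question and tested in the answer above lets any style value through once the style attribute is allowed, because jsoup's safelist only decides which attributes survive, not what CSS they may contain. The following is an added example, not code from the question, the answer or the jsoup project: it keeps the relaxed safelist plus span and style, then post-filters each style attribute against an allowlist of CSS properties and a value pattern that admits only hex colours, plain keywords and simple lengths. Because parentheses, quotes and slashes never match, expression(...), url(...) and javascript: payloads are dropped while TinyMCE's ordinary inline formatting is kept. The class name, the property list and the test inputs are assumptions of this example; it assumes jsoup 1.14.1 or newer, where Whitelist was renamed Safelist (substitute Whitelist on older versions).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

public class StyleSanitizer {

    // Hypothetical allowlist: the inline properties TinyMCE formatting actually needs.
    // Anything not listed here (width, position, behavior, background, ...) is dropped.
    private static final Set<String> ALLOWED_PROPS = new HashSet<>(Arrays.asList(
            "color", "background-color", "font-weight", "font-style",
            "text-decoration", "text-align"));

    // A value is either a hex colour, a bare keyword, or a simple number with an
    // optional unit, optionally followed by more colours/keywords. No '(', ')', quotes,
    // '/', '\\' or ':' can match, so expression(), url(), javascript: and CSS escapes
    // are rejected by construction rather than by a denylist.
    private static final Pattern SAFE_VALUE = Pattern.compile(
            "^(#[0-9a-fA-F]{3,6}|[a-zA-Z-]+|-?\\d+(\\.\\d+)?(px|em|%)?)"
          + "( (#[0-9a-fA-F]{3,6}|[a-zA-Z-]+))*$");

    // Step 1: structural cleaning with jsoup (tags, attributes, URL protocols).
    // Step 2: re-parse the cleaned fragment and filter every surviving style value.
    public static String sanitize(String html) {
        Safelist safelist = Safelist.relaxed()
                .addTags("span")
                .addAttributes(":all", "style");
        Document doc = Jsoup.parseBodyFragment(Jsoup.clean(html, safelist));
        for (Element el : doc.select("[style]")) {
            String filtered = filterStyle(el.attr("style"));
            if (filtered.isEmpty()) {
                el.removeAttr("style");      // nothing safe left: drop the attribute
            } else {
                el.attr("style", filtered);  // rewrite with only the allowed declarations
            }
        }
        return doc.body().html();
    }

    // Splits "prop: value; prop: value" and keeps only allowlisted property/value pairs.
    static String filterStyle(String style) {
        StringBuilder kept = new StringBuilder();
        for (String decl : style.split(";")) {
            int colon = decl.indexOf(':');
            if (colon < 0) {
                continue;                    // malformed declaration, ignore it
            }
            String prop = decl.substring(0, colon).trim().toLowerCase();
            String value = decl.substring(colon + 1).trim();
            if (ALLOWED_PROPS.contains(prop) && SAFE_VALUE.matcher(value).matches()) {
                if (kept.length() > 0) {
                    kept.append("; ");
                }
                kept.append(prop).append(": ").append(value);
            }
        }
        return kept.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs for this example, not real TinyMCE output.
        // The colour on the paragraph is kept; the width/expression() declaration on the
        // span is removed, so the span survives but without a style attribute.
        System.out.println(sanitize("<p style=\"color: #ff0000;\">foobar</p>"));
        System.out.println(sanitize("<span style=\"width: expression(alert('XSS'));\">x</span>"));
    }
}
```

Two caveats for anyone adopting this: CSS expression() only ever executed in old Internet Explorer, so the specific vector tested above is a legacy one, but the allowlisting still matters because style can also carry url() and IE behavior: payloads; and a property/value allowlist is deliberately conservative, so values such as rgb(255, 0, 0) are rejected until you decide to add a pattern for them. If TinyMCE output needs more properties, extend ALLOWED_PROPS and SAFE_VALUE rather than loosening the matcher to accept parentheses.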