I recently plugged in PageDown to sanitize some HTML input coming from a textarea, and I noticed that it trims out "style" elements.
I was just wondering why these are considered unsafe?
IE has a special CSS feature that allows JavaScript to be embedded within CSS. This alone would be reason enough to want to ban <style> tags.

"behavior:" expressions can also be entered into the style attribute, so you should make sure that you either remove style attributes from your whitelist, or whitelist specific styles. You should not attempt to blacklist styles because there are a few ways script can make its way into styles, and there are plans to add more in the future.
Also, as others mentioned you can completely change the look of a page using CSS. I can't think of any way this could be harmful without also allowing some other markup (like a <form> tag) but given enough creativity I'm sure a malicious person could come up with some ideas.
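The whitelist approach the answer recommends, shown as an added example that is not part of the original answer and not PageDown's own sanitizer code. It keeps only an assumed allowlist of inline-style properties (ALLOWED_PROPERTIES) whose values match a deliberately narrow grammar (SAFE_VALUE), so anything the allowlist does not name, including "behavior:" declarations and expression() values, is dropped rather than pattern-matched against a blacklist. The property names, the value grammar and the sample inputs are all my own constructed choices for illustration.

```javascript
// Allowlist of inline-style properties considered harmless for user content.
// This set is an assumption for the example; pick the subset your app needs.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-weight', 'font-style',
  'text-align', 'text-decoration',
]);

// Narrow value grammar: plain keywords, hex colours, rgb() with integer
// components, or a simple number with an optional unit. No url(), no
// parentheses other than rgb(), no comments, no escapes. Anything else is
// rejected rather than "cleaned", which is the whole point of allowlisting.
const SAFE_VALUE =
  /^(?:[a-z-]+|#[0-9a-f]{3,6}|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\)|\d+(?:\.\d+)?(?:px|em|%)?)$/i;

// Rebuild a style attribute from scratch, keeping only allowlisted
// property/value pairs. Returns '' when nothing survives, so the caller can
// drop the attribute entirely.
function sanitizeStyleAttribute(style) {
  const kept = [];
  for (const declaration of String(style).split(';')) {
    const colon = declaration.indexOf(':');
    if (colon === -1) continue; // not a "prop: value" declaration
    const prop = declaration.slice(0, colon).trim().toLowerCase();
    const value = declaration.slice(colon + 1).trim();
    if (!ALLOWED_PROPERTIES.has(prop)) continue; // e.g. "behavior", "width"
    if (!SAFE_VALUE.test(value)) continue;       // e.g. expression(...), url(...)
    kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Browser-side helper (assumed usage, not PageDown's API): apply the filter to
// every element carrying a style attribute under `root`, after the HTML has
// been parsed into a DOM and <style> elements have already been removed.
function sanitizeInlineStylesIn(root) {
  for (const el of root.querySelectorAll('[style]')) {
    const clean = sanitizeStyleAttribute(el.getAttribute('style'));
    if (clean) el.setAttribute('style', clean);
    else el.removeAttribute('style');
  }
}

// Constructed sample inputs showing what survives and what is dropped.
function demo() {
  return [
    'color: red; behavior: url(example.htc)',   // behavior: is not allowlisted
    'width: expression(alert(1))',               // width is not allowlisted, and expression() fails SAFE_VALUE anyway
    'background-color:#fff;font-weight:bold',    // both kept, normalised spacing
    'COLOR: rgb(0, 128, 255)',                   // property names are case-insensitive
    'color: red /* trailing comment */',         // comments are rejected outright
  ].map((input) => ({ input, output: sanitizeStyleAttribute(input) }));
}

module.exports = { sanitizeStyleAttribute, sanitizeInlineStylesIn, demo };
```

The grammar is intentionally stricter than real CSS: rejecting valid-but-unusual values costs a little formatting, whereas trying to enumerate every way a browser can be coaxed into running script from a style (the blacklist approach the answer warns against) is a losing game as new CSS features arrive.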