Using inline css with the span tag?

Hey guys. So I’m a part of this community that uses Discourse for their forums and recently I’ve found out that I can code with inline CSS using the span tag. So I’ve been able to do stuff like this:

And I’ve noticed that I can’t do the same here. So I was wondering if it was a bug or something. Or if it’s something the admins have done, cause none of them seem to know what has happened either.

Sounds like their instance is out of date. What version is it when you view source and look at the headers?

oh that’s interesting.

it says “Discourse 2.1.0.beta 4”

Hmm that is a current version. I can’t think of any reason you couldn’t repro it here. What’s the actual HTML code?

in that preview I used the code

<span style="font-size: 20px; color: #000; letter-spacing: 5px; background-color: rgba(200, 48, 129,.5); padding:50px 90px; width:100px; margin: -100px; auto; display:block; transform: rotateZ(50deg); transform-origin: 20% 40%; transform-style: preserve-3d; position:absolute;z-index:100"> uhm oops

They might have installed a plugin or a theme that is too generous regarding the whitelisting of the style attribute.

Do you know what plugins/theme they have installed?

Wait, what? A theme can whitelist body CSS? That’s incredibly dangerous.

I guess plugins are a different animal, but I’m surprised a theme could do that?

Themes can’t whitelist things in the server-side markdown processor, but they could do something crazy that re-processes cooked content and inserts it into the DOM without filtering.

Yeah, sorry for making your :heart: skip a beat.

For simplicity reasons I put plugins and themes in the same :basket:.


I don’t know what type of plugins they have — I’m just a curious user that simply wants to know what is happening.

They have three themes named: Light, Dark, and Club (which is one they tried making, I believe)

but this works in all of their themes, and only with the span tag … and it only works if I specify a font-size: as the first style attribute

Someone at “this site” has put a script in place to allow <span> tags to have those style attribute values. Presumably because they wanted to allow more style options to posts.

Hopefully they did so taking the security risks into consideration and the script does not introduce any vulnerabilities that could be exploited.

1 Like
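
The risk raised in this thread, an overly generous allowlist for the style attribute, shown from the sanitizing side. This is an added example, not part of the original posts and not Discourse's own sanitizer; the allowed properties, the value patterns and the function name `filterInlineStyle` are assumptions chosen for illustration.

```javascript
// Added example: fail-closed allowlist for inline style declarations.
// Property names and value patterns below are assumptions for illustration.
const COLOR = /^(#[0-9a-f]{3,8}|rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(,\s*(0|1|0?\.\d+)\s*)?\))$/i;
const ALLOWED = new Map([
  ["font-size", /^\d{1,2}px$/],
  ["letter-spacing", /^\d(\.\d)?px$/],
  ["color", COLOR],
  ["background-color", COLOR],
]);

// Style attribute value copied from the <span> posted in the thread.
const POSTED_STYLE =
  "font-size: 20px; color: #000; letter-spacing: 5px; " +
  "background-color: rgba(200, 48, 129,.5); padding:50px 90px; width:100px; " +
  "margin: -100px; auto; display:block; transform: rotateZ(50deg); " +
  "transform-origin: 20% 40%; transform-style: preserve-3d; " +
  "position:absolute;z-index:100";

function filterInlineStyle(styleText) {
  const kept = [];
  const dropped = [];
  // Splitting on ";" is naive, but any fragment it produces must still match
  // a strict pattern, so a mis-split value is dropped rather than passed on.
  for (const raw of styleText.split(";")) {
    const decl = raw.trim();
    if (decl === "") continue;
    const colon = decl.indexOf(":");
    if (colon === -1) {
      dropped.push(decl); // malformed declaration, e.g. the stray "auto"
      continue;
    }
    const prop = decl.slice(0, colon).trim().toLowerCase();
    const value = decl.slice(colon + 1).trim();
    const pattern = ALLOWED.get(prop);
    if (pattern && pattern.test(value)) kept.push(`${prop}: ${value}`);
    else dropped.push(prop);
  }
  return { style: kept.join("; "), dropped };
}

const result = filterInlineStyle(POSTED_STYLE);
console.log("kept:   ", result.style);
console.log("dropped:", result.dropped.join(", "));
```

Only the text-level properties survive; the declarations that let a post leave its own box and cover other parts of the page (position, z-index, transform, negative margin) are dropped.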