Trivial to drop it [background attribute] from all tags.
Yeah, I figured that part would be rather simple. :)
I think I'll just nuke the STYLE attribute on all tags.
Okay. I wasn't sure if you'd want to do that or not. I was going to try to see if I could figure out how to just strip out the url() bit itself. But if you're cool with just killing the attribute, then okay... I guess that's pretty easy too in that case.
Everything in <STYLE> </STYLE> is already filtered out.
It is? I didn't see it in the list of filtered tags. Is that a change that was made to the code, but not the documentation then? -- I thought I'd remembered seeing something about it before, but couldn't find a reference in the SECURITY file. Maybe I'd seen it in the code when I played with stuff earlier this year.
If that's the case, you might want to update the SECURITY documentation file to include that detail.
And btw... Thanks for such a quick response, Sam! 8)
-jab
