RFC: should Loofah sanitize `<style>` tag contents

[flavorjones]

I recently had a conversation with some folks about best practices in sanitizing CSS stylesheets, and I realized that Loofah is no help here. Currently <style> tag contents are treated as CDATA but no particular sanitization is being done like we do for style attributes.

What do y'all think about adding some Crass-based parsing for <style> tags to ensure they're well-formed and sanitized similarly to style attributes?

We obviously would want to take care that Rails apps (and any other web apps that use Loofah) wouldn't accidentally scrub any stylesheets that are inlined in html/head. But I think this should be easy?

[John-Odom]

We would love this

[flavorjones]

@John-Odom Thanks for commenting! Can you tell me a little bit about your use case?