rails / rails-html-sanitizer

Style attribute not included in SafeListSanitizer.allowed_attributes

puneet-sutar opened this issue · comments

In my current project, I also need to allow the style attribute. I know how to do that.
What I am not sure about is why it's not allowed by default, and whether I should be careful about something while allowing the style attribute.

Hey @puneet-sutar, I'm not really part of this project, but to answer your question:

Allowing the style attribute in user-generated content (where I think most folks use this gem) is dangerous because CSS is really powerful and can be used to cause serious damage if it is rendered on a page.

For example, if I had access to CSS (even via the style attribute) in this comment box, I could style an anchor element to cover the GitHub icon in the header and redirect users to a phishing site that looks like github.com.

@puneet-sutar Thanks for asking this question.

The answer @jacobherrington gave is correct, but I would like to add that the underlying library, Loofah, does a reasonable job of trying to sanitize the CSS. Notably, it maintains "allowlists" for CSS properties and functions to try to avoid the obvious vectors for XSS vulnerabilities. But it can't prevent targeted attacks like the one described by Jacob.

I hope our answers made sense and were helpful. I'm going to close this issue, but please feel free to comment or ask for clarification.
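As an added illustration of the allowlist approach described above (example code written for this page, not Loofah's or rails-html-sanitizer's implementation; the property and function lists are assumptions and far shorter than Loofah's real ones), here is a minimal scrubber for a `style` attribute value that keeps only allowlisted properties and rejects values using non-allowlisted functions such as `url()`:

```ruby
# Illustrative allowlists (assumptions for this example, not Loofah's lists).
SAFE_CSS_PROPERTIES = %w[color background-color font-size font-weight
                         text-align text-decoration].freeze
SAFE_CSS_FUNCTIONS  = %w[rgb rgba].freeze

# Returns the declarations that pass both allowlists, re-joined as a style
# attribute value. Declarations for unknown properties (e.g. position),
# values calling non-allowlisted functions (url(), expression()) and values
# with characters outside a conservative set are dropped.
def scrub_style(style)
  style.split(';').map do |decl|
    prop, value = decl.split(':', 2)
    next if prop.nil? || value.nil?
    prop  = prop.strip.downcase
    value = value.strip
    next unless SAFE_CSS_PROPERTIES.include?(prop)

    # Collect every function name used in the value and require each to be
    # allowlisted; this is what stops url(...) or the legacy expression(...).
    functions = value.scan(/([a-z-]+)\s*\(/i).flatten.map(&:downcase)
    next unless (functions - SAFE_CSS_FUNCTIONS).empty?

    # No quotes, backslashes, angle brackets or braces: nothing that could
    # break out of the attribute or smuggle markup through the value.
    next unless value.match?(/\A[\w\s#%,.()\-]+\z/)

    "#{prop}: #{value}"
  end.compact.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a harmless colour next to an overlay attempt.
  puts scrub_style('color: red; position: absolute; top: 0')
end
```

A property allowlist like this blocks `position` and `url()` outright, but as the thread notes it cannot judge intent: whatever properties remain allowed are still usable by an attacker.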