Update to 7.x-1.8 strips tags and style on edit

I just did a fresh install of Drupal 7.12 and installed the 7.x-1.8 ckeditor module.
I found the same results that even when deselecting all security options in the security tab the editor would filter the html on load.

Thanks @dczepierga for the reply. However, I might not have explained my problem clearly. The filtered text works correctly on node view. It correctly strips the style tag. However when editing that node, the ckeditor strips the style tag on load. Ckeditor is applying the text filter to the node edit.

Without Ckeditor installed, here is the node in view using a text filter "Filtered HTML". It correctly strips the style tag.

When I edit the node it correctly shows the style tag in the edit box using the unfiltered text.

Now I install ckeditor and turn off the security filters.

When I edit the node it applies the text format on the edit screen. It adds paragraph tags and strips the style tags.

In the 7.x-1.6 version it would not apply the text filter to the node edit.

I updated to the latest DEV, and it looks like the text filter is no longer applied. For example, if there is an img tag that would normally be filtered out, it will appear in CKeditor.

However, the style tags are still being stripped if the text format uses "Limit allowed HTML tags."

Is it designed for security reasons to now strip style tags even if it does not strip un-allowed tags like an iframe? I realize style tags can be a security issue.

The reason I ask is because I use text filters like Image Resize Filter that will take the style tags to process an image. If the style tag is eliminated on edit it removes previous edits to the image. That is just one example.

If in fact it is working as intended, would it be possible to have an option to disable the style stripping without turning the core text filter off altogether?

Thank you for the help. It's greatly appreciated.

Thanks for all the help.

Yes @dczepierga I understood what you were writing.

I actually looked into the WYSIWYG filter module a while back. It's almost perfect, but they are very strict about never allowing certain tags like iframe or embed tags. That complicates things for me on a different end.

I can't say that everything works as expected now, but that's fine. The main confusion was that in 1.6 it did not strip styles for me and in 1.8 it did.

After looking into the code I can see that the ckeditor_filter_xss() function is running...

//Call default CKEditor built-in filter
if ($name == "filter_html" && $status == 1) {
  preg_match_all("|</?([a-z][a-z0-9]*)(?:\b[^>]*)>|i", $text, $matches);
    if ($matches[1]) {
      $tags = array_unique($matches[1]);
      $text = filter_xss($text, $tags);
    }
  continue;
}

The part that is a little confusing now is that it takes all the tags currently in the text and then passes them into filter_xss() as acceptable tags. Normally, the filter_html filter would strip unwanted tags and styles.

From a security standpoint I completely understand. From a usability standpoint it's a little confusing having it detect a filter designed to strip unwanted tags and styles and then only stripping styles. If I was editing a node I would understand having my text filtered the same as when viewing it, but having only a portion of it stripped comes without much warning.

In the end, I will find a different workaround for my specific needs.

Thanks for the time and help.