I suggest you don't allow attributes at all. Allowing the style attribute causes an XSS vulnerability in IE7 (and possibly other versions, I am not sure at the moment) but the point is, it's too dangerous. You should parse the HTML yourself, and replace the users' with constant strings in your code. Allowing HTML is a really dangerous practice. For better security, you may want to try something like markdown or create your own very simple markup type language (like BBcode) for your users to use.

Like SamT said regarding the XSS vulnerability in IE7, be wary of allowing access to the style attribute because of a genius Microsoft move that allowed the use of javascript in CSS by way of "expression()" (also known as Dynamic Properties). http://msdn.microsoft.com/en-us/library/ms537634(v=vs.85).aspx

Regarding its removal in IE8, where Microsoft blatantly admits that it exposed users to additional vulnerabilities: http://blogs.msdn.com/b/ie/archive/2008/10/16/ending-expressions.aspx

example:

<a href="" style="width: expression(alert('XSS'));">blah</a>

The above would pop up a javascript alert box in MSIE 5 through 7. According to the docs on the MSDN, it should also work on IE8 when Quirks mode is active. It also might also occur on IE9 in quirks mode but I can't be sure.

If at all possible, avoid allowing access to the style attribute. You never know when another future browser will get the genius idea to add in the same mistake Microsoft made.

At the least, you want to allow attributes for tags which purifier supports, like so:

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');

I'm not sure if you can also allow/restrict the content of the attributes, though.

Allow the style attributes, and then modify the allowed CSS attributes using %CSS.AllowedProperties.

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');
$configuration->set('CSS.AllowedProperties', 'margin-left');

P.S. I'm surprised how many people don't understand how HTML Purifier works.