Currently, any inline styles in HTML get stripped out when editing content for text-formats that use both the core CKEditor and any output filtering. This includes simple and generally useful styles like <td style="width: 25%">. #2099741: Protect WYSIWYG Editors from XSS Without Destroying User Data put this filtering in place to prevent XSS attacks via saved content being rendered by an editor. While this brings good safety, the current blanket prohibition on any inline styles while CKEditor with output filtering is used causes issues such as #2785483: [upstream] Cannot set cell width or height because inline styles are stripped and #3073961: allowed styles are removed upon editing in ckeditor.
#2099741: Protect WYSIWYG Editors from XSS Without Destroying User Data and the Text editor XSS filtering documentation indicate that editors can override the XSS filter class used and provide their own implementation. Unfortunately, extending \Drupal\editor\EditorXssFilter\Standard to add filtering of style attributes requires overriding the large and complex \Drupal\Component\Utility\Xss::attributes() function.
I would like to propose refactoring \Drupal\Component\Utility\Xss::attributes() to make the code more understandable as well as make it easier for child classes to add support for filtering of inline style attributes while continuing to use the default filtering for all other attributes.
I'll follow up with a proof-of-concept refactoring of \Drupal\Component\Utility\Xss::attributes() that maintains existing behavior by default, but is easier to extend for this purpose or related purposes.