Looks good, but see comments. What do you think?

http://codereview.appspot.com/88118/diff/2001/2005
File tests/com/google/caja/plugin/templates/TemplateCompilerTest.java (right):

http://codereview.appspot.com/88118/diff/2001/2005#newcode147
Line 147: "<form action='test:///testFormRewritten'"
The default form action URL, as used here, is being added by TemplateCompiler.java; see line 225++:

  if (a.getType() == HTML.Attribute.Type.URI) {
    safeValue = Nodes.getFilePositionFor(el)
        .source().getUri().toString();
    // ...
  }

This code is generic for any URI-valued attribute; it simply selects what it considers a "safe value". Should we be calling the PluginEnvironment instead to get what *it* thinks is a "safe" URI? Should that be [yet] an[other] callback on the PluginEnvironment? Wouldn't that be more consistent with your "trust the PluginEnvironment" assertion? It seems that a URI back to the original source code of a plugin (which is what the existing code does) is only "safe" if the PluginEnvironment thinks so, right?

http://codereview.appspot.com/88118
