Updates:
        Status: WontFix
        Owner: [email protected]

Comment #3 on issue 1079 by [email protected]: PluginEnvironment should have a getSafeUri()
http://code.google.com/p/google-caja/issues/detail?id=1079

The remaining issue I see from this is that we should not normalize URIs that are whitelisted by the PluginEnvironment. As noted by an associated CL description by felixz@, when using a PluginEnvironment that allows URIs without rewriting, the cajoler will turn this:
  <a href="mailto:a@b"></a>
  <a href="http://a.b/c;_d=e"></a>
into this:
  <a href="mailto:/a%40b"></a>
  <a href="http://a.b/c%3b%5fd%3de"></a>
which doesn't mean the same thing at all.

This is currently done in class HtmlAttributeRewriter, and normalization happens *before* we give the URIs to the PluginEnvironment. This issue persists in ES5/3 at time of writing, but does not exist in ES5. I am loath to mess with such touchy code given that we have not received any problem reports about this misfeature, so I am marking WontFix.
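
The URI pairs quoted in the comment above can be checked against RFC 3986 syntax-based normalization, which only permits decoding escapes of unreserved characters and changing hex case. This is an added example, not part of the original comment and not Caja's code; `canonicalize`, `sameMeaning` and `preserveOrKeep` are hypothetical names, and host case and dot-segment handling are left out.

```javascript
// Added example (not Caja code): equivalence check per RFC 3986 section 6.2.2.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Canonical form: lowercase the scheme, decode escapes of unreserved
// characters, uppercase the hex digits of every other escape.
// Reserved characters (";", "=", "@", "/") are never escaped or unescaped
// here, because doing so changes how the URI is parsed by its consumer.
function canonicalize(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):([\s\S]*)$/.exec(uri);
  if (!m) throw new Error('not an absolute URI: ' + uri);
  const rest = m[2].replace(/%([0-9A-Fa-f]{2})/g, (esc, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : '%' + hex.toUpperCase();
  });
  return m[1].toLowerCase() + ':' + rest;
}

// True when two URIs differ only by meaning-preserving normalization.
function sameMeaning(a, b) {
  return canonicalize(a) === canonicalize(b);
}

// Hypothetical guard for a rewriter: emit the rewritten form only when it
// is equivalent to the input, otherwise keep the URI the policy approved.
function preserveOrKeep(original, rewritten) {
  return sameMeaning(original, rewritten) ? rewritten : original;
}

// URI pairs quoted in the comment above: [input, cajoler output].
const REPORTED = [
  ['mailto:a@b', 'mailto:/a%40b'],
  ['http://a.b/c;_d=e', 'http://a.b/c%3b%5fd%3de'],
];

// One boolean per reported pair: does the output mean the same as the input?
function checkReported() {
  return REPORTED.map(([input, output]) => sameMeaning(input, output));
}

console.log(checkReported());
// Escaping only the unreserved "_" is harmless; escaping ";" and "=" is not.
console.log(sameMeaning('http://a.b/c;_d=e', 'HTTP://a.b/c;%5fd=e'));
```

Both reported pairs fail the check, while a variant that escapes only the unreserved `_` passes, which isolates the reserved-character encoding (and the inserted `/` in the `mailto:` case) as the part that changes meaning.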
