Status: New
Owner: [email protected]
Labels: Type-Defect Priority-High Client-AppScript
New issue 1778 by [email protected]: r5218 broke GViz formatters
http://code.google.com/p/google-caja/issues/detail?id=1778
https://code.google.com/p/google-caja/source/detail?r=5218
This change disallowed HTML provided by guest code. That was in and of
itself good, as it closed a security hole (arbitrary script execution by
providing HTML data that is displayed un-sandboxed by GViz components).
Unfortunately, it did so by setting { allowHtml: false }, which means that
the built-in GViz formatters, like ArrowFormat and BarFormat, which use
HTML, no longer work.
There is no mechanism in GViz for saying, "Allow HTML from the built-in
components, but do not allow HTML from the user-supplied data", which would
be the policy that we would really want here.
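As an added illustration (not part of the issue, and not Caja's or GViz's own code), the policy the report describes can be applied outside the library: guest-supplied cell values are HTML-escaped before rendering, so only a built-in formatter may emit markup. `escapeHtml`, `arrowFormat` and `renderRow` are hypothetical stand-ins for GViz internals.

```javascript
// Hypothetical helpers, added here to show the trusted-vs-untrusted HTML
// split. Guest data is always rendered as inert text; only library-side
// formatter code may produce markup.

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Stand-in for a built-in formatter such as ArrowFormat: decorates a
// numeric cell with a directional marker. Its markup is trusted because
// it is generated by library code, never copied from the guest data.
function arrowFormat(cell, base = 0) {
  const n = Number(cell);
  if (typeof cell === 'string' || !Number.isFinite(n)) {
    return escapeHtml(cell); // non-numeric input is rendered as plain text
  }
  const dir = n > base ? 'up' : n < base ? 'down' : 'flat';
  return `<span class="arrow-${dir}">${n}</span>`;
}

// Render one table row. `formatters` maps a column index to a trusted
// formatter; every other column goes through escapeHtml.
function renderRow(row, formatters) {
  return '<tr>' + row.map((cell, i) => {
    const fmt = formatters[i];
    return '<td>' + (fmt ? fmt(cell) : escapeHtml(cell)) + '</td>';
  }).join('') + '</tr>';
}

// Constructed guest data: a label column carrying markup and a numeric
// column the arrow formatter should decorate.
const guestRows = [
  ['Revenue <script>x()</script>', 12.5],
  ['<b>Costs</b>', -3],
];

function renderGuestTable() {
  return guestRows.map((r) => renderRow(r, { 1: arrowFormat })).join('');
}
```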
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.