If you don't want to use javascript, then the client side html
sanitizer is probably what you want.  It gets rid of javascript rather
than trying to make it safe, and has the benefit of not needing a cajoler
on a server.

https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer

On Fri, Jun 28, 2013 at 10:51 AM, Doug Koellmer <[email protected]> wrote:
> Using the default goals for the PluginCompiler
> (PipelineMaker.ONE_CAJOLED_MODULE.with(PipelineMaker.HTML_SAFE_STATIC.with(PipelineMaker.SANITY_CHECK))),
> I'm getting static html that is mostly namespaced/sandboxed correctly,
> except for at least one case. If I have <div id='blah'
> onclick='someFunction();'></div>, the DIV's id is changed to something like
> id_4___, instead of blah-<idClass>. Only when the cajoled JS is loaded does
> the id get set correctly using the idClass I provide.
>
> If I don't include the onclick attribute, then the static html is correct by
> itself. So basically I'm wondering if there is a configuration that will
> yield safe static html that disregards javascript completely.
>
> I figured out that removing "onclick" from the html schema transforms
> onclick into data-caja-onclick and my DIV id is correct. I could just modify
> the schema files to remove all attributes related to scripting, but does
> that cover all cases where cajoled JS is required to render the static html
> correctly? Is there a better way?
>
> As usual, thank you for your time.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "Google Caja Discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>



-- 
Mike Stay - [email protected]
http://www.cs.auckland.ac.nz/~mike
http://reperiendi.wordpress.com
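To illustrate the "strip scripting rather than rewrite it" policy the reply recommends, here is an added example that is not Caja's code and not from this thread: a small allow-list sanitizer built on Python's stdlib html.parser that drops script/style elements with their contents, drops every on* attribute and non-http(s) href, and suffixes ids the way the original poster expected (the `id_suffix` standing in for Caja's idClass is an assumption of this example).

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "br", "div", "em", "i", "li", "ol", "p", "span", "strong", "ul"}
ALLOWED_ATTRS = {"class", "href", "id", "title"}
DROP_WITH_CONTENT = {"script", "style"}   # element and everything inside it is removed
VOID_TAGS = {"br"}                        # no closing tag is emitted for these


class StripScriptSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags/attributes; everything else is dropped."""

    def __init__(self, id_suffix):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.id_suffix = id_suffix        # hypothetical stand-in for Caja's idClass
        self.skip_depth = 0               # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                        # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if value is None or name.startswith("on") or name not in ALLOWED_ATTRS:
                continue                  # onclick, onload, ... never survive
            if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                continue                  # javascript:, data:, vbscript: etc. are dropped
            if name == "id":
                value = f"{value}-{self.id_suffix}"
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):          # comments are silently dropped by the base class
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html, id_suffix="guest"):
    parser = StripScriptSanitizer(id_suffix)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Run on the poster's snippet, `sanitize("<div id='blah' onclick='someFunction();'></div>", "guest")` yields `<div id="blah-guest"></div>`: the handler is gone and the id is namespaced without any cajoled JS needing to run.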
