One reason I'm doing this server-side is that up to 12 or more user "applications" might come on screen at the same time, and I don't want the overhead of sanitizing them all on demand. Instead, when a user saves their app, it gets sent up to my server, sanitized, then stored in the DB, so that subsequent app views are just simple DOM injections. I haven't actually benchmarked html_sanitize, so maybe I'm prematurely optimizing and it would be fine, but I'm worried about large DOM trees lagging things down.
Now that I've asked, I realize that I got so caught up in using the cajoler*, when all I really need is a server-side Java sanitizer capable of namespacing ids/classes and rewriting URIs. I see that OWASP uses Caja somehow already and presumably provides this. Is there a way to go direct through Caja though?

* I actually did need the cajoler at one point because I needed the cajoled JS as well...now that I'm sandboxing JS with es5Mode, I realize that the server can be a little more flexible.

--
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

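As an added example (not code from the thread above, nor from the Caja or OWASP projects), here is how the two things the post asks for, namespacing id/class tokens per app and rewriting URIs, can be expressed as attribute policies in the OWASP Java HTML Sanitizer, whose sanitizer core was derived from Caja's. The `AppHtmlSanitizer` class, the `app<id>-` prefix scheme, the `https://proxy.example/fetch?u=` proxy endpoint, the element whitelist and the sample input are all assumptions made for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.Locale;
import java.util.regex.Pattern;

import org.owasp.html.AttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/** Per-app sanitizer policy: ids/classes get an app prefix, link/image URIs go through a proxy. */
public final class AppHtmlSanitizer {

    // Assumed: a fetch proxy controlled by the host site that takes the target URL in ?u=.
    private static final String PROXY_BASE = "https://proxy.example/fetch?u=";

    // Conservative syntax for a single id/class token; attributes with anything else are dropped.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z_][A-Za-z0-9_-]*");

    private AppHtmlSanitizer() {}

    /** Rewrites "card hot" to "app42-card app42-hot" so apps cannot collide with each other or the host page. */
    static AttributePolicy namespaceTokens(final String appPrefix) {
        return new AttributePolicy() {
            @Override
            public String apply(String elementName, String attributeName, String value) {
                StringBuilder out = new StringBuilder();
                for (String tok : value.trim().split("\\s+")) {
                    if (tok.isEmpty()) continue;
                    if (!TOKEN.matcher(tok).matches()) {
                        return null; // null drops the whole attribute rather than passing junk through
                    }
                    if (out.length() > 0) out.append(' ');
                    out.append(appPrefix).append('-').append(tok);
                }
                return out.length() == 0 ? null : out.toString();
            }
        };
    }

    /** Keeps only absolute http(s) URIs and rewrites each one to point at the proxy. */
    static AttributePolicy proxyUri() {
        return new AttributePolicy() {
            @Override
            public String apply(String elementName, String attributeName, String value) {
                URI uri;
                try {
                    uri = new URI(value.trim());
                } catch (URISyntaxException e) {
                    return null;
                }
                // Relative and scheme-less ("//host/x") URIs would resolve against the host page, so reject them.
                if (uri.getScheme() == null || uri.getHost() == null) return null;
                String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
                if (!scheme.equals("http") && !scheme.equals("https")) return null;
                try {
                    return PROXY_BASE + URLEncoder.encode(uri.toASCIIString(), "UTF-8");
                } catch (UnsupportedEncodingException e) {
                    throw new AssertionError(e); // UTF-8 is always present
                }
            }
        };
    }

    /** Builds the policy once per app; the factory is thread-safe and can be cached by appId. */
    public static PolicyFactory policyFor(String appId) {
        if (!TOKEN.matcher(appId).matches()) {
            throw new IllegalArgumentException("appId must itself be a valid token: " + appId);
        }
        String prefix = "app" + appId;
        return new HtmlPolicyBuilder()
            .allowElements("a", "b", "div", "em", "h1", "h2", "h3", "i", "img",
                           "li", "ol", "p", "span", "strong", "ul")
            .allowAttributes("id", "class").matching(namespaceTokens(prefix)).globally()
            .allowAttributes("href").matching(proxyUri()).onElements("a")
            .allowAttributes("src").matching(proxyUri()).onElements("img")
            .allowAttributes("alt").onElements("img")
            .allowStandardUrlProtocols() // without this the builder rejects every URL attribute outright
            .toFactory();
    }

    public static void main(String[] args) {
        // Constructed sample input, standing in for what an untrusted user app would submit on save.
        String untrusted = "<div id=\"main\" class=\"card hot\" onclick=\"steal()\">"
            + "<a href=\"javascript:alert(1)\">bad</a>"
            + "<a href=\"https://example.com/page?x=1\">ok</a>"
            + "<img src=\"//cdn.example.net/pic.png\" alt=\"pic\">"
            + "<script>alert(2)</script></div>";
        System.out.println(policyFor("42").sanitize(untrusted));
    }
}
```

This matches the save-time pipeline described in the post: `policyFor(appId).sanitize(html)` runs once on the server and the result is what gets stored and later injected. Two caveats a practitioner would want: the builder's own protocol filter still runs on `href`/`src` alongside the custom policy, so `javascript:` is rejected regardless of the order the two are applied in; and prefixing only prevents collisions between apps and with the host page, it does not make ids unique within one app.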