https://codereview.appspot.com/10892043/diff/1/src/com/google/caja/plugin/sanitizecss.js
File src/com/google/caja/plugin/sanitizecss.js (right):
https://codereview.appspot.com/10892043/diff/1/src/com/google/caja/plugin/sanitizecss.js#newcode535
src/com/google/caja/plugin/sanitizecss.js:535: // We disallow absolute positions relative to html.
On 2013/07/03 20:58:52, kpreid2 wrote:
> On 2013/07/03 20:49:23, MikeSamuel wrote:
> > Good catch. We {c,sh}ould replace 'html' and other virtualized elements with
> > appropriate class references. I'd rather do that in a separate CL though.
> > Do we have a list of those elsewhere?
>
> That's already handled by the call to tagPolicy — so at this point, 'element'
> has already been rewritten. If it wasn't, we would be obviously broken.
>
> And, to reiterate, once we support targeting a real document (such that we don't
> virtualize the <html> element), it would be incorrect to reject a 'html >'
> selector.
>
> This condition should be deleted.

Done.
https://codereview.appspot.com/10892043/diff/6002/src/com/google/caja/parser/js/ExpressionStmt.java
File src/com/google/caja/parser/js/ExpressionStmt.java (right):
https://codereview.appspot.com/10892043/diff/6002/src/com/google/caja/parser/js/ExpressionStmt.java#newcode67
src/com/google/caja/parser/js/ExpressionStmt.java:67: || startsWithRegex(e)) {
Some of the statements of the form

    if (c) {
      if (/foo/.test(x)) {
        valid = false;
      } else {
        bar = baz;
      }
    } ...

were getting minified to

    if (c)/foo/.test(x)?(valid=false):bar=baz;

which is valid, but which Rhino chokes on, causing JsHtmlSanitizerTest to fail
on a parse error in html-css-sanitizer-minified.js

This additional change makes our rendered JS Rhino-safe.
https://codereview.appspot.com/10892043/
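The rendering rule described in the comment above, as an added example in JavaScript that is not Caja's code: an expression statement is wrapped in parentheses when its first token would be ambiguous at statement start (a block-like '{', 'function', or, as in this CL, a regex literal whose leading '/' a strict parser such as Rhino may read as division), and the minified form is checked against the original block form by executing both. The names startsWithRegex, needsParens, renderExpressionStmt, renderIf and sameBehaviour are this example's own and assume the expression source carries no leading comments.

```javascript
// Added example, not Caja's ExpressionStmt renderer.

// Does the rendered expression begin with a regex literal?
// An expression cannot start with the division operator, so a leading '/'
// that does not open a '//' or '/*' comment is a regex literal here.
// Assumption: no leading comments, only plain whitespace before the token.
function startsWithRegex(src) {
  const s = src.replace(/^\s+/, '');
  return s.length > 1 && s[0] === '/' && s[1] !== '/' && s[1] !== '*';
}

// First tokens that make a bare expression statement ambiguous.
function needsParens(src) {
  const s = src.replace(/^\s+/, '');
  return s.startsWith('{') || /^function\b/.test(s) || startsWithRegex(s);
}

// Render an expression as a statement, parenthesizing when needed.
function renderExpressionStmt(src) {
  return (needsParens(src) ? '(' + src + ')' : src) + ';';
}

// Compose "if (cond) <stmt>" without block braces, as a minifier would.
function renderIf(cond, thenExprSrc) {
  return 'if (' + cond + ')' + renderExpressionStmt(thenExprSrc);
}

// Confirm the parenthesized rendering parses and behaves like the original
// block form for the given inputs (returns true when both agree).
function sameBehaviour(cond, x) {
  const original =
    'if (c) { if (/foo/.test(x)) { valid = false; } else { bar = baz; } }';
  const minified = renderIf('c', '/foo/.test(x)?(valid=false):bar=baz');
  const run = (body) => new Function(
    'c', 'x', 'var valid=true,bar=0,baz=1;' + body + ';return [valid,bar];');
  const a = run(original)(cond, x);
  const b = run(minified)(cond, x);
  return a[0] === b[0] && a[1] === b[1];
}
```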
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.