Hi Mike/Kevin,

I believe whitelisting all HTML5, CSS 3 tags and styles would be a little
tedious, or the list would always be growing!
Do you have any other out-of-the-box solution, as I feel the above approach is
a little restrictive, even when browser-specific tags are used (moz, webkit)?

I presume both 1) google-caja and OWASP Java HTML Sanitizer have this
limitation, same as 2) AntiSamy.
The only difference is that the former has a little built-in support for HTML5
and CSS3, while the latter's policy file should be updated to support new tags
and styles.

Also, I'm curious to know how Facebook/Google have handled this
challenge of supporting HTML5 and CSS3 on their pages where the user has
the flexibility to include their HTML?

Eager to see your response.

Thanks,
Mahesh


On Fri, Nov 22, 2013 at 9:34 PM, Mike Samuel <[email protected]> wrote:

> Mahesh, see our tag and property whitelists:
>
>
> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/lang/html/html4-elements-whitelist.json
>
> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/lang/html/html5-elements-whitelist.json
>
> and
>
>
> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/lang/css/css3-whitelist.json
>
> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/lang/css/css3-fns-whitelist.json
>
>
> 2013/11/21 Mahesh Mahi <[email protected]>:
> > I'm curious to know whether Google Caja supports HTML5 tags and CSS3 styles
> > (including browser-specific style tags, e.g. -webkit, -moz)?
> >
> > It would be great if you can give me a list/link of the HTML 5 tags and
> > CSS 3 styles supported.
> >
> > Thanks in Advance.
> > Mahesh
> >
> >
> > On Wed, Nov 13, 2013 at 11:56 PM, Kevin Reid <[email protected]> wrote:
> >>
> >> On Tue, Nov 12, 2013 at 7:25 PM, Mahesh Mahi <[email protected]> wrote:
> >> >
> >> > Does Google Caja support HTML5 and CSS3?
> >>
> >> Please join the google-caja-discuss group to ensure that you receive
> >> replies to your messages.
> >>
> >> Caja currently supports the majority of HTML 5 and CSS 3. If you are
> >> seeing _all_ new tags being stripped out, then either you are using an
> >> old version of Caja, you are somehow using the HTML 4-only whitelist,
> >> or you have discovered a new bug. Please provide a very small example
> >> of what is happening and we can take a look.
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google Groups
> >> "Google Caja Discuss" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> For more options, visit https://groups.google.com/groups/opt_out.
> >