2013/11/28 Mahesh Mahi <[email protected]>:

> Hi Mike/Kevin,
>
> I believe whitelisting all HTML5, CSS 3 tags and styles would be a little
> tedious, or the list would always be growing!
> Do you have any other out-of-the-box solution, as I feel the above approach is a little
> restrictive, even when browser-specific tags are used (moz, webkit)?
What do you mean by "browser specific tags"? Do you have any examples?

Why would you whitelist all of HTML5 or CSS3? That seems to defeat the purpose of whitelisting in the first place, which is to restrict the authority that a third party can exercise.

> I presume both 1) google-caja and OWASP Java HTML Sanitizer have this
> limitation, same as 2) AntiSamy.
> The only difference is the former has a little built-in support for HTML5 and CSS3,
> while the latter's policy file should be updated to support new tags and
> styles.

You can change the policy files used by Caja, and you can supply different whitelists at runtime to its sanitizers.

OWASP Java HTML Sanitizer policies are specified in code via the HTMLPolicyBuilder API ( http://www.glowscript.org/#/user/msgs/folder/My_Programs/program/Lights ) and you can use whatever tag names you desire.

Only AntiSamy requires editing files to change policies, and it fails to distinguish between the description of the language and the policy by blending both into an XML file.

> Also I'm curious to know how Facebook/Google have handled this
> challenge of supporting HTML5 and CSS3 on their pages where the user has
> the flexibility to include their HTML?

I think Facebook & Google are incrementally adding support for HTML5 tags as they see use cases. Most of the tags that were added to HTML5 are semantic in nature, so not useful without stylesheets, which have serious embedding problems, or are powerful new media tags like video or audio which are usually not embedded directly, but instead embedded via YouTube embedding APIs or the like.
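As an added example (not code from this thread, nor from the Caja or OWASP projects) of the code-specified whitelist the reply describes, the following builds an OWASP Java HTML Sanitizer policy that admits a handful of semantic HTML5 tags while leaving scripting, event handlers, inline CSS and raw media tags outside the allowed authority. It assumes the `org.owasp.html` library on the classpath; the tag list, the approved class-name pattern and the sample input are constructed for illustration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import java.util.regex.Pattern;

public class Html5WhitelistPolicy {

    // Constructed list: structural HTML5 tags that carry no scripting
    // authority on their own. Anything not named here is dropped.
    private static final String[] SEMANTIC_TAGS = {
        "article", "section", "header", "footer", "figure", "figcaption", "mark", "time"
    };

    // Only a bounded, explicitly approved set of class names passes through,
    // so untrusted markup cannot point at arbitrary host-page styles.
    private static final Pattern APPROVED_CLASSES = Pattern.compile("^(note|quote|caption)$");

    public static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "b", "i", "em", "strong", "ul", "ol", "li", "br")
        .allowElements(SEMANTIC_TAGS)
        .allowAttributes("class").matching(APPROVED_CLASSES)
            .onElements("article", "section", "figure", "p")
        .allowAttributes("datetime").onElements("time")
        // Links: href only with standard (http/https/mailto) schemes, and
        // rel="nofollow" is forced so user content does not lend page reputation.
        .allowElements("a")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()
        .requireRelNofollowOnLinks()
        // No allowStyling() call: inline style attributes are removed.
        // <video>, <audio>, <script> and event-handler attributes are not
        // whitelisted, so the sanitizer strips them.
        .toFactory();

    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input mixing allowed semantic markup with
        // markup the policy does not grant.
        String input = "<article class=\"note\"><p class=\"evil\" onclick=\"x()\">Hi</p>"
            + "<video src=\"x.mp4\"></video><script>alert(1)</script>"
            + "<a href=\"javascript:alert(1)\">js</a> "
            + "<a href=\"https://example.org/\">ok</a></article>";
        System.out.println(sanitize(input));
    }
}
```

Extending the whitelist to a new HTML5 tag is one more `allowElements` entry plus the attributes it may carry, which is the incremental, use-case-driven growth the reply attributes to Facebook and Google.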
