On Wed, Feb 19, 2014 at 6:40 AM, John Kida <[email protected]> wrote:
> I built a GWT webapp that contains an email reader in one of its views. I
> want to be able to display the emails in both their original HTML and plain
> text formats. I am currently parsing and saving the HTML email text into the
> DB, and it is queried when it needs to be viewed. Rather than saving the
> original message and having to sanitize it every time it needs to be viewed,
> I would rather just store the sanitized version in the DB. So my question is:
> can I run the HTML/CSS/Javascript sanitizer on this parsed email message
> to get the response and store that in the DB? This would all be done
> server-side.
>
> I am just trying to figure out what is the best way to sanitize and store
> some static HTML that will never change. And is caja a good fit for doing
> this?
>
> I would want to strip out all JS, any global css, and any other security
> related code.
>
> Thanks

Caja no longer works by rewriting content; since all modern browsers
adopted Caja's security model with ES5, all the security code runs at
full speed and the old rewrite/emulate code has been deprecated.
Thus, there's no need to strip out that content: Caja as a whole is
built to *allow* the JS, CSS, etc. to run while constraining the side
effects to changing the content within a div.  You can, for example,
choose not to allow access to the network.

That said, if you're really convinced that you want to strip out side
effects rather than constrain them, Caja does include a sanitizer as
well (https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer).  It
runs in JavaScript, though, so you'd either need to run it on the
browser to get the sanitized string and then send that back to your
database or you'd need to run JavaScript on the server.
-- 
Mike Stay - [email protected]
http://www.cs.auckland.ac.nz/~mike
http://reperiendi.wordpress.com
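A minimal illustration of the "sanitize once server-side, store the sanitized version" approach discussed above, added here as an example; it is not Caja's JsHtmlSanitizer nor code from either poster. It is a small allowlist HTML sanitizer in plain JavaScript so that it runs under Node on the server, as the reply suggests; the tag/attribute allowlists and the sample email are constructed assumptions.

```javascript
// Added example (not Caja's own code): a minimal allowlist HTML sanitizer.
// It drops <script>/<style> elements with their bodies, comments, unknown
// tags, every on* event handler, style attributes, and any link whose
// scheme is not http(s)/mailto. A production sanitizer (e.g. Caja's) also
// balances tags and parses CSS; this one only illustrates the approach.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br',
  'div', 'span', 'ul', 'ol', 'li', 'blockquote', 'h1', 'h2', 'h3']);
// Per-tag attribute allowlist; '*' applies to every allowed tag. No <img>:
// remote images are a network side effect, which the reply suggests denying.
const ALLOWED_ATTRS = { a: ['href'], '*': ['title'] };
// Checked on the raw attribute text, so an entity-encoded scheme never matches.
const SAFE_URL = /^(https?:|mailto:)/i;
const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Escape text nodes and attribute values; already-valid entities are kept.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function sanitizeAttrs(tag, raw) {
  const allowed = (ALLOWED_ATTRS[tag] || []).concat(ALLOWED_ATTRS['*']);
  let out = '';
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name.startsWith('on') || !allowed.includes(name)) continue;
    if ((name === 'href' || name === 'src') && !SAFE_URL.test(value.trim())) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let out = '', last = 0, skipUntil = null; // skipUntil: inside <script>/<style>
  for (const m of html.matchAll(TAG_RE)) {
    if (!skipUntil) out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    if (m[0].startsWith('<!--')) continue;            // comments are dropped
    const name = m[1].toLowerCase(), closing = m[0][1] === '/';
    if (skipUntil) { if (closing && name === skipUntil) skipUntil = null; continue; }
    if (name === 'script' || name === 'style') { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;            // unknown tag: keep only its text
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[2])}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  return out;
}

// Constructed sample email body (not from the thread) showing what survives.
const SAMPLE_EMAIL = '<p onclick="x()">Hi &amp; <b>bob</b><script>alert(1)</script>'
  + '<style>body{color:red}</style><a href="javascript:alert(1)">x</a>'
  + '<a href="https://example.com/?a=1&b=2" title="t">ok</a>'
  + '<img src=x onerror=alert(1)>5 < 6</p>';
console.log(sanitizeHtml(SAMPLE_EMAIL)); // the string to store in the DB
```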

You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.