On Tue, Aug 12, 2014 at 5:04 PM, Andrew Stillman <[email protected]>
wrote:
> Before I lose faith, can anyone comment on whether there is a known or
> documented compatible rich text editor for Caja?
>
Unfortunately, most rich text editor components depend on the
"contenteditable" browser feature, which is difficult if not impossible to
support in a way which meets Caja's security requirements. You would have
to use an editor which does not make use of contenteditable (perhaps, as
MarkM suggested in another message, a markup editor with preview).

For the technically interested, the problem, as I understand it, is that
contenteditable allows arbitrary HTML to be *pasted into the document*; that
HTML can then attack the host page even if it was pasted into the guest.
This does not mean that a guest could launch an attack by itself, but it
could ask users to perform such an apparently-innocuous action as visiting
another page ("try our templates!") and copying content from it.

(Don't take this as the final word; I wasn't present for the original
decision and may not have the analysis right.)

I have a hypothesis that this could be mitigated by arranging to sanitize
the content immediately after it is pasted, but I haven't tried this idea
out to see if it even vaguely works.
--
---
You received this message because you are subscribed to the Google Groups
"Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
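As an added example, not part of the thread and not Caja's own code, the following sketches the mitigation hypothesised above: intercept the `paste` event on a contenteditable region, run the clipboard's `text/html` payload through an allowlist sanitizer, and insert the cleaned markup ourselves instead of letting the browser insert the raw HTML. The tag and attribute allowlist, the `DROP_CONTENT` set and the `[contenteditable]` selector are assumed editor policy, not anything the Caja project specifies.

```javascript
// Added example: allowlist sanitizer applied to clipboard HTML at paste time.
// Policy below (tags, attributes, URL schemes) is an assumption for illustration.

const ALLOWED_TAGS = {
  b: [], i: [], em: [], strong: [], u: [], p: [], br: [], ul: [], ol: [], li: [],
  h1: [], h2: [], h3: [], blockquote: [], code: [], pre: [],
  a: ["href", "title"], img: ["src", "alt"],
};
// Elements whose whole content is discarded, not just the tag itself.
const DROP_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);
const VOID_TAGS = new Set(["br", "img"]);
const URL_ATTRS = new Set(["href", "src"]);

// Text is re-escaped; existing character references are kept so pasted text
// such as "&lt;b&gt;" still displays as literal angle brackets.
function escapeText(s) {
  return s.replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/gi, "&amp;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
// Attribute values escape "&" unconditionally, so entity-encoded tricks like
// "java&#115;cript&#58;" cannot be decoded by the browser into a scheme.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Strip whitespace/control characters browsers ignore, then require an explicit
// http(s)/mailto scheme or a scheme-less (relative) reference.
function safeUrl(v) {
  const u = v.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  return /^(https?:|mailto:)/.test(u) || !u.includes(":");
}

// Minimal tokenizer: comments, closing tags, opening tags with attributes.
// Anything that does not parse as a tag is treated as text and escaped.
const TOKEN = /<!--[\s\S]*?-->|<\/([a-z][a-z0-9]*)\s*>|<([a-z][a-z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*\/?>/gi;
const ATTR = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function sanitizeHtml(html) {
  let out = "";
  const open = [];        // emitted open tags, closed in order at the end
  let skipUntil = null;   // set while inside a DROP_CONTENT element
  let last = 0;
  for (const m of html.matchAll(TOKEN)) {
    const text = html.slice(last, m.index);
    last = m.index + m[0].length;
    if (!skipUntil) out += escapeText(text);
    if (m[0].startsWith("<!--")) continue;               // comments dropped
    if (m[1] !== undefined) {                             // closing tag
      const name = m[1].toLowerCase();
      if (skipUntil) { if (name === skipUntil) skipUntil = null; continue; }
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                           // stray close dropped
      while (open.length > idx) out += `</${open.pop()}>`;
      continue;
    }
    const name = m[2].toLowerCase();
    if (skipUntil) continue;
    if (DROP_CONTENT.has(name)) { skipUntil = name; continue; }
    const allowed = ALLOWED_TAGS[name];
    if (!allowed) continue;                               // unknown tag dropped, text kept
    let attrs = "";
    for (const a of (m[3] || "").matchAll(ATTR)) {
      const an = a[1].toLowerCase();
      const val = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || "");
      if (!allowed.includes(an)) continue;                // drops on*, style, etc.
      if (URL_ATTRS.has(an) && !safeUrl(val)) continue;
      attrs += ` ${an}="${escapeAttr(val)}"`;
    }
    out += `<${name}${attrs}>`;
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Clipboard payload: prefer text/html (sanitized), fall back to escaped plain text.
function cleanPastePayload(clipboardData) {
  const html = clipboardData.getData("text/html");
  if (html) return sanitizeHtml(html);
  return escapeText(clipboardData.getData("text/plain") || "");
}

// Paste handler: cancel the browser's raw insertion and insert cleaned markup.
function onPaste(event) {
  event.preventDefault();
  document.execCommand("insertHTML", false, cleanPastePayload(event.clipboardData));
}

if (typeof document !== "undefined") {
  const editor = document.querySelector("[contenteditable]");  // assumed editor element
  if (editor) editor.addEventListener("paste", onPaste);
}
```

The tokenizer-based sanitizer is deliberately simple so it runs outside a browser; a production editor should instead parse the clipboard HTML with the browser's own parser (for example `DOMParser`) and walk the resulting tree, because browser parsing has quirks a regular expression does not model. Note also that the hook covers the `paste` event only: drag-and-drop and other insertion paths into a contenteditable region need the same treatment, and whether this approach is sufficient for Caja's security requirements is exactly the untested question the message leaves open.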