I had a chat with Mike Samuel, the author of html-sanitizer.js. The html_sanitize function is configured with two functions. One of those functions is for mapping element IDs. Caja needs that, but the gadgets.util.sanitizeHtml function doesn't. A simple identity function will suffice.
The other function is for validating URLs. He suggested that we implement that by using the regular expression from RFC 3986 Appendix B to parse the URLs, doing whatever checks we need, and then reassembling them with encodeURIComponent.

Cheers,
Brian

On Fri, Aug 8, 2008 at 12:23 PM, Ropu <[EMAIL PROTECTED]> wrote:
> nor
>
> <iframe src="javascript:..." />
>
> On Fri, Aug 8, 2008 at 6:08 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
>
>> Hi Reema -
>>
>> Thanks for looking at this. You can probably build your
>> implementation on top of the html_sanitize function in
>> features/caja/html-sanitizer.js.
>>
>> Questions answered inline:
>>
>> On Thu, Aug 7, 2008 at 11:58 AM, Reema Sardana <[EMAIL PROTECTED]> wrote:
>> > The reference at
>> > http://opensocial-resources.googlecode.com/svn/spec/0.8/gadgets/util.js does
>> > not give any details on how the HTML is to be sanitized. Whether it should
>> > use a blacklist or a whitelist depends on how much flexibility we want to
>> > give to the gadget.
>>
>> Whitelist, definitely a whitelist.
>>
>> > I was looking at implementing this but I am not sure if I am considering
>> > everything that needs to be taken care of.
>> >
>> > 1. Strip all script tags of the form <script
>>
>> Yes.
>>
>> > 2. Strip tags of the form <a onclick="javascript:alert('foo')">bar</a>
>>
>> Yes.
>>
>> > 3. Applets ?
>>
>> Not allowed, likewise no flash/activex/anything similar.
>>
>> > 4. <div style="width: expression(alert(1))">hello</div>
>>
>> Also not allowed.
>>
>> Another case to be sure to block: <a href='javascript:something()'>
>>
>> Cheers,
>> Brian
>>
>
>
> --
> .-. --- .--. ..-
> R o p u
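The URL policy Brian describes (RFC 3986 Appendix B regex to split the URL, whitelist checks on the pieces, re-encode with encodeURIComponent, reassemble), written out as an added example. This is not code from Shindig, Caja or html-sanitizer.js. It assumes a policy contract the thread does not spell out: the sanitizer passes the raw attribute value in and uses the returned string, or drops the attribute when the policy returns null. The scheme whitelist (http/https only), the host pattern and the sample inputs are my own choices, the samples constructed from the cases raised in the thread.

```javascript
// Added example, not code from Shindig, Caja or html-sanitizer.js.
// Assumed contract (not stated in the thread): html_sanitize calls the policy
// with the raw attribute value and keeps the returned string, or drops the
// attribute when the policy returns null.

// RFC 3986 Appendix B regex, verbatim. Capture groups:
// 2 = scheme, 4 = authority, 5 = path, 7 = query, 9 = fragment.
const RFC3986_URI = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Whitelist, as the thread insists. Anything else (javascript:, data:,
// vbscript:, and scheme-relative "//host" which has no scheme) is rejected.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// host[:port] only. Rejecting "@" keeps "http://trusted@evil/" out.
// Assumption: gadgets do not need IPv6 literals, so they are not handled.
const HOST_PORT = /^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?$/i;

function parseUri(s) {
  // Every group is optional, so the regex matches any string and exec never returns null.
  const m = RFC3986_URI.exec(s);
  return { scheme: m[2], authority: m[4], path: m[5], query: m[7], fragment: m[9] };
}

// Normalise one component: decode valid percent-escapes, then re-encode with
// encodeURIComponent so the output only contains characters it emits.
// A malformed escape such as "%zz" is kept literally and becomes "%25zz".
function reencode(part) {
  let decoded;
  try {
    decoded = decodeURIComponent(part);
  } catch (e) {
    decoded = part;
  }
  return encodeURIComponent(decoded);
}

// Returns the sanitised URL, or null if the attribute should be dropped.
function sanitizeUri(raw) {
  const u = parseUri(String(raw).trim());
  // Exact, case-folded match against the whitelist: "JavaScript:", "java\tscript:"
  // and "\u0001javascript:" all fail because none of them equals "http" or "https".
  const scheme = (u.scheme || "").toLowerCase();
  if (!ALLOWED_SCHEMES.has(scheme)) return null;
  if (u.authority === undefined || !HOST_PORT.test(u.authority)) return null;

  // Path: re-encode per segment so "/" survives while spaces, "<", "%2F" etc. are escaped.
  const path = (u.path || "/").split("/").map(reencode).join("/");

  // Query: re-encode each key and value separately so "&" and "=" survive.
  let query = "";
  if (u.query !== undefined) {
    query = "?" + u.query.split("&").filter(Boolean).map(function (pair) {
      const eq = pair.indexOf("=");
      return eq < 0
        ? reencode(pair)
        : reencode(pair.slice(0, eq)) + "=" + reencode(pair.slice(eq + 1));
    }).join("&");
  }
  const fragment = u.fragment === undefined ? "" : "#" + reencode(u.fragment);

  return scheme + "://" + u.authority.toLowerCase() + path + query + fragment;
}

// The second callback: an identity mapper for element IDs. Caja needs renaming,
// gadgets.util.sanitizeHtml does not, so the ID passes through unchanged.
function identityIdMapper(id) {
  return id;
}

// Constructed sample attribute values, including the cases raised in the thread.
const SAMPLE_URLS = [
  "javascript:something()",               // <a href='javascript:something()'>
  "javascript:...",                       // <iframe src="javascript:..." />
  " JavaScript:alert(1)",                 // case and leading whitespace
  "data:text/html,<script>",
  "//evil.example/x",                     // scheme-relative
  "http://user@evil.example/",            // userinfo
  "HTTP://Example.COM",
  "http://example.com/a b?q=1&x=<y>#frag",
  "http://example.com/%zz",               // malformed escape
];

if (typeof require !== "undefined" && require.main === module) {
  for (const url of SAMPLE_URLS) {
    console.log(JSON.stringify(url), "=>", JSON.stringify(sanitizeUri(url)));
  }
}
```

The decode-then-encode step means the policy emits only characters encodeURIComponent produces, so an attacker cannot smuggle raw quotes or angle brackets back into the attribute; the price is that "+" in a query is rewritten as "%2B", which changes meaning for form-encoded query strings, so a deployment that needs those would keep "+" as a special case.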

