Ps, I haven't had a lot of time recently to closely follow the
discussion and concepts around the sanitizeHtml work, however from
what I gather from quickly glancing over this thread, this is
going to be a Caja-based feature, right? (as opposed to a JS-based one
that I was personally hoping for :)).

It'll be good to keep in mind that if a number of containers don't
have access to Caja (either they have a custom implementation such as
some Asian sites have), or use the PHP version, this feature might
render quite different results on those containers, especially since
the spec is quite vague on what exactly it's supposed to do and what
end result can be expected.

So before you go update the docs based on one implementation, keep
that in mind please :) (and take any doc / spec change proposals to
the spec list ofc, and not the shindig lists)

-- Chris

On Aug 14, 2008, at 5:49 AM, Brian Eaton wrote:

> On Wed, Aug 13, 2008 at 6:02 PM, Jasvir Nagra <[EMAIL PROTECTED]> wrote:
>> Sure, I can push a caja.jar that splits off the html-sanitizer
>> dependent javascript out of domita-minified. I'm adopting the
>> following names:
>> * domita-minified.js (domita+caja without html sanitizer)
>> * html-sanitizer-minified.js (html4-defs + css-defs + html-sanitizer)
>
> Sounds good.
>
>> Some features of html-sanitizer to be aware of... it expects and
>> outputs a balanced set of tags. So it will ignore extraneous close
>> tags or insert closing tags as necessary. I can't find any documentation
>> on what sanitizeHTML is supposed to output other than that it is safe
>> to set innerHTML to. If the behaviour of html-sanitizer is
>> acceptable, it should probably be added to the documentation
>> somewhere.
>
> I'd rather leave the documentation vague so we have the freedom to
> change. For now, it's magic security dust.