This exposes a hook named 'tagPolicy' in the sanitizer so that the
sanitizer can be customized to accept or transform particular tags,
for example, to accept <iframe> tags with a specific SRC, or transform
<embed> tags into <iframe> tags.
makeTagPolicy, sanitizeAttribs, and sanitizeWithPolicy are factored
out so that they can be easily reused in custom tagPolicy functions.
http://codereview.appspot.com/4641064/diff/11002/src/com/google/caja/plugin/html-sanitizer.js
File src/com/google/caja/plugin/html-sanitizer.js (right):
http://codereview.appspot.com/4641064/diff/11002/src/com/google/caja/plugin/html-sanitizer.js#newcode1
src/com/google/caja/plugin/html-sanitizer.js:1: // Copied from r4631 of the google-caja project, then ...
14 years, 8 months ago
(2011-10-06 12:30:22 UTC)
#6
14 years, 8 months ago
(2011-10-09 07:02:36 UTC)
#11
LGTM modulo a fix for the bug you identified.
http://codereview.appspot.com/4641064/diff/21001/src/com/google/caja/plugin/h...
File src/com/google/caja/plugin/html-sanitizer.js (right):
http://codereview.appspot.com/4641064/diff/21001/src/com/google/caja/plugin/h...
src/com/google/caja/plugin/html-sanitizer.js:536: if (value && '#' === value.charAt(0)) {
On 2011/10/07 18:15:38, kpy wrote:
> I realized I don't really understand what's going on here. This code preserves
> the current behaviour, but why is it correct to pass in a #-prefixed string to
> opt_nmTokenPolicy and then expect it to return a non-#-prefixed string? If
> opt_nmTokenPolicy is the identity function, won't this result in usemap="#foo"
> turning into usemap="##foo"?
I think this is buggy.
If the URI starts with '#' then it is an in-document reference, so scrolls to an
element with the ID or NAME attribute that is value.substring(1). Line 537
should probably do a substring(1).
The name policy then would return a name or ID which would have to be properly
prefixed to make a URI reference.
14 years, 8 months ago
(2011-10-19 00:18:42 UTC)
#12
http://codereview.appspot.com/4641064/diff/21001/src/com/google/caja/plugin/h...
File src/com/google/caja/plugin/html-sanitizer.js (right):
http://codereview.appspot.com/4641064/diff/21001/src/com/google/caja/plugin/h...
src/com/google/caja/plugin/html-sanitizer.js:536: if (value && '#' === value.charAt(0)) {
On 2011/10/09 07:02:36, MikeSamuel wrote:
> On 2011/10/07 18:15:38, kpy wrote:
> > I realized I don't really understand what's going on here. This code preserves
> > the current behaviour, but why is it correct to pass in a #-prefixed string to
> > opt_nmTokenPolicy and then expect it to return a non-#-prefixed string? If
> > opt_nmTokenPolicy is the identity function, won't this result in usemap="#foo"
> > turning into usemap="##foo"?
>
> I think this is buggy.
>
> If the URI starts with '#' then it is an in-document reference, so scrolls to an
> element with the ID or NAME attribute that is value.substring(1). Line 537
> should probably do a substring(1).
> The name policy then would return a name or ID which would have to be properly
> prefixed to make a URI reference.
Done.
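
The fragment-rewriting bug discussed in this thread, as an added example that is not part of the review or of html-sanitizer.js. The function names, the null-on-rejection convention and the suffixing policy are assumptions made for illustration; only the `'#' === value.charAt(0)` test, the `substring(1)` fix and the role of the name-token policy come from the comments above.

```javascript
// Added illustration; names here are hypothetical, not from html-sanitizer.js.

// Behaviour questioned in the review: the whole "#foo" string is handed to
// the name-token policy, and '#' is then prepended to whatever comes back.
function rewriteFragmentBuggy(value, nmTokenPolicy) {
  if (value && '#' === value.charAt(0)) {
    const rewritten = nmTokenPolicy(value);      // policy sees "#foo"
    return rewritten ? '#' + rewritten : null;   // identity policy -> "##foo"
  }
  return null; // not an in-document reference; handled elsewhere
}

// Behaviour suggested in the review: strip the '#', let the policy judge the
// bare name or ID, then re-prefix the result to form a URI reference again.
function rewriteFragmentFixed(value, nmTokenPolicy) {
  if (value && '#' === value.charAt(0)) {
    const rewritten = nmTokenPolicy(value.substring(1)); // policy sees "foo"
    return rewritten ? '#' + rewritten : null;           // "" or null -> drop
  }
  return null;
}

// Two constructed policies to exercise both versions.
const identity = (name) => name;

// Accepts only simple tokens and appends a namespace suffix (assumed value),
// so references stay inside the sanitized content's own ID space.
const SUFFIX = '-sandbox___';
function suffixPolicy(name) {
  return /^[A-Za-z][\w-]*$/.test(name) ? name + SUFFIX : null;
}

console.log(rewriteFragmentBuggy('#foo', identity));     // "##foo"
console.log(rewriteFragmentFixed('#foo', identity));     // "#foo"
console.log(rewriteFragmentBuggy('#foo', suffixPolicy)); // null
console.log(rewriteFragmentFixed('#foo', suffixPolicy)); // "#foo-sandbox___"
```

With a strict policy the unfixed version never produces "##foo"; it rejects every reference instead, because the policy is asked to validate a token that starts with '#'.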
Issue 4641064: Factor out a replaceable tagPolicy to enable customization of the sanitizer.
Created 14 years, 11 months ago by zestyping
Modified 14 years, 7 months ago
Reviewers: MikeSamuel, kpy
Base URL: http://google-caja.googlecode.com/svn/trunk/
Comments: 17