Description

The existing taming attempted to prevent the allowHtml option from being
set, but did not filter all of the means of setting options.
Additionally, there are other parameters that can be used to enable
interpretation of some fields as HTML.
Therefore, introduce sanitization for inputs to the API, based on
whitelists of allowed keys in objects. (This is not fully strict;
many parameters are allowed to be arbitrary strings where their
definition does not seem likely to later permit arbitrary HTML.)
Also added some automated tests which will check for HTML leakage and
could be extended to be general functionality tests.
Committed as 01ed526f784ecf0121f64dd3c891faaaef6cf2fc.
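The allowlist-based sanitization the description introduces, shown as an added example that is not Caja's or the Google Visualization API's own code. It contrasts a single-key denylist with a schema-driven allowlist over nested option objects; every key name other than allowHtml, the schema shape and the function names are assumptions made for illustration.

```javascript
// Added example (not Caja's or the Google Visualization API's own code):
// an allowlist-based sanitizer for option objects, contrasted with the
// delete-one-key approach the description says was insufficient.
// Every key below except allowHtml is hypothetical, chosen for illustration.

// Schema: each key maps to a primitive type name, a one-element array giving
// the element type, or a nested schema object.
const OPTIONS_SCHEMA = Object.freeze({
  title: 'string',   // arbitrary string; the consumer must not render it as HTML
  width: 'number',
  height: 'number',
  colors: ['string'],
  legend: Object.freeze({ position: 'string' }),
});

// Naive approach: delete one known dangerous key and pass everything else
// through. A nested flag, or a key this function never heard of, survives.
function denylistOptions(input) {
  const out = { ...input };
  delete out.allowHtml;
  return out;
}

// Allowlist approach: copy only keys present in the schema, check their
// types, recurse into nested schemas, and reject anything else.
function sanitizeOptions(input, schema = OPTIONS_SCHEMA, path = '') {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError(`expected an object at ${path || '<root>'}`);
  }
  const out = {};
  // Object.keys yields own enumerable keys only, and hasOwnProperty on the
  // schema ignores inherited names such as "constructor" or "__proto__".
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      throw new Error(`option "${path}${key}" is not allowed`);
    }
    const value = input[key];
    const rule = schema[key];
    if (typeof rule === 'string') {
      if (typeof value !== rule) {
        throw new TypeError(`option "${path}${key}" must be a ${rule}`);
      }
      out[key] = value;
    } else if (Array.isArray(rule)) {
      if (!Array.isArray(value) || value.some((v) => typeof v !== rule[0])) {
        throw new TypeError(`option "${path}${key}" must be an array of ${rule[0]}`);
      }
      out[key] = value.slice();
    } else {
      out[key] = sanitizeOptions(value, rule, `${path}${key}.`);
    }
  }
  return out;
}

// Constructed inputs for the demo: a benign options object and one carrying
// a hypothetical nested flag that a top-level denylist never looks at.
const benign = { title: 'Sales', width: 400, colors: ['#00f'], legend: { position: 'bottom' } };
const nestedFlag = { title: 'Sales', legend: { position: 'bottom', hypotheticalHtmlFlag: true } };

function demo() {
  const results = {};
  results.denylistKeepsNestedFlag =
    denylistOptions(nestedFlag).legend.hypotheticalHtmlFlag === true;
  try {
    sanitizeOptions(nestedFlag);
    results.allowlistRejectsNestedFlag = false;
  } catch (e) {
    results.allowlistRejectsNestedFlag = true;
  }
  results.allowlistKeepsBenign =
    JSON.stringify(sanitizeOptions(benign)) === JSON.stringify(benign);
  return results;
}

console.log(demo());
```

Rejecting unknown keys outright (rather than silently dropping them) is deliberate: a caller that passes an option the schema does not know about gets a loud failure, so a newly added HTML-enabling parameter cannot slip through unnoticed.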
Patch Set 1
Patch Set 2 : Sanitize Google Visualization API parameters.
Total comments: 6
Patch Set 3 : Sanitize Google Visualization API parameters.
Total comments: 15
Patch Set 4 : Sanitize Google Visualization API parameters.
Total comments: 4
Patch Set 5 : Sanitize Google Visualization API parameters.
Patch Set 6 : Sanitize Google Visualization API parameters.

Messages

Total messages: 18