Author: lryan
Date: Thu Jul 16 02:49:06 2009
New Revision: 794499

URL: http://svn.apache.org/viewvc?rev=794499&view=rev
Log:
Upgrade to Caja r3574
- Fixes issue with URI escaping in sanitized CSS output
- Fixes bug with CSS DOM cloning (We can now retire the CajaCssLexerParser)
- Caja HTML parser now supports W3C DOM interface (Not used yet)

Modified:
    
incubator/shindig/trunk/features/src/main/javascript/features/caja/feature.xml
    
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssParser.java
    
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java
    
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/CajaContentRewriter.java
    
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java
    
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingGadgetRewriterTest.java
    
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingRequestRewriterTest.java
    
incubator/shindig/trunk/javascript/samplecontainer/examples/SocialCajaWorld.xml
    incubator/shindig/trunk/pom.xml

Modified: 
incubator/shindig/trunk/features/src/main/javascript/features/caja/feature.xml
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/caja/feature.xml?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- 
incubator/shindig/trunk/features/src/main/javascript/features/caja/feature.xml 
(original)
+++ 
incubator/shindig/trunk/features/src/main/javascript/features/caja/feature.xml 
Thu Jul 16 02:49:06 2009
@@ -21,8 +21,8 @@
 <feature>
   <name>caja</name>
   <gadget>
-    <script src="res://com/google/caja/plugin/domita-minified.js"></script>
-    <script src="caja.js"></script>
-    <script src="res://com/google/caja/plugin/valija.co.js"></script>
+    <script src="res://com/google/caja/plugin/domita-minified.js"/>
+    <script src="caja.js"/>
+    <script src="res://com/google/caja/plugin/valija.co.js"/>
   </gadget>
 </feature>

Modified: 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssParser.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssParser.java?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssParser.java
 (original)
+++ 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssParser.java
 Thu Jul 16 02:49:06 2009
@@ -32,8 +32,8 @@
 import com.google.caja.lexer.TokenStream;
 import com.google.caja.parser.css.CssParser;
 import com.google.caja.parser.css.CssTree;
+import com.google.caja.render.Concatenator;
 import com.google.caja.render.CssPrettyPrinter;
-import com.google.caja.reporting.MessageContext;
 import com.google.caja.reporting.MessageLevel;
 import com.google.caja.reporting.MessageQueue;
 import com.google.caja.reporting.RenderContext;
@@ -94,18 +94,7 @@
       }
     }
     if (shouldCache) {
-      try {
-        return (CssTree.StyleSheet)parsedCss.clone();
-      } catch (RuntimeException re) {
-        // TODO - FIXME ASAP!
-        log.log(Level.INFO,
-            "Workaround for Caja bug 
http://code.google.com/p/google-caja/issues/detail?id=985&start=200\n"; + 
re.getMessage());
-        try {
-          return parseImpl(content);
-        } catch (ParseException pe) {
-          throw new GadgetException(GadgetException.Code.CSS_PARSE_ERROR, pe); 
-        }
-      }
+      return (CssTree.StyleSheet)parsedCss.clone();
     }
     return parsedCss;
   }
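Review bot: The bare clone on the new return line carries no comment, and the reason the cache hands out a copy is not obvious here: presumably callers mutate the tree in place (CajaCssSanitizer.clean in this same commit calls removeChild on the parsed stylesheet). Suggest `// Hand out a copy: callers such as the CSS sanitizer edit the tree in place, and the cached instance must stay untouched.` above the return. With the try/catch gone, a RuntimeException from clone() now escapes a method that otherwise reports failures as GadgetException.Code.CSS_PARSE_ERROR; acceptable if the Caja clone bug is fixed, but the method's Javadoc should say so. If the removed block was the only user of `log` and `Level` in this file, those imports are now unused. The enclosing method begins before the hunk.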
@@ -140,8 +129,8 @@
 
   /** Serialize a stylesheet to a Writer. */
   public void serialize(CssTree.StyleSheet styleSheet, Writer writer) {
-    CssPrettyPrinter cssPrinter = new CssPrettyPrinter(writer, null);
-    styleSheet.render(new RenderContext(new MessageContext(), cssPrinter));
+    CssPrettyPrinter cssPrinter = new CssPrettyPrinter(new 
Concatenator(writer, null));
+    styleSheet.render(new RenderContext(cssPrinter));
     cssPrinter.noMoreTokens();
   }
 
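Review bot: The `null` handed to the new Concatenator in serialize is unexplained; if it is Caja's I/O-exception callback, whether a failed write to `writer` is surfaced or swallowed now depends on Concatenator's default, which a reader cannot tell from here. Suggest `// null: no custom handler for IOExceptions from writer — confirm what Concatenator does by default` on that line, and a Javadoc sentence stating whether write failures reach the caller.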

Modified: 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java
 (original)
+++ 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java
 Thu Jul 16 02:49:06 2009
@@ -191,8 +191,12 @@
   private static void clean(AncestorChain<?> chain) {
     if (chain.node instanceof CssTree.Declaration ||
         chain.node instanceof CssTree.Import) {
-      // Remove the entire subtree
-      ((AbstractParseTreeNode)chain.getParentNode()).removeChild(chain.node);
+      if (chain.getParentNode() instanceof CssTree.UserAgentHack) {
+        clean(chain.parent);
+      } else {
+        // Remove the entire subtree
+        ((AbstractParseTreeNode)chain.getParentNode()).removeChild(chain.node);
+      }
     } else {
       clean(chain.parent);
     }
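Review bot: The new UserAgentHack branch recurses to the parent instead of removing the offending declaration, so the unsafe property now survives unless the next recursion step removes the hack node; nothing in the hunk records why, and the walk has no terminating case if it ever reaches the root (a null chain.parent is dereferenced as `chain.node`). Suggest a comment on the new if: `// A declaration wrapped in a user-agent hack cannot be dropped on its own; walk up and drop the enclosing hack node so the unsafe property does not survive.` Whether the hack node itself satisfies the Declaration check above is what makes this terminate — worth stating once confirmed against the Caja r3574 class hierarchy. The method's closing brace lies outside the hunk.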

Modified: 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/CajaContentRewriter.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/CajaContentRewriter.java?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/CajaContentRewriter.java
 (original)
+++ 
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/CajaContentRewriter.java
 Thu Jul 16 02:49:06 2009
@@ -39,7 +39,6 @@
 import com.google.caja.opensocial.GadgetRewriteException;
 import com.google.caja.opensocial.UriCallback;
 import com.google.caja.opensocial.UriCallbackException;
-import com.google.caja.opensocial.UriCallbackOption;
 import com.google.caja.reporting.BuildInfo;
 import com.google.caja.reporting.Message;
 import com.google.caja.reporting.MessageContext;
@@ -58,10 +57,6 @@
 
       final URI retrievedUri = gadget.getContext().getUrl().toJavaUri();
       UriCallback cb = new UriCallback() {
-        public UriCallbackOption getOption(ExternalReference 
externalReference, String string) {
-          return UriCallbackOption.REWRITE;
-        }
-
         public Reader retrieve(ExternalReference externalReference, String 
string)
             throws UriCallbackException {
           logger.info("Retrieving " + externalReference.toString());

Modified: 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java
 (original)
+++ 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java
 Thu Jul 16 02:49:06 2009
@@ -25,7 +25,7 @@
 import com.google.caja.parser.css.CssTree;
 
 /**
- * 
+ *
  */
 public class CajaCssSanitizerTest extends EasyMockTestCase {
 
@@ -85,7 +85,15 @@
     CssTree.StyleSheet styleSheet = parser.parseDom(css);
     sanitizer.sanitize(styleSheet, DUMMY, importRewriter, imageRewriter);
     assertStyleEquals(
-        ".xyz { background: 
url('http://www.example.org/img.gif\\26sanitize%3d1\\26rewriteMime%3dimage/\\2A 
');}", styleSheet);
+        ".xyz { background: 
url('http://www.example.org/img.gif&sanitize=1&rewriteMime=image/*');}", 
styleSheet);
+  }
+
+  public void testUrlEscaping() throws Exception {
+    String css = ".xyz { background: url('http://www.example.org/img.gif');}";
+    CssTree.StyleSheet styleSheet = parser.parseDom(css);
+    sanitizer.sanitize(styleSheet, DUMMY, importRewriter, imageRewriter);
+    assertEquals(parser.serialize(styleSheet).replaceAll("\\s", ""),
+        
".xyz{background:url('http://www.example.org/img.gif%26sanitize%3D1%26rewriteMime%3Dimage/%2A');}");
   }
 
   public void assertStyleEquals(String expected, CssTree.StyleSheet 
styleSheet) throws Exception {
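Review bot: The assertEquals in the new testUrlEscaping puts the serialized output first and the expected literal second, the reverse of JUnit's (expected, actual) order, so a failure would label the two sides the wrong way round; swap them: `assertEquals(".xyz{background:url('http://www.example.org/img.gif%26sanitize%3D1%26rewriteMime%3Dimage/%2A');}", parser.serialize(styleSheet).replaceAll("\\s", ""));`. Also the fixture URL has no `?`, so the `&sanitize=1` the image rewriter appends (visible in the updated expectation above) lands in the path, and what this test pins is path-context escaping of `&` and `=`. If the intent is to cover the proxy-URL case, a fixture with a query string (constructed example: `url('http://www.example.org/img.gif?a=1')`) would exercise the query-context encoding that SanitizingGadgetRewriterTest expects. The assertStyleEquals signature at the end of the hunk continues outside it.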

Modified: 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingGadgetRewriterTest.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingGadgetRewriterTest.java?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingGadgetRewriterTest.java
 (original)
+++ 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingGadgetRewriterTest.java
 Thu Jul 16 02:49:06 2009
@@ -154,10 +154,10 @@
     // The caja css sanitizer does *not* remove the initial colon in urls
     // since this does not work in IE
     String sanitized = 
-        "<style>" 
+        "<style>"
       + "@import url('http://www.test.com/dir/proxy?url=www.example.org%2F";
-      +        "www.evil.com%2Fx.js\\26gadget=www.example.org%2Fgadget.xml\\26 
"
-      +        "fp=45508\\26sanitize=1\\26rewriteMime=text/css');" 
+      +        "www.evil.com%2Fx.js&gadget=www.example.org%2Fgadget.xml&"
+      +        "fp=45508&sanitize=1&rewriteMime=text%2Fcss');"
       + "</style>";
     String rewritten = rewrite(gadget, markup, set("style"), set());
     assertEquals(sanitized, rewritten);
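Review bot: The expected proxy URL is a hand-maintained literal that now pins Caja's exact encoding (`text%2Fcss`, bare `&`), and SanitizingRequestRewriterTest in this commit does the same; the property these tests guard is that `sanitize=1` and `rewriteMime` survive the rewrite and the old `\\26` form is gone, not the particular percent-encoding, so both assertions will churn on every Caja upgrade. Consider extracting the url() argument from the rewritten output and asserting on its decoded query parameters, keeping one explicit check that the emitted `@import url('...')` is still single-quoted and well-formed. The test method starts before the hunk.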

Modified: 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingRequestRewriterTest.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingRequestRewriterTest.java?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingRequestRewriterTest.java
 (original)
+++ 
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizingRequestRewriterTest.java
 Thu Jul 16 02:49:06 2009
@@ -79,7 +79,7 @@
     String sanitized = 
       "@import url('http://www.test.com/dir/proxy?";
         + "url=http%3A%2F%2Fwww.evil.com%2Fmore.css"
-        + "\\26 fp=45508\\26sanitize=1\\26rewriteMime=text/css');\n"
+        + "&fp=45508&sanitize=1&rewriteMime=text%2Fcss');\n"
         + "A {\n"
         + "  font: BOLD\n"
         + "}";

Modified: 
incubator/shindig/trunk/javascript/samplecontainer/examples/SocialCajaWorld.xml
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/javascript/samplecontainer/examples/SocialCajaWorld.xml?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- 
incubator/shindig/trunk/javascript/samplecontainer/examples/SocialCajaWorld.xml 
(original)
+++ 
incubator/shindig/trunk/javascript/samplecontainer/examples/SocialCajaWorld.xml 
Thu Jul 16 02:49:06 2009
@@ -1,159 +1,147 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
--->
 <Module>
- <ModulePrefs title="Social Caja World">
-   <Require feature="opensocial-0.7"></Require>
-   <Require feature="caja"></Require>
+ <ModulePrefs title="Caja Demo"
+    title_url="http://www.cajadores.com/";
+    height="200" 
+    author="Jasvir Nagra" 
+    author_email="[email protected]"> 
+   <Require feature="opensocial-0.8"></Require>
    <Require feature="dynamic-height"></Require>
  </ModulePrefs>
  <Content type="html">
    <![CDATA[
-   <style type="text/css">
-     #helloworlds {
-       margin: 20px;
-       font-family: arial, sans-serif;
-       width: 310px;
-     }
-
-     div.person img {
-       margin-bottom: 10px;
-     }
-
-     div.bubble {
-       background-image: 
url(/gadgets/files/samplecontainer/examples/bubble.gif);
-       background-repeat: no-repeat;
-       width: 202px;
-       height: 66px;
-       padding: 12px 0px 0px 12px;
-       font-weight: bold;
-       font-size: 18px;
-       float: right;
-     }
-
-     .c0 { color: #008000; }
-     .c1 { color: #FF8A00; }
-     .c2 { color: #7777CC; }
-     .c3 { color: #008000; }
-     .c4 { color: #CC0000; }
-     .c5 { color: #73A6FF; }
-
-     div.name {
-       width: 150px;
-       text-align: right;
-       font-weight: normal;
-       font-size: 12px;
-       color: #999;
-       position:relative;
-       top: 10px;
-       right: -35px;
-     }
-   </style>
-
-   <script type="text/javascript">
-     var hellos = new Array('Hello World', 'Hallo Welt', 'Ciao a tutti', 'Hola 
mundo',
-       '&#1055;&#1086;&#1103;&#1074;&#1083;&#1077;&#1085;&#1080;&#1077; 
&#1085;&#1072; &#1089;&#1074;&#1077;&#1090;', 
'&#12371;&#12435;&#12395;&#12385;&#12399;&#19990;&#30028;', 
'&#20320;&#22909;&#19990;&#30028;', '&#50668;&#47084;&#48516;, 
&#50504;&#45397;&#54616;&#49464;&#50836;');
-     var numberOfStyles = 6;
-     var viewerCount;
-
-     var allPeople, viewerFriendData;
-     function render(data) {
-       var viewer = data.get('viewer').getData();
-       allPeople = data.get('viewerFriends').getData().asArray() || new 
Array();
-       if (viewer) {
-         allPeople.push(viewer);
-       }
-
-       var viewerData = data.get('viewerData').getData() || {};
-       viewerCount = getCount(viewerData[viewer.getId()]);
-
-       viewerFriendData = data.get('viewerFriendData').getData() || {};
-       viewerFriendData[viewer.getId()] = viewerData[viewer.getId()];
-
-       var html = '';
-       for (var i = 0; i < allPeople.length; i++) {
-         var count = getCount(viewerFriendData[allPeople[i].getId()]);
-         if (count == 0) {
-           //continue;
-         }
-
-         html += '<div class="person">';
-         html += '<div class="bubble c' + count % numberOfStyles + '">' + 
hellos[count % hellos.length];
-         html += '<div class="name">' + allPeople[i].getDisplayName() + ' (' + 
count + ') ' + 
allPeople[i].getField(opensocial.Person.Field.GENDER).getDisplayValue();
-         html += '</div></div>';
-
-         if (allPeople[i].getField(opensocial.Person.Field.THUMBNAIL_URL)
-             && 
allPeople[i].getField(opensocial.Person.Field.THUMBNAIL_URL).indexOf('null') == 
-1) {
-           html += '<img src="' + 
allPeople[i].getField(opensocial.Person.Field.THUMBNAIL_URL) + '"/>';
-         } else {
-           html += '<img 
src="/gadgets/files/samplecontainer/examples/nophoto.gif"/>';
-         }
-         html += '<br style="clear:both"></div>';
-       }
-       document.getElementById('helloworlds').innerHTML = html;
-
-       gadgets.window.adjustHeight();
-     }
-
-     function getCount(data) {
-       return data && data['count'] ? Number(data['count']) : 0;
-     }
-
-     function sayHelloWorld() {
-       viewerCount++;
-       var req = opensocial.newDataRequest();
-       req.add(req.newUpdatePersonAppDataRequest('VIEWER', 'count', 
viewerCount), 'updateData');
-       req.send(initData);
-     }
-
-
-     var opts = {};
-     opts[opensocial.DataRequest.PeopleRequestFields.FIRST] =  0;
-     opts[opensocial.DataRequest.PeopleRequestFields.MAX] = 40;
-     opts[opensocial.DataRequest.PeopleRequestFields.PROFILE_DETAILS] =
-                     [opensocial.Person.Field.AGE,
-                     opensocial.Person.Field.NAME,
-                     opensocial.Person.Field.GENDER,
-                     opensocial.Person.Field.PROFILE_URL,
-                     opensocial.Person.Field.THUMBNAIL_URL,
-                     opensocial.Person.Field.STATUS];
-     opts[opensocial.DataRequest.PeopleRequestFields.SORT_ORDER] = 
opensocial.DataRequest.SortOrder.NAME;
-
-
-
-     function initData() {
-       var req = opensocial.newDataRequest();
-       req.add(req.newFetchPersonRequest('VIEWER', opts), 'viewer');
-       req.add(req.newFetchPeopleRequest('VIEWER_FRIENDS', opts), 
'viewerFriends');
-       req.add(req.newFetchPersonAppDataRequest('VIEWER', 'count'), 
'viewerData');
-       req.add(req.newFetchPersonAppDataRequest('VIEWER_FRIENDS', 'count'), 
'viewerFriendData');
-       req.send(render);
-     }
-
-     gadgets.util.registerOnLoadHandler(initData);
-   </script>
-
-   <div style="margin-bottom: 1em">
-     <input type="button" value="Say hello" onclick="sayHelloWorld(); return 
false;"/>
-   </div>
-   <div id="helloworlds" style="margin: 4px">
-   </div>
+    <style type="text/css">
+      body { font-family: arial,sans-serif,helvetica; background-color: 
#E5ECF9; }
+      p,td,span,input,label { font-family: arial,sans-serif, helvetica; 
font-size:12px }
+      .intro { background-color: #FFFFFF; text-align: center; border: 1px 
solid; width: 80%; padding: 5px; margin-left: auto; margin-right:auto; 
overflow:scroll; }
+      .source { background-color: #FFFFFF; text-align: center; border: 1px 
solid; width: 80%; padding: 5px; margin-left: auto; margin-right:auto; 
overflow:scroll; }
+      .problem { background-color: #E5ECF9; text-align: center; border-top: 
1px solid #6B90DA; padding: 5px; }
+      .explanation { font-size:80%; background-color: #E5ECF9; text-align: 
center; border: 1px; width: 80%; margin-left: auto; margin-right:auto; 
padding:5px; }
+      .attack { background:#E5ECF9 none repeat scroll 0 0;
+        text-align:left;
+        border: 1px;
+        padding: 10px 10px;
+      }
+      a.visitattack { display: none; color: #0000ff; }
+      a.visitattack:visited { display: none; color: #000000; }
+      .name { background:#C3D9FF none repeat scroll 0 0; padding:4px 3px 3px 
4px;}
+    </style>
+    <div id="intro">
+      Try out these examples in the Shindig sample container by turning the 
"use caja" flag on or off. 
+    </div>
+    <div id="attacks">
+      <div id="attack1" class="attack">
+        <div class="name">Redirection</div>
+        <div class="problem">
+          <script>var godoevil = function() { top.location = 
"http://www.thinkfu.com/evil.gif";; 
document.getElementById("redirection-result").innerHTML = "Gadget trying to 
redirect page";  };</script>
+          <form>
+            <input type="button" value="Go Do Evil Redirection" 
onclick="godoevil()" >
+          </form>
+          <label for="redirection-result">Result:</label><div 
id="redirection-result"></div>
+        </div>
+        <label for="attack1source">Source:</label><div id="attack1source" 
class="source">
+        top.location = "http://www.thinkfu.com/evil.gif";;
+        </div>
+        <div class="explanation">
+You want to allow gadgets in your page but browsers allow any gadget
+(including one that is in an iframe) to access and navigate the
+browser window.  For example, a gadget can redirect the container
+to a phishing site to steal your password.
+
+Caja does not enforce a policy of its own.  Instead it gives
+containers stricter control over a gadget can do.  For example, it
+allows the container to decide whether a gadget can read or set
+variables such as <code>top.location</code>.  A careful choice of
+policy allows a container to protect its users from being unwittingly
+redirected to phishing and malware sites.
+        </div>
+      </div> 
+
+      <div id="attack2" class="attack">
+        <div class="name">Sniffing User History</div>
+        <div class="problem">
+        <a id="googlesniff" class="visitattack" 
href="http://www.google.com";>Link to Google.com</a>
+            <p>
+            <label for="toplocation">User recently visited 
Google.com:</label><div id="googlesniff-result"></div>
+        <script>
+          var link = document.getElementById("googlesniff");
+         var computedColor;
+          if(document.defaultView) {
+               var computedStyle = document.defaultView.getComputedStyle(link, 
null);
+               try { computedColor = 
computedStyle.getPropertyValue('color');}catch(e){}
+          } else {
+               computedColor = link.currentStyle && link.currentStyle['color'];
+          }
+          document.getElementById("googlesniff-result").innerHTML = 
computedColor == '#000000' || computedColor == 'rgb(0, 0, 0)' ? "Yes!" : 
"Unknown";
+        </script>
+        </div>
+        <label for="attack2source">Source:</label><div id="attack2source" 
class="source">
+        var computedStyle = document.defaultView.getComputedStyle(link, 
null);<br>
+        var computedColor = computedStyle.getPropertyValue('color');<br>
+        var visited = computedColor == '#000000' || computedColor == 'rgb(0, 
0, 0)' ? "Yes!" : "Unknown";<br>
+        </div>
+        <div class="explanation">
+When you visit a website, your browser helpfully colors links to that
+site with a different color.  Unfortunately a malicious gadget can use
+this computed style to detect if you have visited particular sites.
+In this way, a malicious gadget try to determine your gender, your
+news tastes, your political leaning, the name of your bank and other
+sensitive information by analyzing the sites you visit.
+
+By default Caja protects users against such leakage of information by
+not granting access to computed styles.
+        </div>
+      </div>
+      <div id="attack3" class="attack">
+        <div class="name">Script Injection</div>
+        <div class="problem">
+        <script>
+          function displayResult() { 
+            var blogComment = document.createElement('div');
+            blogComment.innerHTML = document.getElementById("resultGen").value;
+            document.getElementById("result").appendChild(blogComment);
+          }
+        </script>
+        <form>Enter a comment on my blog:<input id="resultGen" type="text" 
size="50" value="<b>just some bold text nothing to see here dudes.</b><script 
defer>alert('XSS Exploited!');</script>"><br>
+        <input type="button" value="Display Comment" 
onclick="displayResult();"></form><br>
+        <label for="result">Comment:</label><div id="result"></div>
+        </div>
+        <label for="attack3source">Source:</label><div id="attack3source" 
class="source">
+          var blogComment = document.createElement('div');
+          blogComment.innerHTML = "&lt;b&gt;user entered text which happens to 
contain a &lt;script&gt; tag.&lt;/b&gt;&lt;script 
defer&gt;alert('muahahaa');&lt;/script&gt;";
+          document.getElementById("result").appendChild(blogComment);
+        </div>
+        <div class="explanation">
+You want to allow a user to enter comments in your blog using HTML but
+you don't want them to be able to enter scripts which steal cookies of
+other readers of your blog.  In this example, user input is being
+assigned directly to innerHTML.  On some browsers this has no effect
+but on IE, this will result in the embedded script being executed.
+
+Caja prevents such attacks by sanitizing strings before inserting them into 
the DOM.  
+        </div>
+      </div> 
+      <div id="attack4" class="attack">
+        <div class="name">Cookie Stealing</div>
+        <div class="problem">
+        Document cookie: <div id="cookie"></div>
+        <script>document.getElementById('cookie').innerHTML = 
(""+document.cookie).substring(0, 10) + "...";</script>
+        </div>
+        <label for="attack4source">Source:</label><div id="attack4source" 
class="source">
+document.getElementById('cookie').innerHTML = document.cookie
+        </div>
+        <div class="explanation">
+You want to inline gadgets in your page but you don't want it to steal
+your viewer's cookies.  In this example, you can see if a gadget you
+use sets cookies and if a malicious gadget can access it.
+
+ Caja disallows access to any variable which the container does not
+ explicitly grant a gadget access to.  Unless a container explicitly
+ grants a gadget access to your cookies, a gadget is unable to access
+ it.
+        </div>
+      </div>
+<script>gadgets.window.adjustHeight();</script>
   ]]>
   </Content>
 </Module>
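Review bot: The rewritten gadget drops the ASF license header the old file carried (the removed comment block at the top is not re-added), and the new markup is unbalanced: `<div id="attacks">` is never closed before `]]>`, and the `<p>` in the Sniffing User History block stays open. Unbalanced markup is exactly what the Caja HTML parser and a plain browser may normalise differently, so a demo meant to be compared with the "use caja" flag on and off should start from well-formed HTML; add `</div>` after the attack4 block and close the `<p>`. `<label for="toplocation">` refers to no element in the file — presumably `googlesniff-result` was meant. The `<Require feature="caja">` line is gone from ModulePrefs; if that is deliberate because the container flag now decides, a one-line comment in the file saying so would spare the next reader a search.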

Modified: incubator/shindig/trunk/pom.xml
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/pom.xml?rev=794499&r1=794498&r2=794499&view=diff
==============================================================================
--- incubator/shindig/trunk/pom.xml (original)
+++ incubator/shindig/trunk/pom.xml Thu Jul 16 02:49:06 2009
@@ -1335,7 +1335,7 @@
       <dependency>
         <groupId>caja</groupId>
         <artifactId>caja</artifactId>
-        <version>r3375</version>
+        <version>r3574</version>
         <scope>compile</scope>
       </dependency>
       <dependency>

