nor <iframe src="javascript:..." />
On Fri, Aug 8, 2008 at 6:08 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> Hi Reema -
>
> Thanks for looking at this. You can probably build your
> implementation on top of the html_sanitize function in
> features/caja/html-sanitizer.js.
>
> Questions answered inline:
>
> On Thu, Aug 7, 2008 at 11:58 AM, Reema Sardana <[EMAIL PROTECTED]> wrote:
> > The reference at
> > http://opensocial-resources.googlecode.com/svn/spec/0.8/gadgets/util.js does
> > not give any details on how the HTML is to be sanitized. Whether it should
> > use a blacklist or a whitelist depends on how much flexibility we want to
> > give to the gadget.
>
> Whitelist, definitely a whitelist.
>
> > I was looking at implementing this but I am not sure if I am considering
> > everything that needs to be taken care of.
> >
> > 1. Strip all script tags of the form <script
>
> Yes.
>
> > 2. Strip tags of the form <a onclick="javascript:alert('foo')">bar</a>
>
> Yes.
>
> > 3. Applets ?
>
> Not allowed, likewise no flash/activex/anything similar.
>
> > 4. <div style="width: expression(alert(1))">hello</div>
>
> Also not allowed.
>
> Another case to be sure to block: <a href='javascript:something()'>
>
> Cheers,
> Brian
> -- .-. --- .--. ..- R o p u
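For reference, a whitelist sanitizer covering the cases raised in the thread (script tags and their bodies, on* handlers, applet/object/embed/iframe, javascript: hrefs, CSS expression()). This is an added illustration, not Caja's html_sanitize and not Shindig code; the tag and attribute whitelists are my own choices and would be widened for a real gadget.

```javascript
// Added example, not Caja's html_sanitize nor any Shindig code: a whitelist sanitizer that
// drops what the thread lists (script, on* handlers, applet/iframe/etc., javascript: URLs, expression()).
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'div', 'span', 'br', 'ul', 'ol', 'li']);
const ALLOWED_ATTRS = new Set(['href', 'title', 'class', 'style']);  // on*, src, etc. are never copied
const RAW_TAGS = new Set(['script', 'style', 'applet', 'object', 'embed', 'iframe']);  // body dropped too
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(s) {  // browsers decode these before interpreting an attribute, so check the decoded form
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(amp|lt|gt|quot|apos));?/gi, (_, hex, dec, nm) =>
    hex ? String.fromCharCode(parseInt(hex, 16)) : dec ? String.fromCharCode(+dec) : NAMED[nm.toLowerCase()]);
}
function escapeText(s) { return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;'); }
function safeUrl(v) {  // allow http(s), mailto and scheme-less URLs; rejects javascript:, vbscript:, data:
  v = v.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
  return /^(?:https?|mailto):/.test(v) || !/^[a-z][a-z0-9+.\-]*:/.test(v);
}
function safeStyle(v) {  // crude check for script-carrying CSS; a production sanitizer parses the CSS instead
  v = v.replace(/\/\*[\s\S]*?\*\//g, '').toLowerCase();
  return !/expression\s*\(|url\s*\(|behavior\s*:|-moz-binding|@import|javascript:/.test(v);
}
function sanitizeAttrs(tag, attrText) {
  let out = '', a;
  ATTR_RE.lastIndex = 0;
  while ((a = ATTR_RE.exec(attrText)) !== null) {
    const name = a[1].toLowerCase(), value = decodeEntities(a[2] || a[3] || a[4] || '');
    if (!ALLOWED_ATTRS.has(name)) continue;  // whitelist: onclick, onload, src ... simply vanish
    if (name === 'href' && (tag !== 'a' || !safeUrl(value))) continue;
    if (name === 'style' && !safeStyle(value)) continue;
    out += ' ' + name + '="' + escapeText(value) + '"';
  }
  return out;
}
function sanitizeHtml(html) {
  let out = '', last = 0, skipping = null, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const slash = m[1], name = m[2].toLowerCase(), selfClose = m[4];
    // inside <script>...</script> and friends the body is discarded, not escaped
    if (skipping) { if (slash && name === skipping) { skipping = null; last = TAG_RE.lastIndex; } continue; }
    out += escapeText(html.slice(last, m.index));  // text between tags is escaped, never trusted
    last = TAG_RE.lastIndex;
    if (!ALLOWED_TAGS.has(name)) {  // tag not on the whitelist: remove it (and its body if raw)
      if (!slash && !selfClose && RAW_TAGS.has(name)) skipping = name;
      continue;
    }
    out += slash ? '</' + name + '>' : '<' + name + sanitizeAttrs(name, m[3]) + '>';
  }
  return skipping ? out : out + escapeText(html.slice(last));  // an unterminated raw block is dropped
}
```

Anything the tag regex cannot parse is left as text and escaped, so malformed markup fails closed rather than open.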

