Thanks for the reference. I took a look at his implementation. It has been
implemented very neatly. I guess I can steal most of his implementation then.

> > > The other function is for validating URLs. He suggested that we
> > > implement that by using the regular expression from RFC 3986 Appendix
> > > B to parse the URLs, doing whatever checks we need, and then
> > > reassembling them with encodeURIComponent.

Pardon for my ignorance here. The purpose of the HTML sanitizer is to return
something that can be safely assigned to innerHTML. Why do we need to validate
URLs? Do we bother if a URL is not valid? In other words, can it be unsafe in
any way?

- Reema

> On Fri, Aug 8, 2008 at 12:23 PM, Ropu <[EMAIL PROTECTED]> wrote:
> > nor
> >
> > <iframe src="javascript:..." />
> >
> > On Fri, Aug 8, 2008 at 6:08 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> >
> >> Hi Reema -
> >>
> >> Thanks for looking at this. You can probably build your
> >> implementation on top of the html_sanitize function in
> >> features/caja/html-sanitizer.js.
> >>
> >> Questions answered inline:
> >>
> >> On Thu, Aug 7, 2008 at 11:58 AM, Reema Sardana <[EMAIL PROTECTED]> wrote:
> >> > The reference at
> >> > http://opensocial-resources.googlecode.com/svn/spec/0.8/gadgets/util.js does
> >> > not give any details on how the HTML is to be sanitized. Whether it should
> >> > use a blacklist or a whitelist depends on how much flexibility we want to
> >> > give to the gadget.
> >>
> >> Whitelist, definitely a whitelist.
> >>
> >> > I was looking at implementing this but I am not sure if I am considering
> >> > everything that needs to be taken care of.
> >> >
> >> > 1. Strip all script tags of the form <script
> >>
> >> Yes.
> >>
> >> > 2. Strip tags of the form <a onclick="javascript:alert('foo')">bar</a>
> >>
> >> Yes.
> >>
> >> > 3. Applets ?
> >>
> >> Not allowed, likewise no flash/activex/anything similar.
> >>
> >> > 4. <div style="width: expression(alert(1))">hello</div>
> >>
> >> Also not allowed.
> >>
> >> Another case to be sure to block: <a href='javascript:something()'>
> >>
> >> Cheers,
> >> Brian
> >>
> >
> >
> > --
> > .-. --- .--. ..-
> > R o p u
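The URL-validation step the quoted mail describes (parse with the RFC 3986 Appendix B regular expression, check the parts, rebuild with encodeURIComponent), written out as an added example. This is not code from the thread, from Shindig or from the Caja html-sanitizer.js; the function and constant names (sanitizeUrl, recode, ALLOWED_SCHEMES, HOST_RE) are made up here. It assumes a gadget only needs ordinary web links, so only http and https (and scheme-less relative URLs) pass; everything else, including javascript: in an href or an iframe src, is rejected rather than escaped, which is why this check matters even though the rest of the sanitizer already whitelists tags and attributes.

```javascript
// Added example: whitelist URL validation for a sanitizer that feeds innerHTML.
// Not the thread's or the project's code; names below are hypothetical.

// RFC 3986 Appendix B, verbatim. Every group is optional, so it matches any string.
// Groups: 2 = scheme, 4 = authority, 5 = path, 7 = query, 9 = fragment.
const RFC3986_APPENDIX_B = /^(([^:/?#]+):)?(\/\/([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?$/;

// Assumption: gadgets only need plain web links. Anything else (javascript:, data:,
// vbscript:, file:, ...) is rejected outright instead of being "escaped".
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Assumption: host is a DNS name or IPv4 literal with an optional port. Userinfo
// ("user@host") is rejected because "http://trusted.example@evil.example/" is a
// classic lure, and it is never needed for a gadget link.
const HOST_RE = /^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$/;

// Percent-decode, then re-encode with encodeURIComponent. Decoding first means
// already-encoded input is not double-encoded, and malformed percent-encoding
// (or invalid UTF-8) makes decodeURIComponent throw, which we turn into a reject.
function recode(component) {
  return encodeURIComponent(decodeURIComponent(component));
}

// Returns a rebuilt, safe URL string, or null if the input must be dropped.
function sanitizeUrl(raw) {
  if (typeof raw !== 'string') return null;
  const url = raw.trim();
  if (url === '') return null;
  // Control characters never belong in a URL. Browsers silently strip some of
  // them, which is how "java\tscript:" gets past a naive prefix check.
  if (/[\u0000-\u001f\u007f]/.test(url)) return null;

  const m = RFC3986_APPENDIX_B.exec(url);
  if (!m) return null;
  const scheme = m[2] !== undefined ? m[2].toLowerCase() : null;
  const authority = m[4];
  const path = m[5];
  const query = m[7];
  const fragment = m[9];

  if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) return null;
  if (scheme !== null && authority === undefined) return null; // "http:foo" is not a link
  if (authority !== undefined && !HOST_RE.test(authority)) return null;

  try {
    let out = '';
    if (scheme !== null) out += scheme + ':';
    if (authority !== undefined) out += '//' + authority.toLowerCase();
    // Encode each path segment on its own so "/" survives and everything else is escaped.
    out += path.split('/').map(recode).join('/');
    if (query !== undefined) {
      out += '?' + query.split('&').map(pair => {
        const eq = pair.indexOf('=');
        return eq === -1
          ? recode(pair)
          : recode(pair.slice(0, eq)) + '=' + recode(pair.slice(eq + 1));
      }).join('&');
    }
    if (fragment !== undefined) out += '#' + recode(fragment);
    return out;
  } catch (e) {
    return null; // URIError from decodeURIComponent: malformed input
  }
}
```

The same function serves every URL-valued attribute the tag whitelist lets through (href, src, and so on), so Brian's javascript: href and Ropu's iframe src are handled by one code path; it complements the tag and attribute whitelist rather than replacing it. Because the check is a whitelist on the parsed scheme, mixed case, leading whitespace and embedded control characters all fail for the same reason a plain javascript: does: the scheme is not http or https.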

