On Wed, Aug 13, 2008 at 6:02 PM, Jasvir Nagra <[EMAIL PROTECTED]> wrote:
> Sure, I can push a caja.jar that splits off the html-sanitizer
> dependent javascript out of domita-minified. I'm adopting the
> following names:
>
> * domita-minified.js (domita+caja without html sanitizer)
> * html-sanitizer-minified.js (html4-defs + css-defs + html-sanitizer)

Sounds good.

> Some features of html-sanitizer to be aware of... it expects and
> outputs a balanced set of tags. So it will ignore extraneous close tags
> or insert closing tags as necessary. I can't find any documentation
> on what sanitzeHTML is supposed to output other than that it is safe
> to set innerHTML to. If the behaviour of html-sanitizer is
> acceptable, it should probably be added to the documentation
> somewhere.

I'd rather leave the documentation vague so we have the freedom to change. For now, it's magic security dust.

