(Belatedly) This will be a pure javascript feature. It'll just happen to use javascript provided by the Caja project.

On Thu, Aug 14, 2008 at 1:54 AM, Chris Chabot <[EMAIL PROTECTED]> wrote:
> Ps, I haven't had a lot of time recently to closely follow the discussion
> and concepts around the sanitizeHtml work, however from what I gather from
> quickly glancing over this thread is that this is going to be a Caja based
> feature right? (as opposed to a JS based one that I was personally hoping
> for :)).
>
> It'll be good to keep in mind that if a number of containers don't have
> access to Caja (either they have a custom implementation such as some Asian
> sites have), or use the PHP version, this feature might render quite
> different results on those containers, especially since the spec is quite
> vague on what exactly it's supposed to do and what end result can be
> expected.
>
> So before you go update the docs based on one implementation, keep that in
> mind please :) (and take any doc / spec change proposals to the spec list
> ofc, and not the shindig lists)
>
>   -- Chris
>
> On Aug 14, 2008, at 5:49 AM, Brian Eaton wrote:
>
>> On Wed, Aug 13, 2008 at 6:02 PM, Jasvir Nagra <[EMAIL PROTECTED]> wrote:
>>>
>>> Sure, I can push a caja.jar that splits off the html-sanitizer
>>> dependent javascript out of domita-minified.  I'm adopting the
>>> following names:
>>>
>>> * domita-minified.js (domita+caja without html sanitizer)
>>> * html-sanitizer-minified.js (html4-defs + css-defs + html-sanitizer)
>>
>> Sounds good.
>>
>>> Some features of html-sanitizer to be aware of... it expects and
>>> outputs a balanced set of tags.  So it will ignore extraneous close tags
>>> or insert closing tags as necessary.  I can't find any documentation
>>> on what sanitizeHTML is supposed to output other than that it is safe
>>> to set innerHTML to.  If the behaviour of html-sanitizer is
>>> acceptable, it should probably be added to the documentation
>>> somewhere.
>>
>> I'd rather leave the documentation vague so we have the freedom to
>> change.  For now, it's magic security dust.

