I had the same issue some days ago. This happens because the UriPolicy is not configured. This was the response of Jasvir.

---
Easily fixed.

URIs are handled in Caja by the UriPolicy (http://code.google.com/p/google-caja/wiki/UriPolicy). There are two places where UriPolicies are implemented: in the cajoler, by implementing com.google.caja.plugin.UriPolicy, and as the second argument to attachDocumentStub when you configure the container. I believe your attachDocumentStub setup looks like this:

    attachDocumentStub('-g___', {
      rewrite: function(url, mime) { return null; }
    }, imports, gadgetRoot);

The rewrite function above drops all URLs. If it instead rewrote the URL to point at your proxy which strips headers and mitigates known buffer overflow attacks via images, video and other media, then those URLs would be allowed. I am not familiar with the PHP version of Shindig, but gadgets.io.getProxyUrl(url) may already do everything you need.

This was the recommended function by Jasvir for my case:

    var uriCallback = {
      rewrite: function rewrite(uri, mimeTypes) {
        uri = String(uri);
        // Allow references to anchors within the gadget
        if (/^#/.test(uri)) {
          return '#' + uri.substring(1);
        }
        // Proxy all other dynamically constructed urls
        return gadgets.io.getProxyUrl(uri);
      }
    };

I hope it is helpful.

Regards

On Mon, Jan 31, 2011 at 5:48 PM, Wenjun Che <[email protected]> wrote:

> I have been testing with Caja in Shindig 2.0 and noticed src attribute is
> being removed from <img> tag when it is added from innerHTML.
> Is it possible to configure client side sanitization to preserve src
> attribute?
>
> I am running the downloaded war file as it is, and seeing this behavior in
> samplecontainer.
>
> Any help is greatly appreciated.
>
> Thanks in advance.
>

--
Ing. Casiva Agustin
Mail/Msn/GTalk/Jabber: [email protected]
Skype: casivaagustin
CEL : 054-03722-15270639
Site: http://www.casivaagustin.com.ar
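
The rewrite callback discussed in this thread, as an added example that is not part of the original messages or of the Shindig/Caja code: it keeps in-gadget anchors, proxies absolute http(s) URLs and, going one step beyond the posted function, drops every other scheme instead of forwarding it to the proxy. The gadgets.io.getProxyUrl stand-in and its container.example proxy URL are assumptions so that the block runs outside a container.

```javascript
// Stand-in for Shindig's gadgets.io.getProxyUrl, used only when no container
// provides the real one. The proxy URL shape here is constructed.
var gadgets = gadgets || {
  io: {
    getProxyUrl: function (url) {
      return 'https://container.example/proxy?url=' + encodeURIComponent(url);
    }
  }
};

// Policy object in the shape passed as the second argument to
// attachDocumentStub: rewrite(uri, mimeTypes) returns the URL to emit,
// or null to drop the attribute value.
var uriCallback = {
  rewrite: function rewrite(uri, mimeTypes) {
    uri = String(uri).trim();
    // References to anchors within the gadget stay local.
    if (/^#/.test(uri)) {
      return '#' + uri.substring(1);
    }
    // Assumption of this example: only absolute http(s) URLs may reach the
    // proxy. javascript:, data:, relative paths and anything else that does
    // not match the allow-list are dropped.
    if (!/^https?:\/\//i.test(uri)) {
      return null;
    }
    return gadgets.io.getProxyUrl(uri);
  }
};

// Constructed sample inputs, as they might arrive from innerHTML content.
function demo() {
  var samples = [
    '#section-2',
    'http://example.com/photo.png?size=large',
    'javascript:alert(1)',
    'data:image/png;base64,AAAA',
    '/relative/path.png'
  ];
  return samples.map(function (u) {
    return [u, uriCallback.rewrite(u, 'image/*')];
  });
}

console.log(demo());
```
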
