Hi Caja developers
I'm trying to build Caja so that html_sanitizer_minified.js allows
target='_blank' and the new HTML5 data attribute.
How can I do that? -- Actually it seems to me that it is not even supposed to work right now? (Correct?)
When I read `function sanitizeAttribs(...)` in file ./ant-lib/com/google/caja/plugin/html-sanitizer.js
it seems that there's no way any `target` or `data` attributes could slip by? (They'd all be removed?)
However, the `.json` rules allows target='_blank':
1. 'target' is whitelisted, on line 203 in html4-attributes-whitelist.json, here:
2. and the value '_blank' is allowed? On line 18 in html4-attributes.json, here:
I'm very confused that / why html_sanitizer_minified.js seems to work in a very different manner from the rest of Caja?
(Why does it? Is it / should it perhaps be documented somewhere?)
(( I thought that the `.json` rules were compiled into the html-sanitizer.js files?
However;
1 When I search for _blank' in the build output dir, like so:
grep -Ir '_blank' ./ant-lib
then only some "domado.js" and "caja-flash.js" and "es53-taming-frame.js" files match. But none of the Javascript sanitizer files, which makes me very confused, since I thought the rules in the `.json` files were being compiled into the Javascript sanitizer files.
and however,
2: even if there was any rule, sanitizeAttribs wouldn't care about it? sanitizeAttribs only allows attributes similar to styles, ids, classes and uris ?))
Best regards, KajMagnus