Why doesn't html_sanitizer_minified.js allow target='_blank' and html5 data attrs?

46 views
Skip to first unread message

Kaj Magnus Lindberg

unread,
May 28, 2012, 10:50:02 AM5/28/12
to google-ca...@googlegroups.com
Hi Caja developers

I'm trying to build Caja so that html_sanitizer_minified.js allows
target='_blank' and the new HTML5 data attribute.

How can I do that? -- Actually it seems to me that it is not even supposed to work right now? (Correct?)

When I read  `function sanitizeAttribs(...)` in file ./ant-lib/com/google/caja/plugin/html-sanitizer.js
it seems that there's no way any `target` or `data` attributes could slip by? (They'd all be removed?)

However, the `.json` rules allows target='_blank':
1. 'target' is whitelisted, on line 203 in html4-attributes-whitelist.json, here:
2. and the value '_blank' is allowed? On line 18 in html4-attributes.json, here:


I'm very confused that / why  html_sanitizer_minified.js  seems to work in a very different manner from the rest of Caja?
(Why does it? Is it / should it perhaps be documented somewhere?)

(( I thought that the `.json` rules were compiled into the html-sanitizer.js files?
However;
1 When I search for _blank' in the build output dir, like so:
 grep -Ir '_blank' ./ant-lib
then only some "domado.js" and "caja-flash.js" and "es53-taming-frame.js" files match. But none of the Javascript sanitizer files, which makes me very confused, since I thought the rules in the `.json` files were being compiled into the Javascript sanitizer files.
and however,
2: even if there was any rule, sanitizeAttribs wouldn't care about it? sanitizeAttribs only allows attributes similar to styles, ids, classes and uris  ?))


Best regards, KajMagnus

Kaj Magnus Lindberg

unread,
May 29, 2012, 4:54:50 AM5/29/12
to google-ca...@googlegroups.com
Hi again!

Now I've made the sanitizer work, in my particular case:

1.  To allow data attributes, one can do something like this:  (after having loading the sanitizer script)
  html4.ATTRIBS['*::data'] = html4.atype['NONE']:

and then all data attrs will be allowed always, by sanitizeAttribs(..) and elsewher.

2.  I modified sanitizeAttribs(..), like so:

  function sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy) {
    for (var i = 0; i < attribs.length; i += 2) {
      var attribName = attribs[i];
      var value = attribs[i + 1];
      ...
      if (attribName === '...' && value === '...') {      <--- hack
        // Allow (don't clear value).
      } else if (atype !== null) {
        switch (atype) {
        ...


Best regards, KajMagnus
Reply all
Reply to author
Forward
0 new messages