The gadgets.util library should include a simple function to sanitize
arbitrary text into a subset of HTML that cannot execute script.
/**
* Sanitizes a text string. The returned value is safe to assign to innerHTML.
* The returned value may include HTML tags. If plain text is desired, use
* gadgets.util.escapeString instead.
*
* @param {String} text arbitrary text string
* @return {String} a sanitized version that may include HTML tags,
but will not execute script.
*/
function gadgets.util.sanitizeHtml(text) {
...
}
I'm not sure. =)
I think the function should allow as many tags and attributes as
possible without permitting any kind of javascript/flash/applet/other
active content to sneak in. The Caja HTML sanitizer seems like it
should provide a baseline for this.
I don't think the spec should include a list of specific tags and
attributes, that would restrict our ability to expand tag whitelists
in the future.