To address this vulnerability, we used a JavaScript sanitizing library called Caja [38], which allows third-party scripts to run in the same JavaScript runtime environment as the framework code, but inside a sandbox whose restrictions are defined within the host script.