spec proposal: HTML sanitizer

0 views
Skip to first unread message

Brian Eaton

unread,
Apr 19, 2008, 11:47:09 AM4/19/08
to opensocial-an...@googlegroups.com
This has come up a few times, but I don't think anyone has proposed it
yet for opensocial-0.8.

The gadgets.util library should include a simple function to sanitize
arbitrary text into a subset of HTML that cannot execute script.

/**
* Sanitizes a text string. The returned value is safe to assign to innerHTML.
* The returned value may include HTML tags. If plain text is desired, use
* gadgets.util.escapeString instead.
*
* @param {String} text arbitrary text string
* @return {String} a sanitized version that may include HTML tags,
but will not execute script.
*/
function gadgets.util.sanitizeHtml(text) {
...
}

Zhen Wang

unread,
Apr 19, 2008, 8:34:44 PM4/19/08
to opensocial-an...@googlegroups.com
What specific HTML tags are whitelisted by this function?

Brian Eaton

unread,
Apr 20, 2008, 1:11:31 AM4/20/08
to opensocial-an...@googlegroups.com
On Sat, Apr 19, 2008 at 5:34 PM, Zhen Wang <wa...@google.com> wrote:
> What specific HTML tags are whitelisted by this function?

I'm not sure. =)

I think the function should allow as many tags and attributes as
possible without permitting any kind of javascript/flash/applet/other
active content to sneak in. The Caja HTML sanitizer seems like it
should provide a baseline for this.

I don't think the spec should include a list of specific tags and
attributes, that would restrict our ability to expand tag whitelists
in the future.

Kevin Brown

unread,
Apr 25, 2008, 1:12:14 AM4/25/08
to opensocial-an...@googlegroups.com
+ 1

I'll add that we shouldn't just be using caja as a reference point, we should be ensuring compatibility with it. If we're only filtering "bad" stuff, legitimate impact will be slight, and good documentation on what the function filters will let legitimate uses of "bad" stuff can work around it by doing an escape / filter / unescape routine.

Michael Mahemoff

unread,
Apr 25, 2008, 7:12:36 AM4/25/08
to opensocial-an...@googlegroups.com
+1

Very useful for inter-user messaging and the like. Ideal would be for the function to include a parameter to further constrain the list of possible tags/attribs.

Cassie

unread,
Apr 25, 2008, 7:39:04 AM4/25/08
to opensocial-an...@googlegroups.com, Louis Ryan, Zhen Wang
Okay so Brian, Kevin and Michael are for this. (= 3 votes)

Adding Louis because he was looking for this in another thread.
Adding Zhen so that he can say whether his question was resolved by Brian's answer.

- Cassie

Lane LiaBraaten

unread,
Apr 25, 2008, 12:43:45 PM4/25/08
to opensocial-an...@googlegroups.com, Louis Ryan, Zhen Wang
+1

Graham Spencer

unread,
Apr 25, 2008, 12:49:32 PM4/25/08
to opensocial-an...@googlegroups.com, Louis Ryan, Zhen Wang
+1

Kevin Marks

unread,
Apr 25, 2008, 1:19:57 PM4/25/08
to opensocial-an...@googlegroups.com
+1
In fact I'd support even more strongly Graham's safeSetInnerHTML - ie fixing this problem at the point of vulnerability, rather than trying to guess which other sources of strings might eventually end up in the page and playing whack-a-mole on them.

Cassie

unread,
Apr 27, 2008, 7:17:47 PM4/27/08
to opensocial-an...@googlegroups.com
spec approved.
thanks.

- cassie
Reply all
Reply to author
Forward
0 new messages