Google caja - block malicious code

Question

Google caja - block malicious code

I need secure html on my site.

I read though the caja manual, and I'm not sure if I understand conecpt.

https://developers.google.com/caja/docs/gettingstarted/

I think this happens as follows:

User sends malicious content to my db
I want to do it. Caja recognizes malicious code and blocks it.

But how to do it though caja? They do not explain this on their page, they only show how to replace the code.

<script type="text/javascript">
      document.getElementById('dynamicContent').innerHTML = 'Dynamic hello world';
</script>

Say our document will look like this

<body>
    <div class="input">
        <h3>User Input </h3>
        <script> alert("I am really bad!"); </script>
    </div>

    <div class="input">
        <h3>User Input </h3>
        <p> I am safe HTML!</p>
    </div>
</body>

How can I tell caja to block the script tag?

+1

javascript html security google-caja

Maik klein Sep 03 '12 at 20:29

source share

2 answers

, AntiSamy - .

https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#What_is_it.3F

0

Maik Klein 03 . '12 21:21

Jasvir · Accepted Answer · 2012-09-04T17:28:51+0000

html (.. script), Caja, html-sanitizer.

:

<script src="http://caja.appspot.com/html-css-sanitizer-minified.js"></script>
<script>
  var sanitized = html_sanitize(untrustedCode,
    /* optional */ function(url) { return url /* rewrite urls if needed */ },
    /* optional */ function(id) { return id; /* rewrite ids, names and classes if needed */ })
</script>

css, http://caja.appspot.com/html-sanitizer-minified.js.

Google caja - block malicious code

More articles: