Move whitelists out of java into configuration files #50
Comments
Comment #1 originally posted by mikesamuel on 2008-01-30T04:20:36.000Z: I can certainly add one. Can you think of an example that I might add to the spec? I was thinking of reworking the format to be JSON based instead of XML. Mark pointed
Comment #2 originally posted by mikesamuel on 2008-02-06T22:46:32.000Z: There don't seem to be any objections to JSON based format, so I'm going to work on
Comment #3 originally posted by erights on 2008-02-14T02:51:54.000Z: Based on an over-the-shoulder inspection, LGTM
Comment #4 originally posted by erights on 2008-02-14T02:52:56.000Z: Oops. Ignore my comment. It was actually intended for a different issue.
Comment #5 originally posted by justin.kruger on 2008-03-03T19:33:38.000Z: Can we also add allowfullscreen?
Comment #6 originally posted by mikesamuel on 2008-03-03T21:45:39.000Z: You can add whatever you like. See
Comment #7 originally posted by mikesamuel on 2008-03-13T04:05:56.000Z: <empty>
Comment #8 originally posted by Lisaedward.123 on 2013-08-12T04:51:11.000Z: This is really useful information. Thanks for sharing this article.
Comment #9 originally posted by Lisaedward.123 on 2013-08-12T04:54:14.000Z: This is really useful information. Thanks for sharing this article.
Comment #10 originally posted by Lisaedward.123 on 2013-08-12T04:54:52.000Z: This is really useful information. Thanks for sharing this article.
Comment #11 originally posted by Evergreen10001 on 2013-08-13T06:26:30.000Z: Thanks for sharing. This is really nice.
Original issue 50 created by mikesamuel on 2008-01-29T01:04:17.000Z:
Background
HtmlWhitelist.java and Css2.java include definitions of HTML tags, HTML
attributes, CSS properties, and CSS functions.
Goal
Allow clients to add items to whitelists. Some clients have prior
validation stages that guarantee that certain unsafe tags are really safe,
and want to allow some proprietary (-moz-*) CSS properties.
Examples:
<!-- Add <object> to the set of allowed HTML tags. -->
<whitelist id="urn://com/google/caja/html/tags">
  <inherit class="urn:com.google.caja.plugin.HtmlWhitelist$Tags"/>
  <allow item="object"/>
</whitelist>

<!-- Add allowScriptAccess to the set of allowed HTML attributes. -->
<whitelist id="urn://com/google/caja/html/attributes">
  <inherit class="urn:com.google.caja.plugin.HtmlWhitelist$Attributes"/>
  <allow item="allowscriptaccess"/>
</whitelist>

<!-- Add a definition of a CSS property. -->
<whitelist id="urn://com/google/caja/css/properties">
  <inherit class="urn:com.google.caja.plugin.CssWhitelist$Properties"/>
  <allow item="-moz-background-origin">
    <![CDATA[ <background-origin> | inherit ]]>
  </allow>
  <define symbol="background-origin">
    content | border | padding
  </define>
</whitelist>

<!-- Replace the existing HTML whitelist that only allows
     <b> and <p> tags. -->
<whitelist id="urn://com/google/caja/html/tags">
  <!-- No <inherit>. -->
  <allow item="b"/>
  <allow item="p"/>
</whitelist>
Schema:
<!ELEMENT whitelist (inherit*, (allow|define)*)>
<!ATTLIST whitelist id %urn; #REQUIRED>
<!ELEMENT inherit EMPTY>
<!ATTLIST inherit id %urn; #REQUIRED>
<!ELEMENT allow (#PCDATA)>
<!ATTLIST allow item CDATA #REQUIRED>
<!ELEMENT define (#PCDATA)>
<!ATTLIST define symbol CDATA #REQUIRED>
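
The inherit/allow semantics proposed in this issue, as an added sketch that is not Caja's code and not part of the original post: a loader for the tag and attribute case that fails closed on unknown references and reports how a client file changes the default. The contents of `DEFAULT_TAGS`, the function names, and case-insensitive matching are assumptions; CSS signature bodies and `<define>` are not interpreted.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the set behind HtmlWhitelist$Tags; the page does not list it.
DEFAULT_TAGS = {"a", "b", "i", "p"}
BUILTIN = {"urn:com.google.caja.plugin.HtmlWhitelist$Tags": DEFAULT_TAGS}

# Constructed inputs modelled on the issue's first and last examples.
EXTEND = """<whitelist id="urn://com/google/caja/html/tags">
  <inherit class="urn:com.google.caja.plugin.HtmlWhitelist$Tags"/>
  <allow item="object"/>
</whitelist>"""
REPLACE = """<whitelist id="urn://com/google/caja/html/tags">
  <allow item="b"/>
  <allow item="p"/>
</whitelist>"""


def load_whitelist(xml_text, builtin=BUILTIN):
    """Parse one <whitelist> document and return (id, effective item set)."""
    # Whitelist files need no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != "whitelist" or not root.get("id"):
        raise ValueError("expected <whitelist id=...> as the root element")
    effective = set()
    for child in root:
        if child.tag == "inherit":
            # The examples use class=, the schema says id=; accept either.
            ref = child.get("class") or child.get("id")
            if ref not in builtin:
                raise ValueError("unknown inherited whitelist: %r" % ref)
            effective |= builtin[ref]
        elif child.tag == "allow":
            # Assumption: item names are matched case-insensitively.
            item = (child.get("item") or "").strip().lower()
            if not item:
                raise ValueError("<allow> needs a non-empty item attribute")
            effective.add(item)
        elif child.tag != "define":  # <define> bodies are not interpreted here
            raise ValueError("unexpected element <%s>" % child.tag)
    return root.get("id"), effective


def review_delta(effective, default=DEFAULT_TAGS):
    """Items a client file adds to, or removes from, the built-in default."""
    return {"added": sorted(effective - default),
            "removed": sorted(default - effective)}
```

Logging the `added` list at load time gives reviewers a record of every item, such as `object`, that a client has taken responsibility for validating upstream.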