I need safe HTML on my website.
I read through the Caja guide and I am not sure if I understand the concept.
https://developers.google.com/caja/docs/gettingstarted/
I think it goes like this:
- User submits malicious content to my db
- I want to render it. Caja recognizes the malicious code and blocks it.
But how do I render it through Caja? They don't explain this on their page, they only show how to replace the code.
<script type="text/javascript">
document.getElementById('dynamicContent').innerHTML = 'Dynamic hello world';
</script>
Let's say our document would look like this
<body>
<div class="input">
<h3>User Input </h3>
<script> alert("I am really bad!"); </script>
</div>
<div class="input">
<h3>User Input </h3>
<p> I am safe HTML!</p>
</div>
</body>
How would I tell caja to block the script tag?
Asked Sep 3, 2012 at 20:29 by Maik Klein; edited Sep 3, 2012 at 20:30 by Roddy of the Frozen Peas.
Comment (Mike Stay, Sep 4, 2012 at 17:43): Caja is a suite of tools that do different things. Do you want to block all third-party javascript, or make it safe to run the third-party javascript? The page you linked to is for making it safe. To block it, you'd want the HTML sanitizer: code.google.com/p/google-caja/wiki/JsHtmlSanitizer
2 Answers
Answer 1 (12 votes)
If you want to have just sanitized HTML (i.e. no script execution at all), you don't need all of Caja, just the html-sanitizer.
To use:
<script src="http://caja.appspot.com/html-css-sanitizer-minified.js"></script>
<script>
// untrustedCode: the user-submitted HTML string loaded from your database
var sanitized = html_sanitize(untrustedCode,
  /* optional */ function(url) { return url; /* rewrite urls if needed */ },
  /* optional */ function(id) { return id; /* rewrite ids, names and classes if needed */ });
// only the sanitized string is ever inserted into the page
document.getElementById('dynamicContent').innerHTML = sanitized;
</script>
If you don't want to allow sanitized CSS styles, use http://caja.appspot.com/html-sanitizer-minified.js instead.
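To make concrete what "sanitize, then render" does to the markup in the question, here is a small allowlist sanitizer written for this page as an added example. It is not Caja's code and is far less complete than Caja's html-sanitizer; the names sanitizeHtml, ALLOWED_TAGS, ALLOWED_ATTRS and SAFE_URL are assumed for illustration. It keeps a fixed set of tags and attributes, drops <script> and <style> together with their bodies, rejects href values whose scheme is not http(s), same-origin path or fragment, re-escapes all text on output, and closes any tags the input left open. The sample input is constructed from the two "User Input" blocks in the question.

```javascript
// Added example (not Caja's code): a minimal allowlist HTML sanitizer that
// shows what html_sanitize does to user-submitted markup before it is
// rendered. Everything not explicitly allowed is dropped; text is
// re-escaped on output. Function and constant names here are illustrative.

const ALLOWED_TAGS = new Set(['p', 'div', 'h3', 'b', 'i', 'em', 'strong',
                              'ul', 'ol', 'li', 'a', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), '*': new Set(['class']) };
const DROP_WITH_CONTENT = new Set(['script', 'style']); // body is code, not text
const SAFE_URL = /^(https?:\/\/|\/(?!\/)|#)/i;          // http(s), same-origin path, fragment

// Escape text for output; already-encoded entities (&amp;, &#39;) are left alone.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Parse the attribute part of a start tag into [name, value] pairs.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
function parseAttrs(src) {
  const out = [];
  let m;
  while ((m = ATTR_RE.exec(src)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    out.push([m[1].toLowerCase(), value]);
  }
  return out;
}

// Keep only allowlisted attributes; href must additionally use an allowed scheme.
function sanitizeAttrs(tag, attrs) {
  let out = '';
  for (const [name, value] of attrs) {
    const allowed = (ALLOWED_ATTRS[tag] && ALLOWED_ATTRS[tag].has(name)) || ALLOWED_ATTRS['*'].has(name);
    if (!allowed) continue;                                         // drops onclick=, style=, ...
    if (name === 'href' && !SAFE_URL.test(value.trim())) continue;  // drops javascript:, data:
    out += ' ' + name + '="' + escapeText(value) + '"';
  }
  return out;
}

// Tags are matched conservatively: a '<' that does not start a tag becomes
// escaped text, and a '>' inside an attribute value ends the tag early
// (the remainder is then escaped as text, which is safe but lossy).
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

function sanitizeHtml(html) {
  let out = '';
  let pos = 0;
  const open = [];                 // stack of currently open allowed tags
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(pos, m.index));
    pos = TAG_RE.lastIndex;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!closing && DROP_WITH_CONTENT.has(tag)) {
      // Skip the element body up to and including its close tag.
      const endRe = new RegExp('</' + tag + '\\s*>', 'ig');
      endRe.lastIndex = pos;
      const e = endRe.exec(html);
      pos = e ? endRe.lastIndex : html.length;
      TAG_RE.lastIndex = pos;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;   // unknown tag dropped, its text content kept
    if (closing) {
      const i = open.lastIndexOf(tag);
      if (i === -1) continue;               // stray close tag
      while (open.length > i) out += '</' + open.pop() + '>';  // keep output balanced
    } else if (tag === 'br') {
      out += '<br>';
    } else {
      out += '<' + tag + sanitizeAttrs(tag, parseAttrs(m[3])) + '>';
      open.push(tag);
    }
  }
  out += escapeText(html.slice(pos));
  while (open.length) out += '</' + open.pop() + '>';
  return out;
}

// Constructed sample: the two "User Input" blocks from the question.
const UNTRUSTED_SAMPLE = [
  '<div class="input">',
  '<h3>User Input </h3>',
  '<script> alert("I am really bad!"); </script>',
  '</div>',
  '<div class="input">',
  '<h3>User Input </h3>',
  '<p> I am safe HTML!</p>',
  '</div>',
].join('\n');

console.log(sanitizeHtml(UNTRUSTED_SAMPLE));
```

The point of the design is that the policy is an allowlist: the sanitizer never tries to recognise "malicious" constructs, it only emits what is known to be inert and re-escapes everything else, so the script block in the first user-input div disappears while the second div survives untouched. Caja's html_sanitize takes the same stance with a much larger policy table and a real tokenizer; the callbacks it accepts (shown in the answer above) are where your own URL and id rewriting policy plugs in.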
Answer 2
In my opinion AntiSamy is a much better approach.
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#What_is_it.3F
And it is really straightforward.
Title: javascript - Google caja - Block malicious code - Stack Overflow