Link sharing - Google Caja HTML Sanitizer
Question
I'm trying to tackle the classic "user input sanitisation" problem on my new web app and I chose to use Google Caja's HTML Sanitizer server-side for this task.
Although the implementation + testing went fine, I still have some questions:
1) I could only find the HTML4 definitions, does this mean that HTML5 tags wouldn't be safe?
I did some tests with HTML5-specific tag / attribute XSS's and although none of them worked I'm not 100% sure that some untested ones wouldn't work.
2) Google Caja doesn't seem too active anymore, would this constitute a security issue?
3) I want my users to be able to share links, how would I be able to do this in a safe way that passes Google Caja's filters? (like StackOverflow)
4) How does Caja handle Unicode?
Thanks in advance!
Recommended answer
1) I could only find the HTML4 definitions, does this mean that HTML5 tags wouldn't be safe?
We have added HTML5 support in the past few months. Please let us know if anything is missing.
2) Google Caja doesn't seem too active anymore, would this constitute a security issue?
Are you perhaps looking in the wrong place? We're quite busy, as you can see here.
3) I want my users to be able to share links, how would I be able to do this in a safe way that passes Google Caja's filters? (like StackOverflow)
You can supply a URI policy which permits or rejects outgoing links.
4) How does Caja handle Unicode?
Correctly, I should hope. If things don't work, please file a bug.
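As an added illustration of the "URI policy" mentioned in point 3 (example code, not Caja's own), here is an allowlist-style link policy of the shape a sanitizer callback takes: it receives the raw attribute value and returns a normalized URL to keep or null to drop the attribute. The assumptions are that Caja's JavaScript sanitizer accepts such a callback as `html_sanitize(html, uriPolicy)`, and that your site only needs absolute http/https/mailto links.

```javascript
// Added example, not part of the Caja project. Assumed callback contract:
// (rawUri) => string to keep the link, or null to strip the href entirely.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function linkUriPolicy(rawUri) {
  if (typeof rawUri !== 'string') return null;
  // Browsers tolerate surrounding whitespace and embedded control characters
  // in URLs ("java\tscript:"), so strip them before looking at the scheme.
  const cleaned = rawUri.trim().replace(/[\u0000-\u001f\u007f]/g, '');
  let parsed;
  try {
    // No base URL: relative and protocol-relative ("//host/x") inputs throw
    // and are rejected, so only absolute links survive.
    parsed = new URL(cleaned);
  } catch (e) {
    return null;
  }
  // Allowlist of schemes: javascript:, data:, vbscript: etc. never match.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // "https://trusted.example@evil.example/" reads as trusted to a human but
  // goes to evil.example; refuse embedded credentials outright.
  if (parsed.username || parsed.password) return null;
  // Return the parser's normalized form (lower-cased scheme and host).
  return parsed.href;
}

// Constructed sample inputs showing what the policy keeps and drops.
function demo() {
  const samples = [
    'https://example.com/path?q=1',
    ' HTTPS://Example.COM/a ',
    'mailto:someone@example.com',
    'javascript:alert(1)',
    ' JAVA\tSCRIPT:alert(1)',
    'data:text/html,<script>alert(1)</script>',
    '//example.com/protocol-relative',
    'https://trusted.example@evil.example/',
  ];
  return samples.map((s) => [s, linkUriPolicy(s)]);
}

// In a Caja deployment the policy would be handed to the sanitizer, e.g.
// html_sanitize(untrustedHtml, linkUriPolicy)  (assumed signature).
module.exports = { linkUriPolicy, demo };
```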