Google caja - Block malicious code

I need safe HTML on my website.

I read through the Caja guide and I am not sure if I understand the concept.

https://developers.google.com/caja/docs/gettingstarted/

I think it goes like this:

  • User submits malicious content to my db
  • I want to render it. Caja recognizes the malicious code and blocks it.

But how do I render it through Caja? They don't explain this on their page, they only show how to replace the code.

<script type="text/javascript">
  document.getElementById('dynamicContent').innerHTML = 'Dynamic hello world';
</script>

Let's say our document would look like this

<body>
    <div class="input">
        <h3>User Input </h3>
        <script> alert("I am really bad!"); </script>
    </div>

    <div class="input">
        <h3>User Input </h3>
        <p> I am safe HTML!</p>
    </div>
</body>

How would I tell caja to block the script tag?

Linolinocut answered 3/9, 2012 at 20:29 Comment(1)
Lather: Caja is a suite of tools that do different things. Do you want to block all third-party JavaScript, or make it safe to run the third-party JavaScript? The page you linked to is for making it safe. To block it, you'd want the HTML sanitizer: code.google.com/p/google-caja/wiki/JsHtmlSanitizer
12

If you want to have just sanitized HTML (i.e. no script execution at all), you don't need all of Caja, just the html-sanitizer.

To use:

<script src="http://caja.appspot.com/html-css-sanitizer-minified.js"></script>
<script>
  // untrustedCode is the user-supplied HTML string (e.g. what you read back from your db)
  var sanitized = html_sanitize(untrustedCode,
    /* optional */ function(url) { return url; /* rewrite urls if needed */ },
    /* optional */ function(id) { return id; /* rewrite ids, names and classes if needed */ });
  // sanitized is now safe to assign to an element's innerHTML
</script>

If you don't want to allow sanitized css styles, use http://caja.appspot.com/html-sanitizer-minified.js instead.

Stephanistephania answered 4/9, 2012 at 17:28 Comment(0)
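To make concrete what a sanitizer in the shape of html_sanitize(html, urlPolicy, namePolicy) actually does to the document in the question (drop the <script> element with its contents, keep the safe <p>, run href/src through a URL policy and id/name/class through a name policy), here is an added example of a small allowlist sanitizer. It is not Caja's code and not from the answer above; every name in it (sanitizeHtml, defaultUrlPolicy, defaultNamePolicy, the allowlists) is an assumption, it runs offline in Node without loading anything from caja.appspot.com, and the sample input is constructed from the question's HTML. It uses a regex tokenizer rather than a real HTML parser, so it is a teaching model of the policy hooks, not a drop-in replacement for the library.

```javascript
// Added example, not Caja's code: a minimal allowlist sanitizer in the shape of
// html_sanitize(html, urlPolicy, namePolicy). All names here are assumptions.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
  "h1", "h2", "h3", "blockquote", "code", "pre", "img", "span", "div"]);
const VOID_TAGS = new Set(["br", "img"]);            // no closing tag
const RAW_TEXT_TAGS = new Set(["script", "style"]);  // drop the element AND its contents
const URL_ATTRS = new Set(["href", "src"]);          // go through urlPolicy
const NAME_ATTRS = new Set(["id", "name", "class"]); // go through namePolicy
const PLAIN_ATTRS = new Set(["alt", "title"]);       // kept, escaped; everything else (on*, style, ...) is dropped
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" }; // only these named entities are decoded

// Decode entities BEFORE any policy check, so "&#106;avascript:" is seen as "javascript:".
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    const cp = hex ? parseInt(hex, 16) : dec ? parseInt(dec, 10) : -1;
    if (cp >= 0) return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    const v = NAMED[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}
function encodeText(s) { return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"); }
function encodeAttr(s) { return encodeText(s).replace(/"/g, "&quot;"); }

// Default URL policy: relative URLs and http/https/mailto pass; javascript:, data:, vbscript: are rejected (null).
function defaultUrlPolicy(url) {
  const clean = url.replace(/[\u0000-\u0020\u007f]/g, "");  // defeats "jav\tascript:" style padding
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(clean);
  if (!m) return clean;                                     // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? clean : null;
}
// Default name policy: prefix every id/name/class token so user markup cannot collide with the page's own.
function defaultNamePolicy(value) {
  return value.trim().split(/\s+/).filter(Boolean).map(t => "u-" + t).join(" ");
}

function sanitizeHtml(html, urlPolicy = defaultUrlPolicy, namePolicy = defaultNamePolicy) {
  const out = [];
  const open = [];        // stack of open tags, used to balance the output
  let skipUntil = null;   // set while inside <script>/<style>: drop everything up to the matching close tag
  const tokenRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|<|[^<]+/g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [tok, rawName, rawAttrs] = m;
    if (skipUntil) {
      if (rawName && tok.startsWith("</") && rawName.toLowerCase() === skipUntil) skipUntil = null;
      continue;
    }
    if (tok.startsWith("<!--")) continue;                                // comments are dropped
    if (!rawName) { out.push(tok === "<" ? "&lt;" : encodeText(decodeEntities(tok))); continue; } // text
    const name = rawName.toLowerCase();
    const closing = tok.startsWith("</");
    if (RAW_TEXT_TAGS.has(name) && !closing) { skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;                               // unknown tag: drop it, keep its text children
    if (closing) {
      const i = open.lastIndexOf(name);
      if (i === -1) continue;                                            // stray close tag
      while (open.length > i) out.push(`</${open.pop()}>`);
      continue;
    }
    const attrs = [];
    const attrRe = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const an = a[1].toLowerCase();
      let av = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
      if (URL_ATTRS.has(an)) av = urlPolicy(av);
      else if (NAME_ATTRS.has(an)) av = namePolicy(av);
      else if (!PLAIN_ATTRS.has(an)) continue;                           // onerror=, style=, srcdoc=, ... are dropped
      if (av == null) continue;                                          // policy rejected the value
      attrs.push(` ${an}="${encodeAttr(av)}"`);
    }
    out.push(`<${name}${attrs.join("")}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`);                       // close whatever the input left open
  return out.join("");
}

// Constructed sample: the two user inputs from the question, concatenated.
const untrusted =
  '<div class="input"><h3>User Input </h3><script> alert("I am really bad!"); </script></div>' +
  '<div class="input"><h3>User Input </h3><p> I am safe HTML!</p></div>';
console.log(sanitizeHtml(untrusted));
// In a browser the result is what you would assign: el.innerHTML = sanitizeHtml(untrusted);
```

The two policy callbacks are where a deployment differs from the defaults: a URL policy that also proxies external images, or a name policy that maps ids into a per-comment namespace, slot in without touching the tokenizer. The entity decode before the policy check and the control-character strip inside defaultUrlPolicy are the two steps most hand-rolled sanitizers forget, and they are exactly what the classic "jav&#x09;ascript:" payloads rely on.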
0

In my opinion AntiSamy is a much better approach.

https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#What_is_it.3F

And it is really straightforward.

Linolinocut answered 3/9, 2012 at 21:21 Comment(3)
Lather: Why do you feel AntiSamy is better than html_sanitize?
Linolinocut: Because this way I can prevent having malicious code in my db. If I am correct, Caja filters the code while rendering? Not 100% sure about this. Plus, I don't need an additional .js file. Just my opinion, and I don't have too much knowledge to be honest. AntiSamy just works for me.
Lather: OK, so for your problem it probably is better. As I said, Caja is a suite of tools. html_sanitizer is a client-side library for taking a JavaScript string str and making it safe to say div.innerHTML = str. Caja also provides a library caja.js that creates a "better iframe" in which you can put user code and it will run, but won't have access to things like your cookies and won't be able to redirect the page, etc.