Original issue 1778 created by ihab.awad on 2013-06-24T20:04:43.000Z:
https://code.google.com/p/google-caja/source/detail?r=5218
This change disallowed HTML provided by guest code. That was in and of itself good, as it closed a security hole (arbitrary script execution by providing HTML data that is displayed un-sandboxed by GViz components).
Unfortunately, it did so by setting { allowHtml: false }, which means that the built-in GViz formatters, like ArrowFormat and BarFormat, which use HTML, no longer work.
There is no mechanism in GViz for saying, "Allow HTML from the built-in components, but do not allow HTML from the user-supplied data", which would be the policy that we would really want here.
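The policy the report asks for can be approximated on the host side: HTML-escape untrusted guest values before they enter the DataTable, then leave allowHtml on so the built-in formatters can emit their markup. The following is an added example written for this page; it is not code from Caja or from the Google Visualization API. The renderer model, the sample rows and the fakeArrowMarkup stand-in for formatter output are assumptions for illustration, not the real GViz implementation.

```javascript
// Added example, not Caja or GViz code. Models three configurations of a
// GViz-style table so the trade-off in the report can be seen concretely:
//   A: raw guest data,     allowHtml:true  -> guest markup runs (the original hole)
//   B: raw guest data,     allowHtml:false -> safe, but formatter markup is shown escaped
//   C: escaped guest data, allowHtml:true  -> safe, and formatter markup still renders

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open or break out of markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape every string cell of untrusted rows before they reach the DataTable.
// Numbers and booleans pass through: ArrowFormat and BarFormat work on numeric
// columns and produce their own markup later, so this step does not affect them.
function escapeUntrustedRows(rows) {
  return rows.map((row) =>
    row.map((cell) => (typeof cell === 'string' ? escapeHtml(cell) : cell)));
}

// Stand-in (assumption) for how a table renderer treats a cell string under
// each allowHtml setting: false text-escapes everything, formatter output
// included; true inserts the string as live HTML.
function renderCell(cell, allowHtml) {
  return allowHtml ? String(cell) : escapeHtml(cell);
}

// Stand-in (assumption) for formatter output on a numeric cell. The real
// ArrowFormat markup is not reproduced here.
function fakeArrowMarkup(n) {
  return n >= 0 ? '<span class="up">&#9650;</span>' : '<span class="down">&#9660;</span>';
}

// Constructed sample rows: column 0 is guest-supplied text, column 1 is a
// numeric column a formatter would decorate.
const GUEST_ROWS = [
  ['alice', 12],
  ['<img src=x onerror=alert(1)>', -3],
];

// Render GUEST_ROWS under policy 'A', 'B' or 'C' (see the table at the top).
function renderUnderPolicy(policy) {
  const rows = policy === 'C' ? escapeUntrustedRows(GUEST_ROWS) : GUEST_ROWS;
  const allowHtml = policy !== 'B';
  return rows.map(([name, n]) => [
    renderCell(name, allowHtml),
    renderCell(fakeArrowMarkup(n), allowHtml),
  ]);
}

for (const policy of ['A', 'B', 'C']) {
  console.log(`policy ${policy}:`, JSON.stringify(renderUnderPolicy(policy)));
}
```

Policy C is the workaround when the hosting page, not the guest, controls the DataTable: the escaping has to happen before guest data is handed to GViz, and any string column the host deliberately fills with trusted markup must be excluded from escapeUntrustedRows, which is exactly the per-source distinction the report notes GViz cannot express by itself.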