svnlabs / google-caja

Automatically exported from code.google.com/p/google-caja

r5218 broke GViz formatters #1778

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago

https://code.google.com/p/google-caja/source/detail?r=5218

This change disallowed HTML provided by guest code. That was in and of itself 
good, as it closed a security hole (arbitrary script execution by providing 
HTML data that is displayed un-sandboxed by GViz components).

Unfortunately, it did so by setting { allowHtml: false }, which means that the 
built-in GViz formatters, like ArrowFormat and BarFormat, which use HTML, no 
longer work.

There is no mechanism in GViz for saying, "Allow HTML from the built-in 
components, but do not allow HTML from the user-supplied data", which would be 
the policy that we would really want here.

Original issue reported on code.google.com by ihab.a...@gmail.com on 24 Jun 2013 at 8:04
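The policy the report asks for (render markup emitted by the built-in formatters, never HTML arriving in guest data) can be made concrete. The JavaScript below is an added example, not Caja or GViz code: renderTable is a stand-in for a table component drawn with allowHtml true or false, arrowFormat is an assumed approximation of ArrowFormat, and guestRows is constructed sample data. It renders the same rows under the pre-r5218 setting, the post-r5218 setting, and the escape-at-ingestion policy that keeps the formatters working.

```javascript
'use strict';

// Escape the characters that can close a text node or an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for a trusted built-in formatter such as ArrowFormat (assumption:
// the real one behaves similarly). It emits markup only for finite numbers and
// builds that markup from the number itself, so its output is safe to render.
function arrowFormat(value, base = 0) {
  if (typeof value !== 'number' || !Number.isFinite(value)) return value;
  const cls = value > base ? 'arrow-up' : value < base ? 'arrow-down' : 'arrow-flat';
  return `<span class="${cls}"></span>${value}`;
}

// Stand-in for a table component: cells are inserted verbatim when allowHtml
// is true and escaped when it is false; formatter output goes in formatCol.
function renderTable(rows, { allowHtml, formatCol, formatter }) {
  const cell = (v) => `<td>${allowHtml ? v : escapeHtml(v)}</td>`;
  return rows
    .map((row) => row.map((v, i) => (i === formatCol ? formatter(v) : v)))
    .map((row) => `<tr>${row.map(cell).join('')}</tr>`)
    .join('\n');
}

// Constructed guest data: the second label smuggles an event handler.
const guestRows = [
  ['Widgets', 12],
  ['<img src=x onerror=alert(1)>', -3],
];

const formatOpts = { formatCol: 1, formatter: arrowFormat };

// (a) Before r5218: allowHtml true on raw guest data. The formatter works,
// and so does the injected <img>, which is the hole the change closed.
function renderTrustingGuest(rows) {
  return renderTable(rows, { allowHtml: true, ...formatOpts });
}

// (b) After r5218: allowHtml false. The injection is inert, but the arrow
// markup is shown as literal text, which is what this issue reports.
function renderNoHtml(rows) {
  return renderTable(rows, { allowHtml: false, ...formatOpts });
}

// (c) The policy the report says GViz cannot express: neutralise every
// guest-supplied string before it enters the table, then keep allowHtml so
// that only markup produced by the trusted formatter is rendered.
function renderEscapedGuest(rows) {
  const escaped = rows.map((row) => row.map((v) => (typeof v === 'string' ? escapeHtml(v) : v)));
  return renderTable(escaped, { allowHtml: true, ...formatOpts });
}

// A tag is "live" only if it reaches the cell unescaped.
function containsLiveTag(html, tag) {
  return new RegExp(`<td>[^<]*<${tag}\\b`).test(html);
}

for (const [name, fn] of Object.entries({ renderTrustingGuest, renderNoHtml, renderEscapedGuest })) {
  console.log(`--- ${name} ---\n${fn(guestRows)}`);
}
```

The point of (c) is where the escaping happens: at the boundary where guest data is accepted, not at draw time. Once every string in the DataTable is already inert, allowHtml can stay on for the formatters without reopening the script-execution path, which is the distinction the single allowHtml flag cannot make.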

GoogleCodeExporter commented 9 years ago

Original comment by kpreid@google.com on 8 Nov 2013 at 12:09

GoogleCodeExporter commented 9 years ago
Ihab, if no one cares about this bug any longer, can you either lower its 
priority or close it? Otherwise, what is the current status? Thanks.

Original comment by erights on 15 Feb 2015 at 7:31