Wednesday, August 13, 2014

Fwd: [Caja] Rich-text editors compatible with Caja
Sent from my iPhone

Begin forwarded message:

From: "'Kevin Reid' via Google Caja Discuss" <google-caja-discuss@googlegroups.com>
Date: August 13, 2014 at 13:17:43 EDT
To: Google Caja Discuss <google-caja-discuss@googlegroups.com>
Subject: Re: [Caja] Rich-text editors compatible with Caja
Reply-To: google-caja-discuss@googlegroups.com

On Tue, Aug 12, 2014 at 5:04 PM, Andrew Stillman <astillman@gmail.com> wrote:
Before I lose faith, can anyone comment on whether there is a known or documented compatible rich text editor for Caja?

Unfortunately, most rich text editor components depend on the "contenteditable" browser feature, which is difficult if not impossible to support in a way which meets Caja's security requirements. You would have to use an editor which does not make use of contenteditable (perhaps, as MarkM suggested in another message, a markup editor with preview).
For the technically interested, the problem, as I understand it, is that contenteditable allows arbitrary HTML to be pasted into the document; that HTML can then attack the host page even if it was pasted into the guest. This does not mean that a guest could launch an attack by itself, but it could ask users to perform such an apparently-innocuous action as visiting another page ("try our templates!") and copying content from it.

(Don't take this as the final word; I wasn't present for the original decision and may not have the analysis right.)

I have a hypothesis that this could be mitigated by arranging to sanitize the content immediately after it is pasted, but I haven't tried this idea out to see if it even vaguely works.

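The paste-time sanitization hypothesized in the message above, as an added JavaScript example that is not part of this thread or of Caja itself: a `paste` handler cancels the browser's native insertion and inserts an allowlist-sanitized copy of the clipboard HTML instead. The allowlists, `sanitizeHtml` and `installPasteSanitizer` are assumed names; whether this is enough for Caja's requirements is the open question the message raises, not something the example settles.

```javascript
// Added example (not Caja code): allowlist-sanitize clipboard HTML before it reaches the editor's DOM.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) }; // onclick, style, src, ... are all dropped
const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');
const safeHref = (v) => (/^\s*https?:\/\//i.test(v) ? v : null); // rejects javascript:, data:, ...

function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag]; if (!allowed) return '';
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '', m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue;
    let value = [m[2], m[3], m[4]].find((v) => v !== undefined);
    if (name === 'href') value = safeHref(value);
    if (value !== null) out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

// Tokenizes markup directly (no DOMParser) so it also runs outside a browser; unknown
// elements lose their tags but keep their text, script/style lose both.
function sanitizeHtml(html) {
  let out = '', i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { // text run up to the next '<'
      const next = html.indexOf('<', i), end = next === -1 ? html.length : next;
      out += escapeText(html.slice(i, end)); i = end; continue;
    }
    const tag = html.slice(i).match(/^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/);
    if (!tag) { out += '&lt;'; i += 1; continue; } // stray '<' becomes text
    i += tag[0].length;
    const closing = tag[1] === '/', name = tag[2].toLowerCase();
    if ((name === 'script' || name === 'style') && !closing) {
      const close = html.toLowerCase().indexOf(`</${name}`, i); // skip the element body as well
      if (close === -1) break; // unterminated: drop the remainder
      const gt = html.indexOf('>', close); i = gt === -1 ? html.length : gt + 1; continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, tag[3])}>`;
  }
  return out;
}

function installPasteSanitizer(editor) { // browser side: cancel the native paste, insert clean markup
  editor.addEventListener('paste', (event) => {
    event.preventDefault();
    const html = event.clipboardData.getData('text/html');
    const clean = html ? sanitizeHtml(html) : escapeText(event.clipboardData.getData('text/plain'));
    document.execCommand('insertHTML', false, clean); // deprecated, but inserts at the caret
  });
}
```

A `>` inside a quoted attribute value ends the tag early in this tokenizer; the remainder is then escaped as text, so the simplification fails closed rather than open.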