Question

I'm trying to tackle the classic "user input sanitisation" problem on my new web app and I chose to use Google Caja's HTML Sanitizer server-side for this task.

Although the implementation + testing went fine, I still have some questions:

  • 1) I could only find the HTML4 definitions, does this mean that HTML5 tags wouldn't be safe?

I did some tests with HTML5-specific tag/attribute XSSs and although none of them worked I'm not 100% sure that some untested ones wouldn't work.

  • 2) Google Caja doesn't seem too active anymore, would this constitute a security issue?

  • 3) I want my users to be able to share links, how would I be able to do this in a safe way that passes Google Caja's filters? (like StackOverflow)

  • 4) How does Caja handle Unicode?

Thank you in advance!

Solution

1) I could only find the HTML4 definitions, does this mean that HTML5 tags wouldn't be safe?

We have added HTML5 support in the past few months. Please let us know if anything is missing.

2) Google Caja doesn't seem too active anymore, would this constitute a security issue?

Are you perhaps looking in the wrong place? We're quite busy, as you can see here.

3) I want my users to be able to share links, how would I be able to do this in a safe way that passes Google Caja's filters? (like StackOverflow)

You can supply a URI policy which permits or rejects outgoing links.

4) How does Caja handle Unicode?

Correctly, I should hope. If things don't work, please file a bug.
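
One way to write the URI policy mentioned under 3), as an added example that is not part of the original answer and is not Caja's own code. It assumes the sanitizer calls the policy with each link's URI (a string or an object with `toString()`) and drops the link when the policy returns null; `linkPolicy` and `ALLOWED_SCHEMES` are hypothetical names.

```javascript
// Added example: a link policy in the shape "URI in, URI or null out".
// linkPolicy and ALLOWED_SCHEMES are hypothetical names, not Caja identifiers.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function linkPolicy(uri) {
  // Accept a plain string or a URI-like object; strip surrounding spaces only.
  const raw = String(uri).replace(/^ +| +$/g, '');

  // Reject any remaining whitespace or control character. URL parsers drop
  // tabs and newlines, so a scheme split by one would otherwise slip through.
  if (/[\u0000-\u0020\u007f]/.test(raw)) return null;

  // Require an explicit scheme: user-shared links must be absolute, so
  // relative and protocol-relative ("//host/path") values are rejected.
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(raw);
  if (!m || !ALLOWED_SCHEMES.has(m[1].toLowerCase())) return null;

  let parsed;
  try {
    parsed = new URL(raw); // WHATWG URL parser (global in Node and browsers)
  } catch (e) {
    return null; // unparseable input is never passed through
  }

  if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
    // A web link needs a host, and embedded credentials are refused because
    // "https://trusted@other.example/" misleads readers about the destination.
    if (!parsed.hostname || parsed.username || parsed.password) return null;
  }

  // Return the normalised form so the emitted attribute matches what was checked.
  return parsed.href;
}

// Constructed sample inputs, for illustration only.
function filterLinks(links) {
  return links.map((l) => linkPolicy(l));
}

console.log(filterLinks([
  'https://example.com/a?b=1',
  'javascript:alert(1)',
  '//example.com/x',
  'mailto:someone@example.com',
]));
```

The allowlist is deliberately by scheme rather than a blocklist of known-bad schemes, so anything not explicitly permitted is dropped.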

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow