Tags: html, hyperlink, xss, html-sanitizing, google-caja

Link sharing - Google Caja HTML Sanitizer


I'm trying to tackle the classic "user input sanitisation" problem on my new web app and I chose to use Google Caja's HTML Sanitizer server-side for this task.

Although the implementation + testing went fine, I still have some questions:

  • 1) I could only find the HTML4 definitions, does this mean that HTML5 tags wouldn't be safe?

    I did some tests with HTML5-specific tag / attribute XSSs and although none of them worked I'm not 100% sure that some untested ones wouldn't work.

  • 2) Google Caja doesn't seem too active anymore, would this constitute a security issue?

  • 3) I want my users to be able to share links, how would I be able to do this in a safe way that passes Google Caja's filters? (like StackOverflow)

  • 4) How does Caja handle Unicode?

Thank you in advance!


Solution

  • 1) I could only find the HTML4 definitions, does this mean that HTML5 tags wouldn't be safe?

    We have added HTML5 support in the past few months. Please let us know if anything is missing.

  • 2) Google Caja doesn't seem too active anymore, would this constitute a security issue?

    Are you perhaps looking in the wrong place? We're quite busy, as you can see here.

  • 3) I want my users to be able to share links, how would I be able to do this in a safe way that passes Google Caja's filters? (like StackOverflow)

    You can supply a URI policy which permits or rejects outgoing links.

  • 4) How does Caja handle Unicode?

    Correctly, I should hope. If things don't work, please file a bug.
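
A sketch of the kind of URI policy mentioned in point 3, as an added example that is not part of the original answer or of Caja's code. The names `linkPolicy`, `applyPolicy`, `ALLOWED_SCHEMES` and `SAMPLES` are hypothetical, and the wiring into the sanitizer shown in the last comment is an assumption to check against the Caja version in use.

```javascript
// Added example: a URI policy for user-shared links (not Caja's own code).
// Schemes a shared link may use; everything else is rejected.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns a normalized URI string to keep the link, or null to drop it.
function linkPolicy(uri) {
  const raw = String(uri).trim();
  // Reject embedded whitespace and control characters outright, so a
  // value like "java\tscript:..." never reaches the URL parser.
  if (/[\u0000-\u0020\u007f]/.test(raw)) return null;
  let parsed;
  try {
    // No base URL is given, so relative and protocol-relative
    // references ("/x", "//host/x") fail to parse and are rejected.
    parsed = new URL(raw);
  } catch (e) {
    return null;
  }
  // The parser lower-cases the scheme, so "JavaScript:" cannot slip by.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Userinfo ("https://trusted.example@other.example/") can disguise
  // the real destination of a link, so refuse it.
  if (parsed.username !== '' || parsed.password !== '') return null;
  return parsed.href;
}

// Constructed sample hrefs, as they might appear in user-submitted HTML.
const SAMPLES = [
  'https://example.com/a?b=1',
  'JavaScript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
  '//example.com/x',
  'https://user:pw@example.com/',
  'mailto:a@example.com',
];

// Pairs each href with the policy decision (null means "strip the link").
function applyPolicy(hrefs) {
  return hrefs.map((href) => [href, linkPolicy(href)]);
}

for (const [href, decision] of applyPolicy(SAMPLES)) {
  console.log(JSON.stringify(href), '->', decision);
}

// Assumed wiring with Caja's JavaScript sanitizer (idPolicy is hypothetical):
//   html_sanitize(untrustedHtml, linkPolicy, idPolicy);
```

An allow-list of schemes is used here rather than a block-list of known-bad ones, so schemes the policy author never thought of are rejected by default.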