Is the Google Caja safe JavaScript project still useful and being maintained?

Looking into Google Caja for XSS sanitization

Answer by A Quora admin:

As I have recently looked into the matter I have some information to share regarding Google Caja's relevancy.

It doesn't look very good

I will focus on the client-sided javascript sanitation support. It is used by including html-sanitizer.js (in /src/com/google/caja/plugin) from the project in your website and then call

html.sanitize()

on the strings you wish to make safe for inserting into DOM. The file uses two auxiliary script files (html4-defs.js and uri.js), which used to be included in the source code, but can now only be obtained by building the project using ant (allowing you to customize security policies in the form of json files). However, as the build uses UX specific scripts, it doesn't work in Windows and in May 24, 2013 it was not deemed a priority by the team.

The project however does include pre-build releases include pre-built releases, which include the aforementioned script files. However, the last release (r5127) was of November 6, 2012. The last SVN commit to the source file html-sanitizer.js was of August 28, 2013. So the source has not been updated very recently and the pre-build releases are even older. This means the only way to get a recent usable version of the html-santizer is to compile it yourself in a Linux environment.

But looks can be deceiving

All this being said, I still feel Google Caja is relevant in today's world. The Caja project as a whole is being maintained actively and the last commit was on December 15, 2014, which is less than a month ago at the date of writing this answer. Furthermore, it begs the question how quick and easily this project can be out of date, considering HTML has been a well established standard (or proposal) for a long time now and OWASP's XSS listings (one of several) have been developed into maturity for some time now. As Caja works by white-listing content, even changes in this space doesn't render Caja out of date per se. Only if existing white-listed elements behavior change in a new HTML version, say, an accepted attribute on an accepted element starts accepting scripting behavior, only then is Caja in trouble. What exactly is white-listed is an easy config change (unfortunately, which requires a custom build in Linux).

Personally, I used this in a major project recently to solve a known security issue. Our security department was happy with the solution including Caja.

Regarding AngularJS ngSanitize

A question that popped into my mind is: if Caja is maintained by Google and AngularJS developed by Google, why doesn't ngSanitize use Caja? It seems the AngularJS team reinvented the wheel. This does not bode well for Caja's relevancy, if Google itself doesn't use its own projects. That or they simply needed to be independent to be quick enough without depending on the Caja team. ngSantize however has been updated very recently as opposed to Caja's javascript sanitizer. On the other hand, ngSanitize exists on GitHub only since 2012 (and can't be older than Angular itself), while Caja has been developing it's sanitation procedures since 2006 and has had a lot of time to put the finishing touches while AngularJS was just getting born. I really can't tell which is more up-to-date.

Is the Google Caja safe JavaScript project still useful and being maintained?

Posted in Uncategorized | Leave a comment

Differences between service, factory and provider in AngularJs

The differences between a service, factory and provider are subtle.

It turns out that a service and factory are actually providers that differ in how they return a value. Let me just link the whole thing (credits go to Ben Clinkinbeard and Miško Hevery).

Services

Syntax: module.service( 'serviceName', function );
Result: When declaring serviceName as an injectable argument you will be provided with an instance of the function. In other words new FunctionYouPassedToService().

Factories

Syntax: module.factory( 'factoryName', function );
Result: When declaring factoryName as an injectable argument you will be provided with the value that is returned by invoking the function reference passed to module.factory.

Providers

Syntax: module.provider( 'providerName', function );
Result: When declaring providerName as an injectable argument you will be provided with new ProviderFunction().$get(). The constructor function is instantiated before the $get method is called – ProviderFunction is the function reference passed to module.provider.

Everything is a provider:

provider.service = function(name, Class) {
   provider.provide(name, function() {
      this.$get = function($injector) {
         return $injector.instantiate(Class);
      };
   });
}

provider.factory = function(name, factory) {
   provider.provide(name, function() {
      this.$get = function($injector) {
         return $injector.invoke(factory);
      };
   });
}

provider.value = function(name, value) {
   provider.factory(name, function() {
      return value;
   });
};
Posted in coding | Tagged , , , | Leave a comment

Managing resuable modules with components over separate files in AngularJs

Here’s a trick I’m using to easily define reusable components over multiple files, contained within a specific module (which will function as a collection of components).

First, know that calling angular.module('MyModule') references an existing module, whereas angular.module('MyModule', []) always creates a new one (overwriting the old one)! So this poses the question: Where do we create the generic module? The answer is: either you include a javascript file that does this, or you do it manually for each app.

For example, let’s define an MainApp module and a GenericComponents module, with components spread across files. Here’s one way to do that:

read on

Posted in coding | Tagged , , | Leave a comment

Advanced form control with AngularJS and Bootstrap3

Forms in angular are pretty straightforward once you know how to read its state. So let’s look at a collection of tricks and put together and complete working Bootstrap 3 form with fabulous form validation.

 

In this form:

  1. No validation while initially filling the form
  2. On submit: validate form and keep updating fields as they change
  3. Red and green colors indicate the user’s progress
  4. Once submitted invalid form, the submit button becomes available only once the form is valid
  5. Bootstrap 3 form style, including help text and custom tailored alerts for validation messages

read on

Posted in coding | Tagged , , | 7 Comments

Advanced form validation with AngularJS and filters

Here’s a neat little trick I discovered that let’s you do wildcard expression checks for an input value:

Wildcard expression validation that marks input valid / invalid

read on

Posted in coding | Tagged , | Leave a comment

Angularjs: sharing state between directives and their controllers

The thing with directives, controllers, scope, link and compile is: they all share keywords and concepts. This puts so much trees in front of the forest, that until you’re clear on the individual underlying concepts you have no hope of understanding the abstractions made on top of it. And so it took me a long time to understand how I can make directives/controllers share state, even if they’re not nested.

That last part is important, because in essence, you can’t share data unless you also share an ancestor. The only exception to this is if you’re using decoupled communication through events and eventlisteners.

The example we’re not doing today

Ok, let’s dive into today’s problem we’re not solving: A form with several inputs, and each one have a tooltip, except the tooltip should be displayed on a specific location, the same for all inputs. Like an information box… in fact it’s not a tooltip at all.

simple inputform with text hint

read on

Posted in coding | Tagged , | 2 Comments

Fixing liquibase logging (in Spring) with SLF4J and Log4J

It took me awhile to figure it out, but I figured out how to run the liquibase logging through slf4j/log4j/logback etc, for Liquibase 3.0.8. There’s an easy way and a hard way. The easy way is just the hard way pre-packaged as a jar for you. You’ll understand.

The easy way

Drop in a jar called liquibase-slf4j, by Matt Bertolini, and configure its class logging through slf4j instead. In my case I’m using slf4j-log4j12 on top of that so I configure everything log4j style (make sure you have log4j on your classpath!).

<!-- your own standard logging dependencies -->
<dependency>
	<groupId>org.slf4j</groupId>
	<artifactId>slf4j-api</artifactId>
	<version>1.7.5</version>
</dependency>
<dependency>
	<groupId>org.slf4j</groupId>
	<artifactId>slf4j-log4j12</artifactId>
	<version>1.7.5</version>
</dependency>

<!-- special dependency to fix liquibase's logging fetish -->
<dependency>
	<groupId>com.mattbertolini</groupId>
	<artifactId>liquibase-slf4j</artifactId>
	<version>1.2.1</version>
</dependency>

read on

Posted in coding, open source | Tagged , , , , | 1 Comment

Enhancing $log in AngularJs the simple way

Let’s start by prepending timestamp and class name

Recently I’ve been on the lookout for a way to configure Angular’s logging module. Specifically, I wanted its output prepended with a date and a context string, say a ‘class’ name or name of the controller doing the logging.

Something like this (example from java):
"2013-12-23 19:44:39,619 INFO [java.sql.DatabaseMetaData]: Table not found: Employees"

Also, if we enable per-class loggers, how can we mute logging for certain classes?

What I found was a rather… extensive a solution utilizing Angular’s built in support for decorators. Ofcourse, the fact it actually works is great and it’s a nice insight into some advanced javascript and Angular concepts (I especially found the requirejs / angular combo of interest), but I think it can be much much simpler.

read on

Posted in coding | Tagged , , | 2 Comments

Ways to sort lists of objects in Java based on multiple fields

As I was again trying to remember how to sort a list of objects in Java bases on multiple keys, I had the luminous idea to finally write it down.

We have a list of pizza’s, and I want them sorted according to size, number of toppings and furthermore by name. This means that there will be groups ordered by size and within those groups the pizza’s are ordered into groups by number of toppings and in those groups the pizza’s are ordered by name.

We want to end up with a list like this:

  1. Pizza’s 34cm:
  2. Anchovy (34cm, tomato, cheese, Anchovies)
  3. Prosciutto (34cm, tomato, cheese and ham)
  4. Chicken Special (34cm, tomato, cheese, chicken and turkey pieces)
  5. Vulcano (34cm, tomato, cheese, mushrooms and ham)
  6. Peperone (34cm, tomato, cheese, mushrooms, ham, capsicum, chili peppers and onions)
  7. Pizza’s 30cm:
  8. Anchovy (30cm, tomato, cheese, Anchovies)
  9. Prosciutto (30cm, tomato, cheese and ham)
  10. Chicken Special (30cm, tomato, cheese, chicken and turkey pieces)
  11. Vulcano (30cm, tomato, cheese, mushrooms and ham)
  12. Peperone (30cm, tomato, cheese, mushrooms, ham, capsicum, chili peppers and onions)
  13. Pizza’s 26cm:
  14. Anchovy (26cm, tomato, cheese, Anchovies)
  15. Prosciutto (26cm, tomato, cheese and ham)
  16. Chicken Special (26cm, tomato, cheese, chicken and turkey pieces)
  17. Vulcano (26cm, tomato, cheese, mushrooms and ham)
  18. Peperone (26cm, tomato, cheese, mushrooms, ham, capsicum, chili peppers and onions)

read on

Posted in coding | Tagged , , | Leave a comment

Simple Java Mail 1.9 is now available in Maven Central

I hadn’t gotten around to putting Simple Java Mail into Maven Central due to the complexities of going through Sonatype first. But now it is done: Simple Java Mail v1.9 now resides in Maven Central and can be included in your project using the following dependency:

read on

Posted in mailing, open source | Tagged | Leave a comment