For what it's worth we're using Johnson for something similar, the intent
isn't so much to prevent maliciousness but to allow multiple scripts from
different 3rd party developers running in the same environment without
worrying about clashing variable or function names.

We previously used RKelly but moved to Johnson because it facilitated us
actually testing the compiled scripts by executing them.

On Sun, Aug 16, 2009 at 3:06 PM, Mongoose Sir mongoose <mongoosehq / gmail.com> wrote:

> @pharrington - thanks for the pointer on Hpricot/Nokogiri.  I'm familiar
> with Hpricot but will have to take a look at Nokogiri.
>
> Aaron - Thanks.  I'll take a look at those.  Think I'm getting in over
> my head here, but should be fun times.
>
> Fabian -
>
> The whole point of the website is to allow third-party developers to
> display HTML inside of a little content area within the site.  (Not
> unlike certain large social networking site's Apps feature)
>
> One approach I've seen is namespacing all css IDs with some kind of
> application id or something.
>
> So,
>
> $('#foo-alert').html('You just won a prize!');
> ...would have to become
> $('#app_1234567_foo-alert').html('You just won a prize!');
>
> If they broke out of their content area and started manipulating the DOM
> on other parts of the page, this wouldn't even be the end of the world.
> (they'd eventually get caught & banned)
>
> I'm more concerned about malicious things they could do to the end-user,
> e.g. cookie theft.
>
> It sounds like a whitelist is the reasonable approach here.
>
> Cheers,
> - Sean
> --
> Posted via http://www.ruby-forum.com/.


-- 
Tony Arcieri
Medioh/Nagravision

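As an added example, not code from this thread and not part of Johnson or RKelly, here is one way to implement the ID-namespacing scheme Sean describes ("#foo-alert" becoming "#app_1234567_foo-alert") so that each third-party script can only address elements carrying its own app prefix. The function names (namespaceSelector, resolveForApp, makeScopedQuery) and the DOM_IDS registry standing in for the page are assumptions made for the example, so it runs in plain Node without a browser.

```javascript
// Matches "#some-id" inside a jQuery-style selector string.
const ID_RE = /#([A-Za-z_][\w-]*)/g;

// Prefix an element id with the app's namespace. The numeric check on appId
// is a design choice for the example: it stops one app from picking an id
// that merely looks like another app's prefix (e.g. "1234567_x").
function namespaceId(appId, id) {
  if (!/^\d+$/.test(String(appId))) throw new TypeError("appId must be numeric");
  const prefix = `app_${appId}_`;
  return id.startsWith(prefix) ? id : prefix + id; // idempotent
}

// Rewrite every "#id" in a selector into the app's namespace, leaving
// tags and classes untouched: "div#foo-alert .msg" -> "div#app_1234567_foo-alert .msg".
function namespaceSelector(appId, selector) {
  return selector.replace(ID_RE, (_m, id) => "#" + namespaceId(appId, id));
}

function ownsId(appId, id) {
  return id.startsWith(`app_${appId}_`);
}

// Constructed stand-in for the page's DOM: two apps' alert boxes plus a
// site-level element no app should be able to reach.
const DOM_IDS = new Set([
  "app_1234567_foo-alert",
  "app_7654321_foo-alert",
  "site-login-form",
]);

// Resolve a selector on behalf of one app. Every id in it must be in the
// app's namespace AND exist; otherwise nothing is returned (fail closed).
function resolveForApp(appId, selector) {
  const scoped = namespaceSelector(appId, selector);
  const ids = [...scoped.matchAll(ID_RE)].map((m) => m[1]);
  const allOwned = ids.every((id) => ownsId(appId, id) && DOM_IDS.has(id));
  return allOwned ? ids : [];
}

// A "$" the third-party script would be handed instead of the real jQuery:
// it only ever sees elements inside its own namespace.
function makeScopedQuery(appId) {
  return (selector) => resolveForApp(appId, selector);
}

// Stand-alone run
const $ = makeScopedQuery(1234567);
console.log($("#foo-alert"));                 // own element: resolved
console.log($("#app_7654321_foo-alert"));     // another app's element: []
console.log($("#site-login-form"));           // site element: []
```

Note that an attempt to reach another app's element is prefixed a second time ("#app_1234567_app_7654321_foo-alert"), which matches nothing, so cross-app references fail closed without any per-app blacklist. This only solves the name-clash problem Tony and Sean describe; a script that ignores the scoped query and touches document.cookie directly is unaffected, which is why the thread lands on a whitelist of allowed constructs for the cookie-theft concern.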