Tags: google-apps-script, web-applications, google-code-prettify, google-caja

Why does caja sanitization of Google Apps Script htmloutput fail on particular strings


I am trying to prepare GAS code samples for embedding in Google Sites and other web sites. I use the HtmlService.createHtmlOutput and HtmlService.createTemplateFromFile() and template.evaluate().getContent() to serve up an html version of the content of a google apps script. That all works fine as per this post.

Now I would like to prettify the code using prettify.js. I'm using the version embedded in caja and it almost works. However, particular method names in the code being prettified throw an error from HtmlService.

Untaming of guest constructed objects objects unsupported. Expect a function not a string : pln

Specifically, this text is successfully prettified,

function xisItHtml (e) {
  return ( e.parameter.hasOwnPropertu('template')) ;
}

whereas this throws an error

function xisItHtml (e) {
  return ( e.parameter.hasOwnProperty('template')) ;
}

It seems that specific methods (strange, because none of this code is being executed, just prettified) cause caja sanitization to complain.

The code in the template is just this

$(document).ready(function () {
  // any jQueryness can happen here...
  try {
    prettyPrint();
  }
  catch (err) {
    alert("failed prettification " + err);
  }
});

I'm pretty much stumped. Any ideas?


Solution

  • So it seems that there is a failure when you insert a prettified piece of text containing .toString() or .hasOwnProperty() into an htmloutput in GAS. I couldn't find any other text that caused problems but there may be more. My hack was just to change the text before prettification and change it back later.

    $(document).ready(function () {
      // any jQueryness can happen here...
      var thingsThatScrewUp = ['toString', 'hasOwnProperty'], t;

      $('.pretty').each(function (i, elem) {
        var c = $(elem).text();
        // disguise: swap each ".name" for a placeholder identifier before prettifying
        // (the dot must be escaped, otherwise it matches any character and eats it)
        for (var j = 0; j < thingsThatScrewUp.length; j++) {
          c = c.replace(new RegExp("\\." + thingsThatScrewUp[j], 'g'), ".sandw_" + j + "_ch");
        }
        try {
          t = prettyPrintOne(c);
        }
        catch (err) {
          $('#report').html(err + c);
          return; // leave this element as it was rather than reuse the previous result
        }
        // undisguise: put the real names back into the prettified HTML
        for (var j = 0; j < thingsThatScrewUp.length; j++) {
          t = t.replace(new RegExp("sandw_" + j + "_ch", 'g'), thingsThatScrewUp[j]);
        }
        $(elem).html("<pre class='code pretty prettyprint'>" + t + "</pre>");
      });
      $('#working').html('Module:');
    });

    Here's a working version.
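The following is an added example, not code from the question, the answer or prettify itself. It reproduces the answer's disguise/undisguise workaround in a form that runs stand-alone under Node, keeps the posted regex beside a corrected one (the unescaped `.` in `"." + name` is a wildcard, so it also swallows the character before the name), and uses a stand-in tokenizer to illustrate one reading of the error text: a highlighter that caches token kinds in a plain object keyed by identifier ends up with an own property named `hasOwnProperty` whose value is the string `'pln'`, which is what "Expect a function not a string : pln" describes. That reading, the `tokenKinds*` functions and `hasShadowedBuiltin` are assumptions made for the example; the placeholder names `sandw_N_ch` are the answer's.

```javascript
// Added example (not from the question, the answer or prettify).
// Models the answer's placeholder workaround plus the dictionary pattern that
// avoids the collision; the tokenizer and taming check are stand-ins (assumptions).

const RISKY_NAMES = ['toString', 'hasOwnProperty'];

// Escape RegExp metacharacters so a method name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// The pattern as posted in the answer: "." is an unescaped wildcard, so
// "mytoString" becomes "m.sandw_0_ch" (kept here only for comparison).
function naiveDisguise(code, names = RISKY_NAMES) {
  let out = code;
  names.forEach((name, i) => {
    out = out.replace(new RegExp('.' + name, 'g'), '.sandw_' + i + '_ch');
  });
  return out;
}

// Corrected: a literal dot, the exact name and a word boundary, so
// "mytoString" and "a.toStringy" are left alone.
function disguise(code, names = RISKY_NAMES) {
  let out = code;
  names.forEach((name, i) => {
    const re = new RegExp('\\.' + escapeRegExp(name) + '\\b', 'g');
    out = out.replace(re, '.sandw_' + i + '_ch');
  });
  return out;
}

// Restore the real names in the highlighted HTML. The placeholder has no
// HTML-special characters, so the highlighter's escaping cannot alter it.
function undisguise(html, names = RISKY_NAMES) {
  let out = html;
  names.forEach((name, i) => {
    out = out.replace(new RegExp('sandw_' + i + '_ch\\b', 'g'), name);
  });
  return out;
}

// Stand-in tokenizer (assumption): records each identifier's token kind in a
// plain object, as a naive cache would. An identifier spelled "hasOwnProperty"
// then shadows Object.prototype.hasOwnProperty with the string 'pln'.
function tokenKindsPlainObject(code) {
  const kinds = {};
  for (const m of code.matchAll(/[A-Za-z_$][\w$]*/g)) {
    kinds[m[0]] = 'pln';
  }
  return kinds;
}

// Same cache backed by a Map: keys never become properties, so identifier
// names in the input cannot collide with inherited members at all.
function tokenKindsMap(code) {
  const kinds = new Map();
  for (const m of code.matchAll(/[A-Za-z_$][\w$]*/g)) {
    kinds.set(m[0], 'pln');
  }
  return kinds;
}

// Stand-in for the sandbox's taming check (assumption): reject any object
// whose hasOwnProperty or toString is an own, non-function property.
function hasShadowedBuiltin(obj) {
  return RISKY_NAMES.some(name =>
    Object.prototype.hasOwnProperty.call(obj, name) && typeof obj[name] !== 'function');
}

// Constructed sample, the snippet from the question that fails.
const SAMPLE = "function xisItHtml (e) {\n  return ( e.parameter.hasOwnProperty('template')) ;\n}";

// Usage: the posted regex corrupts unrelated text; the corrected one round-trips.
console.log(naiveDisguise('x = mytoString;'));           // x = m.sandw_0_ch;
console.log(undisguise(disguise(SAMPLE)) === SAMPLE);     // true
console.log(hasShadowedBuiltin(tokenKindsPlainObject(SAMPLE)));           // true
console.log(hasShadowedBuiltin(tokenKindsPlainObject(disguise(SAMPLE)))); // false
console.log(hasShadowedBuiltin(tokenKindsMap(SAMPLE)));                   // false
```

The placeholder route works because the highlighter never sees the risky identifier; the Map route works because the cache's keys are data rather than properties, which is the general fix for any dictionary fed untrusted identifiers.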