Their list of typical attack vectors in ES3 is very eye-opening: <a href="http://code.google.com/p/google-caja/wiki/AttackVectors" rel="nofollow">http://code.google.com/p/google-caja/wiki/AttackVectors</a>
<a href="http://code.google.com/p/google-caja/w/list?q=label:Attack-Vector" rel="nofollow">http://code.google.com/p/google-caja/w/list?q=label:Attack-V...</a>

You can also easily play with the Valija and ES5/3 dialects here: <a href="http://caja.appspot.com" rel="nofollow">http://caja.appspot.com</a>
This is so important for 'us', here on HN. Let me try to explain why:

Many here are building SaaS products, and with the SaaS landscape getting ever more crowded we see a lot of SaaS integrations emerge. Have a look at freshbooks for instance. Currently these integrations are usually implemented 'server-side': the server of one web app pulls data from another web app.
If we want to allow client-side integrations, which let a JS plugin be loaded from another app, then we need to keep security in mind (as this is, on purpose, cross-site scripting). This Caja lib seems to provide proper measures to allow these kinds of integrations.