Once we render the load in the test file that we specified earlier in our example, we are presented with both a visual and source code comparison of the content, as shown in Figure 8-3.
Figure 8-3. The Caja rendering application
The original content loads our iframe,
div, and (when run) the
script block that we included to display a pop
up to the user. The original content raw dump is an unmodified version
of the loaded file.
The right column on the Caja side is a much different story. The
div are preserved in the rendered version, but
the iframe is stripped and a second alert is absent. When we look at the
raw content of the cajoled file, we can see why. The iframe and
script block have been removed from the file
that we attempted to load.
This is just a simple sanitization script from Caja, so although it presents a useful peek into the Caja process, it’s important to note that doesn’t represent the server-side cajoler’s full content manipulation capacity.