Contact emails
[email protected]

Explainer
https://github.com/WICG/sanitizer-api/blob/main/explainer.md

Specification
https://wicg.github.io/sanitizer-api

Summary
The Sanitizer API offers an easy-to-use and safe-by-default HTML Sanitizer API, which developers can use to remove content that may execute script from arbitrary, user-supplied HTML content. The goal is to make it easier to build XSS-free web applications.

Blink component
Blink>SecurityFeature>SanitizerAPI (https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ESanitizerAPI)

Motivation
User input sanitization is a necessary and common activity of many web applications, but it's difficult to get right. As a component of the web platform, it's easier to harden the sanitizer implementation and keep it up-to-date. Offering a high-quality sanitizer with good defaults (without blocking developers from using their own, if they choose) would improve security and make it more accessible.

This follows previous attempts at establishing a Sanitizer API (https://chromestatus.com/feature/5786893650231296), which we unshipped again (https://chromestatus.com/feature/5115076981293056). The specification has meanwhile progressed, and we believe it's worth re-starting implementation work in Chrome/Chromium. The HTML group has labelled this spec as 'stage 2' (https://github.com/whatwg/html/issues?q=is%3Aissue+is%3Aopen+label%3A%22stage%3A+2%22+) in the HTML stages process (https://whatwg.org/stages#stage2).

Initial public proposal
https://wicg.github.io/sanitizer-api/

TAG review
https://github.com/w3ctag/design-reviews/issues/619

Risks

Interoperability and Compatibility
*Gecko*: Positive (https://mozilla.github.io/standards-positions/#sanitizer-api)
*WebKit*: Support (https://github.com/WebKit/standards-positions/issues/86)
*Web developers*: No signals
*Other signals*: HTML: stage 2 (https://github.com/whatwg/html/issues/7197)

Security
https://wicg.github.io/sanitizer-api/#security-considerations

WebView application risks
None. (This modifies Element.setHTMLUnsafe by adding a second parameter, but behaviour without that second parameter should be identical.)

Debuggability
These APIs are readily accessible and testable using DevTools.

Is this feature fully tested by web-platform-tests (https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md)?
Yes. WPT has a comprehensive test suite in the sanitizer-api/ directory. However, the current directory contains a mix of old-API and new-API tests and needs more work.
https://wpt.fyi/results/sanitizer-api?label=experimental&label=master&aligned

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5814067399491584?gate=5134521213911040

This intent message was generated by Chrome Platform Status (https://chromestatus.com/).

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPP0LBdNCieNydc6dfObByS2kCg1B2yvd6eZJHGTkW%2Bd-w%40mail.gmail.com.
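The following is an added usage example written for this page; it is not code from the intent message, from Chromium, or from the WICG repository. It shows the two entry points the message refers to: Element.setHTML(html, { sanitizer }) as the safe-by-default path, and Element.setHTMLUnsafe(html, { sanitizer }), the method that gained a second parameter. The configuration keys (elements, attributes, comments, dataAttributes) follow the WICG draft as of this writing and should be checked against the version actually shipped; COMMENT_CONFIG, UNTRUSTED_SAMPLE, renderUntrusted and renderTrustedWithAllowlist are names chosen for the example, and the sample HTML is constructed.

```javascript
// Added example for the Sanitizer API (https://wicg.github.io/sanitizer-api).
// Not part of the intent message or of any Chromium/WICG code.
//
//   el.setHTML(html, { sanitizer })        safe: the spec's baseline always removes
//                                          script-executing content, whatever the config says
//   el.setHTMLUnsafe(html, { sanitizer })  applies the config as given, with no safety baseline
//
// Config keys follow the draft SanitizerConfig dictionary (assumption: verify
// against the shipped version). The allowlist itself is an assumption for a
// comment-rendering widget, not a spec default.
const COMMENT_CONFIG = {
  elements: ["p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br"],
  attributes: ["href", "title"],
  comments: false,
  dataAttributes: false,
};

// Constructed untrusted input. With setHTML the baseline strips the event
// handler and the javascript: URL regardless of the allowlist; <img> is then
// dropped because it is not in COMMENT_CONFIG.elements.
const UNTRUSTED_SAMPLE =
  '<p>hello</p><img src=x onerror="alert(1)">' +
  '<a href="javascript:alert(1)" title="t">link</a>';

// Options bag passed as the second argument to setHTML / setHTMLUnsafe.
function sanitizerOptions(config = COMMENT_CONFIG) {
  return { sanitizer: config };
}

// Render untrusted HTML into `el` through the safe entry point. If the API is
// missing, fail closed: do NOT fall back to innerHTML, which would turn a
// feature-detection miss into an XSS sink.
function renderUntrusted(el, untrustedHtml, config = COMMENT_CONFIG) {
  if (typeof el.setHTML !== "function") {
    throw new Error("Sanitizer API unavailable; refusing to fall back to innerHTML");
  }
  el.setHTML(untrustedHtml, sanitizerOptions(config));
  return el;
}

// Render HTML the application itself produced (e.g. trusted template output)
// while still applying the allowlist. Nothing beyond the config is removed,
// which is why this is the "unsafe" variant and must never see user input.
function renderTrustedWithAllowlist(el, appHtml, config = COMMENT_CONFIG) {
  if (typeof el.setHTMLUnsafe !== "function") {
    throw new Error("Element.setHTMLUnsafe unavailable");
  }
  el.setHTMLUnsafe(appHtml, sanitizerOptions(config));
  return el;
}

// Stand-alone usage in a browser that implements the API; no-op elsewhere.
if (typeof document !== "undefined" && typeof Element !== "undefined") {
  const box = document.createElement("div");
  if (typeof box.setHTML === "function") {
    renderUntrusted(box, UNTRUSTED_SAMPLE);
    console.log(box.innerHTML); // expected: only <p> and <a> survive, without onerror/javascript:
  }
}
```

The fail-closed check matters more than it looks: older "polyfill" patterns detect the API and quietly fall back to `innerHTML`, which is exactly the sink the Sanitizer API exists to replace.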
