Intent to Prototype: Sanitizer API


Daniel Vogelheim

11:53 AM
to blink-dev

Contact emails

voge...@chromium.org

Explainer

https://github.com/WICG/sanitizer-api/blob/main/explainer.md

Specification

https://wicg.github.io/sanitizer-api

Summary

The Sanitizer API offers an easy-to-use and safe-by-default HTML Sanitizer API, which developers can use to remove content that may execute script from arbitrary, user-supplied HTML content. The goal is to make it easier to build XSS-free web applications.


Blink component

Blink>SecurityFeature>SanitizerAPI

Motivation

User input sanitization is a necessary and common activity of many web applications, but it's difficult to get right. As a component of the web platform it's easier to harden the sanitizer implementation and keep it up-to-date. Offering a high-quality sanitizer with good defaults (without blocking developers from using their own, if they choose) would improve security, and make it more accessible.

This follows previous attempts at establishing a Sanitizer API (https://chromestatus.com/feature/5786893650231296), which we unshipped again (https://chromestatus.com/feature/5115076981293056). The specification has meanwhile progressed and we believe it's worth re-starting implementation work in Chrome/Chromium. The HTML group has labelled this spec as 'stage 2' (https://github.com/whatwg/html/issues?q=is%3Aissue+is%3Aopen+label%3A%22stage%3A+2%22+) in the HTML stages process (https://whatwg.org/stages#stage2).



Initial public proposal

https://wicg.github.io/sanitizer-api/

TAG review

https://github.com/w3ctag/design-reviews/issues/619


Risks


Interoperability and Compatibility

Gecko: Positive (https://mozilla.github.io/standards-positions/#sanitizer-api)

WebKit: Support (https://github.com/WebKit/standards-positions/issues/86)

Web developers: No signals

Other signals: HTML: stage 2. (https://github.com/whatwg/html/issues/7197)

Security

https://wicg.github.io/sanitizer-api/#security-considerations


WebView application risks

None (This modified Element.setHTMLUnsafe by adding a second parameter, but behaviour without that 2nd parameter should be identical.)



Debuggability

These APIs are readily accessible and testable using DevTools.



Is this feature fully tested by web-platform-tests?

Yes

WPT has a comprehensive test suite, in the sanitizer-api/ directory. However, the current directory contains a mix of old-API and new-API tests and needs more work. https://wpt.fyi/results/sanitizer-api?label=experimental&label=master&aligned


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5814067399491584?gate=5134521213911040

This intent message was generated by Chrome Platform Status.