Contact emails: voge...@chromium.org, mk...@chromium.org, l...@chromium.org
The Sanitizer API is an easy-to-use, safe-by-default HTML sanitizer that developers can use to remove content that may execute script from arbitrary, user-supplied HTML. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: making a sanitizer more easily accessible to web developers; being easy to use and safe by default; and shifting part of the maintenance burden from applications to the platform.
This is the initial "MVP". It implements the current spec except for two features, the .sanitize and .sanitizeFor methods on the Sanitizer object, which are left out to leave room for more discussion. Our intent is to add the missing features once that discussion has run its course. In all other aspects, this launch faithfully implements the spec as currently written. We feel the current implementation already adds substantial value to the web platform as-is.
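As an added example (not part of this Chrome Status entry and not Chromium's own code): a fail-closed helper that renders untrusted HTML through the Sanitizer API instead of innerHTML. It assumes the API shape of the WICG spec at the time of this launch, namely a global `Sanitizer` constructor taking a configuration dictionary with `allowElements` and `allowAttributes`, and `Element.prototype.setHTML(input, { sanitizer })`. The `COMMENT_POLICY` allow-list, the `renderUntrusted` and `supportsSanitizerApi` helpers and the injectable `SanitizerCtor` parameter are this example's own, and the input HTML is constructed for illustration.

```javascript
// Added example, not from the Chrome Status entry or from Chromium.
// Assumed API shape (WICG Sanitizer API as of this launch):
//   new Sanitizer(config)                      -> sanitizer object
//   element.setHTML(untrustedHtml, { sanitizer }) -> parses, sanitizes, inserts
// Assumed config keys: allowElements (element allow-list) and
// allowAttributes ({ attributeName: [elementNames] }).

// Restrictive allow-list for a rich-text comment widget (example policy).
// Everything not listed is removed, so <script>, <iframe>, inline event
// handler attributes and similar never reach the live DOM.
const COMMENT_POLICY = {
  allowElements: ['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'code', 'pre'],
  allowAttributes: { href: ['a'] },
};

// Feature detection: true only when both halves of the API are present.
function supportsSanitizerApi(scope = globalThis) {
  return typeof scope.Sanitizer === 'function'
    && typeof scope.Element === 'function'
    && typeof scope.Element.prototype.setHTML === 'function';
}

// Render untrusted HTML into `target` through the sanitizer. Fails closed:
// if the API is unavailable it throws rather than falling back to innerHTML.
// `SanitizerCtor` is injectable so the logic can be exercised outside a browser.
function renderUntrusted(target, untrustedHtml, policy = COMMENT_POLICY,
                         SanitizerCtor = globalThis.Sanitizer) {
  if (typeof SanitizerCtor !== 'function' || typeof target.setHTML !== 'function') {
    throw new Error('Sanitizer API unavailable; refusing to render untrusted HTML unsanitized');
  }
  const sanitizer = new SanitizerCtor(policy);
  target.setHTML(untrustedHtml, { sanitizer });
  return sanitizer;
}

// Constructed sample input: the onclick attribute and <script> are not in the
// policy and are removed by the platform before insertion.
const SAMPLE_UNTRUSTED = '<p onclick="steal()">Hello <b>world</b></p><script>steal()</script>';

if (supportsSanitizerApi()) {
  renderUntrusted(document.getElementById('comment'), SAMPLE_UNTRUSTED);
}
```

The point of the fail-closed branch is that a missing `setHTML` must not silently degrade to `innerHTML`; if a polyfill or fallback is needed, it should be chosen deliberately rather than by accident.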
TAG review status: Issues addressed
The Sanitizer API can be debugged with existing DevTools. It has no hidden state (or other "special" integration) that would warrant customized DevTools support.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? Yes
Requires code in //chrome? False
Measurement: Several use counters for API calls are defined (e.g. https://source.chromium.org/search?q=MeasureAs%3DSanitizerAPI%20file:%5C.idl$ ).
Anticipated spec changes
The plan of record is to migrate the current WICG spec to HTML proper:
* https://github.com/WICG/sanitizer-api/issues/114
Two apparently contentious API choices were removed from this launch, which is what makes it an MVP. By ensuring the MVP contains only agreed-upon APIs, we leave room for the API to evolve in any direction.
The present spec requires a secure context. This might be dropped in a future version.
The present spec does not support namespaced content (like SVG or MathML). This is likely to be added in a future version.