As of Firefox 148, we intend to turn on the HTML Sanitizer API.
Summary:
Right now, sanitizing a piece of HTML into something harmless requires a third-party library.
The HTML Sanitizer API provides functionality that allows inserting potentially malicious HTML into a document while preventing XSS and a wide range of other attacks, with configuration options where needed.
The main APIs are the Sanitizer constructor, which stores the configuration, and the Element.setHTML() and Document.parseHTML() functions. The API has already been enabled in Nightly for a few cycles.
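As an added illustration (not code from this post or from the Firefox implementation), here is how a page would use the three APIs named above with an allow-list configuration, falling back to plain-text insertion where the API is absent; the helper names, the configuration and the sample markup are assumptions of this example.

```javascript
// Added example, not from the intent-to-ship post or the Firefox code base.
// Shows the Sanitizer constructor, Element.setHTML() and Document.parseHTML()
// with an allow-list config. Helper names and the config are assumptions.

// Constructed sample of untrusted markup (e.g. a user-submitted comment).
const UNTRUSTED_HTML =
  '<p onmouseover="alert(1)">Hello <b>world</b></p>' +
  '<img src="x" onerror="alert(1)">' +
  '<script>alert(1)</script>';

// Allow-list dictionary for the Sanitizer constructor: only these elements
// and attributes survive, so script, img and event-handler attributes are
// dropped. A Sanitizer built with no config uses the spec's safe default.
function commentSanitizerConfig() {
  return {
    elements: ['p', 'b', 'i', 'a', 'ul', 'ol', 'li'],
    attributes: ['href', 'title'],
  };
}

// Feature detection for the APIs named in the post.
function sanitizerApiAvailable() {
  return typeof Sanitizer === 'function' &&
    typeof Element !== 'undefined' &&
    typeof Element.prototype.setHTML === 'function';
}

// Render untrusted markup into `target`. setHTML() is the safe replacement
// for assigning innerHTML: it parses and sanitizes in one step. Where the
// API is missing, the string is inserted as text so no markup is interpreted.
function renderUntrusted(target, html) {
  if (sanitizerApiAvailable()) {
    const sanitizer = new Sanitizer(commentSanitizerConfig());
    target.setHTML(html, { sanitizer });
    return 'sanitized';
  }
  target.textContent = html;
  return 'text-fallback';
}

// Parse a complete untrusted document (e.g. for a preview) without touching
// the live DOM; returns null when the API is unavailable. The options
// dictionary accepts either a Sanitizer object or a config dictionary.
function parseUntrustedDocument(html) {
  if (typeof Document !== 'undefined' &&
      typeof Document.parseHTML === 'function') {
    return Document.parseHTML(html, { sanitizer: commentSanitizerConfig() });
  }
  return null;
}
```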
Bugs:
Specification:
The specification has been in active development with positive engagement from engineers across all three browser engines involved.
The spec is tracked as a stage 2 proposal for upstreaming into the WHATWG HTML standard; the current text is at https://wicg.github.io/sanitizer-api/.
Standards Body:
WHATWG & WICG
Platform coverage:
Desktop and Android
Preference:
dom.security.sanitizer.enabled
DevTools bug: N/A. We have built logging for typical errors as part of the implementation.
Link to standards-positions discussion:
https://github.com/mozilla/standards-positions/issues/106 (positive)
Other browsers:
Blink: Shipping in 145, cf. https://groups.google.com/a/chromium.org/g/blink-dev/c/iu3VwMotMBc/m/2-LB7pDXAQAJ.
WebKit: Positive position. https://github.com/WebKit/standards-positions/issues/86
web-platform-tests:
A wide range of tests exist and we pass all but one, aligning us closely with the implementation in Blink.
Please let us know if you have any questions or concerns.
Tom Schuster
Frederik Braun