We would like to expose a sanitizer API that accepts "bad" HTML (string,
DocFragment) and returns a sanitized DocFragment, using a pre-defined
list of allowed elements / attributes. The implementation is using code
that we have had in mozilla-central for a long while: The existing
nsTreeSanitizer is widely used (e.g., when pasting HTML into a document
or in Reader Mode). We believe that exposing this will be useful for
applications that want to protect themselves from XSS while allowing a
subset of HTML.
*web-platform-tests*: WPT will be the primary test suite. However, we'll
keep a small mochitest in central for easier testing while we experiment
with API details and the final WebIDL. This will allow us to test things
independently, before we reach consensus. We expect the mochitests to be
fully replaced before this is exposed by default.
*Secure contexts*: Yes, required.
*Is this feature enabled by default in sandboxed iframes?*
allow. Sandboxed iframes with "allow-scripts" will be able to make use of
*Security & Privacy Concerns*: This API does not expose information
about the user, their system or session. Some security questions
regarding compatibility have not been fully answered though. See note above.
libraries exist, e.g., DOMPurify. However these implementations face
significant challenges: 1) Walking an attacker-controlled DOM tree is
extremely challenging. The page at
<https://portswigger.net/web-security/dom-based/dom-clobbering> gives an
example of DOM clobbering attacks, in which elements with id="attribute"
can shadow the parent element's "attribute" property. 2) Parsing
ambiguities between security library and browser can lead to security
bugs. We're hoping that an implementation which matches the browser's
parsing behavior will eradicate this issue. In essence: We know
that frameworks and single-page applications already make use of this
feature, but we hope to provide a better level of security that can
overcome the problems that a JS implementation has to face.
mySanitizer = new Sanitizer(/* some options */);
// returns DocumentFragment [ <p>hello!</p> ]
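Added example (not from the post above, and not part of the proposed API): a concrete illustration of the DOM clobbering problem the post describes for JavaScript sanitizers, with the defensive pattern a library has to use. In a browser, for markup like <form id="f"><input name="attributes"></form>, reading f.attributes yields the <input> element rather than the NamedNodeMap, because a form's named children override its built-in properties; a sanitizer that loops over el.attributes then walks attacker-chosen data. The robust alternative is to locate the accessor on the prototype chain (Element.prototype.attributes in a real browser) and invoke it directly. Because this file has to run without a DOM, makeClobberedForm() is a constructed stand-in that models that shape (real getter on the prototype, clobbered name as an own property); prototypeGetter, naiveGet, makeClobberedForm and demo are names chosen here, not anything from the proposal.

```javascript
"use strict";

// Walk the prototype chain for the accessor named `prop` and invoke it on
// `obj`, ignoring any own property of `obj` (which is where a clobbered
// named child such as <input name="attributes"> shows up).
function prototypeGetter(obj, prop) {
  let proto = Object.getPrototypeOf(obj);
  while (proto !== null) {
    const desc = Object.getOwnPropertyDescriptor(proto, prop);
    if (desc) {
      if (typeof desc.get !== "function") {
        throw new TypeError(`${prop} is not an accessor on the prototype chain`);
      }
      return desc.get.call(obj);
    }
    proto = Object.getPrototypeOf(proto);
  }
  throw new TypeError(`no accessor named ${prop} found`);
}

// Plain property access, as a sanitizer written without clobbering in mind
// would do it: `el.attributes`, `el.nodeName`, and so on.
function naiveGet(obj, prop) {
  return obj[prop];
}

// Constructed stand-in (hypothetical, so the file runs in Node without a DOM)
// for a clobbered form. It mirrors the WebIDL situation: the genuine getter
// lives on the prototype (like Element.prototype.attributes), while the
// attacker-supplied name appears as an own property of the instance (like
// form["attributes"] for <form><input name="attributes"></form>).
function makeClobberedForm() {
  const proto = {};
  Object.defineProperty(proto, "attributes", {
    get() { return this._realAttributes; },
    configurable: true,
  });
  const form = Object.create(proto);
  form._realAttributes = [{ name: "id", value: "f" }]; // the real attribute list
  Object.defineProperty(form, "attributes", {
    value: { tagName: "INPUT", name: "attributes" }, // the clobbering child
    enumerable: true,
    configurable: true,
  });
  return form;
}

// Compare what each access strategy sees on the clobbered element.
function demo() {
  const form = makeClobberedForm();
  const naive = naiveGet(form, "attributes");
  const safe = prototypeGetter(form, "attributes");
  return {
    naiveIsClobbered: naive.tagName === "INPUT",
    safeAttributeNames: safe.map((a) => a.name),
  };
}

// In a real page the same call is
//   prototypeGetter(document.getElementById("f"), "attributes")
// and the accessor found is the one on Element.prototype.

if (typeof module !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The same prototype-getter trick is needed for every DOM property a sanitizer reads (nodeName, childNodes, getAttribute and so on), which is exactly the "walking an attacker-controlled DOM tree is extremely challenging" point: a native implementation sees the real node data and never has to reason about which names the markup may have shadowed.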