Upstream sanitizer api #12395
@zcorpan @evilpie @mozfreddyb @otherdaniel
Amazing, thanks for working on this. The built-in safe default configuration is pretty integral to the API, where did it go? For anyone else looking at this, the gist of the changes is in dynamic-markup-insertion.html.
Oh you're right I had it on my todo list and forgot. Getting to it. Thanks!
Done. |
I thought as part of moving this into the HTML standard we'd also address the parser integration issue? |
This is a huge PR so I thought doing it in two stages, the first one being a purely technical upstream, would be easier to review? Open and happy to incorporate the stream-while-parsing changes in this PR if you and @zcorpan are ok to review that in one go.
I prefer doing the parser integration in a follow-up PR. |
I think these three PRs would be good to merge before merging into the HTML standard: |
Since some security sensitive changes rely on "sanitizing while parsing", and that in turn relies on the current post-processing sanitizer being upstreamed, I don't think we should delay upstreaming any further. Can we race it? If any of these go in before the upstream PR is in I'll incorporate them into the HTML PR.
data-x="dom-SanitizerProcessingInstruction-target">target</code> member.</p>
</div>

<div algorithm>
otherdaniel
left a comment
Thank you, and I'm super happy to see this happening!
I wonder if we can link to the "Security Considerations" section in the current spec; or have them in a supplementary document somewhere?
I've upstreamed them instead into a security consideration subsection
<li><p>Return <var>document</var>.</p></li>
</ol>
</div>

</div>

<!-- https://github.com/WICG/sanitizer-api/commit/c4e328037ab6cd9c753b12694f5dcfc14988dec5 -->

<h4>Safe HTML parsing methods</h4>
I don't think we should use "Safe". Just "HTML parsing methods" is fine. For the same reason we don't say "safe" in APIs.
Moved them together with the "unsafe" methods and explained the difference.
into an element's <code data-x="dom-Element-innerHTML">innerHTML</code> is fraught with risk, as
it can cause script execution in a number of unexpected ways.</p>

<p>Libraries like <cite>DOMPurify</cite> attempt to manage this problem by carefully parsing and
I think we should trim a bunch of this text. This is a standard, not a justification for the existence of this feature. We also can't assume familiarity with libraries so it's best to just not mention them.
Trimmed considerably
</li>
</ul>

<h4>Processing model</h4>
This section appears to define API. "Processing model" is generally reserved for something more abstract.
}</p></li>
</ul>

<h4 id="sanitizer-security-considerations">Security Considerations</h4>
A lot of the headings here don't appear to follow our title case convention.
I've refactored some of the sanitization constants to go into each element's definition instead of being in one huge table. I think that makes it less error prone when we add new elements in the future. If that's undesirable I'm happy to revert.
Convert the incubated spec in https://wicg.github.io/sanitizer-api/ to the HTML format and make it part of the HTML standard.
(See WHATWG Working Mode: Changes for more details.)