5ee582f557f49af84b6bb374.md
| title | date | submitter | number | tags | discussion |
| --- | --- | --- | --- | --- | --- |
| I want to feel safe displaying user-generated HTML | 2020-06-14 01:52:53 UTC | JJ Behrens | 5ee582f557f49af84b6bb374 | html, javascript, forms | |

Many web applications allow untrusted users to upload HTML, often through a rich text editor, and then display that HTML to other users. Email applications like Gmail work this way. However, displaying user-generated HTML is challenging from a security point of view. Sometimes you can sanitize it on the server. Sometimes you can sanitize it on the client using something like DOMPurify. No matter where you do it, it's a hard problem.

It'd be great if browsers could do this for us since they know how to do it best.