On Mon, Dec 15, 2025 at 6:25 PM Chris Harrelson <[email protected]>
wrote:

> LGTM1
>
> On Mon, Dec 15, 2025 at 6:40 AM Chromestatus <
> [email protected]> wrote:
>
>> *Contact emails*
>> [email protected]
>>
>> *Explainer*
>> https://github.com/WICG/sanitizer-api/blob/main/explainer.md
>
>
I think it can be useful to add a section to the explainer to outline the
differences and relationship to Trusted Types.


>
>>
>> *Specification*
>> https://wicg.github.io/sanitizer-api
>>
>> *Summary*
>> The Sanitizer API offers an easy to use and safe by default HTML
>> Sanitizer API, which developers can use to remove content that may execute
>> script from arbitrary, user-supplied HTML content. The goal is to make it
>> easier to build XSS-free web applications. This follows previous attempts
>> at establishing a Sanitizer API (
>> https://chromestatus.com/feature/5786893650231296), which we unshipped
>> again (https://chromestatus.com/feature/5115076981293056). The
>> specification has meanwhile progressed and now has widespread support.
>>
>> *Blink component*
>> Blink>SecurityFeature>SanitizerAPI
>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ESanitizerAPI%22>
>>
>> *Web Feature ID*
>> SanitizerAPI <https://webstatus.dev/features/SanitizerAPI>
>>
>> *Motivation*
>> User input sanitization is a necessary and common activity of many web
>> applications, but it's difficult to get right. As a component of the web
>> platform it's easier to harden the sanitizer implementation and keep it
>> up-to-date. Offering a high-quality sanitizer with good defaults (without
>> blocking developers from using their own, if they choose) would improve
>> security, and make it more accessible.
>>
>> *Initial public proposal*
>> https://wicg.github.io/sanitizer-api/
>>
>> *TAG review*
>> https://github.com/w3ctag/design-reviews/issues/619
>>
>> *TAG review status*
>> Issues addressed
>>
>> *Risks*
>>
>>
>> *Interoperability and Compatibility*
>> *No information provided*
>>
>> *Gecko*: Positive (
>> https://github.com/mozilla/standards-positions/issues/106) Sanitizer API
>> is enabled in Firefox nightly:
>> https://www.firefox.com/en-US/firefox/148.0a1/releasenotes/
>>
>> *WebKit*: Support (
>> https://github.com/WebKit/standards-positions/issues/86)
>>
>> *Web developers*: No signals
>>
>> *Other signals*: HTML: stage 2. (
>> https://github.com/whatwg/html/issues/7197) TAG, early design review:
>> https://github.com/w3ctag/design-reviews/issues/619
>>
>> *Security*
>> https://wicg.github.io/sanitizer-api/#security-considerations
>>
>> *WebView application risks*
>>
>> Does this intent deprecate or change behavior of existing APIs, such that
>> it has potentially high risk for Android WebView-based applications?
>> *No information provided*
>>
>>
>> *Debuggability*
>> These APIs are readily accessible and testable using DevTools.
>>
>> *Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, ChromeOS, Android, and Android WebView)?*
>> Yes
>>
>> *Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
>> Yes
>>
>> https://wpt.fyi/results/sanitizer-api?label=experimental&label=master&aligned
>>
>> *Flag name on about://flags*
>> *No information provided*
>>
>> *Finch feature name*
>> SanitizerAPI
>>
>> *Rollout plan*
>> Will ship enabled for all users
>>
>> *Requires code in //chrome?*
>> False
>>
>> *Tracking bug*
>> https://issues.chromium.org/issues/40138584
>>
>> *Estimated milestones*
>> Shipping on desktop 145
>> Shipping on Android 145
>> Shipping on WebView 145
>>
>> *Anticipated spec changes*
>>
>> Open questions about a feature may be a source of future web compat or
>> interop issues. Please list open issues (e.g. links to known github issues
>> in the project for the feature specification) whose resolution may
>> introduce web compat/interop risk (e.g., changing to naming or structure of
>> the API in a non-backward-compatible way).
>> We expect to "upstream" the current WICG specification to become part of
>> HTML proper. See: https://github.com/whatwg/html/issues/7197
>>
>> *Link to entry on the Chrome Platform Status*
>> https://chromestatus.com/feature/5814067399491584?gate=5398359461068800
>>
>> *Links to previous Intent discussions*
>> Intent to Prototype:
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPP0LBdNCieNydc6dfObByS2kCg1B2yvd6eZJHGTkW%2Bd-w%40mail.gmail.com
>>
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69401de1.050a0220.2e69e1.0456.GAE%40google.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69401de1.050a0220.2e69e1.0456.GAE%40google.com?utm_medium=email&utm_source=footer>
>> .
>>

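The Summary above describes the API at a high level; the following is an added example (not code from the intent, the WICG explainer, or Chromium) showing how a page would use it to render user-supplied HTML safely. It assumes the spec's `Sanitizer` constructor, `Element.setHTML()` and `Document.parseHTML()` as shipped in the milestones listed, and the `elements`/`attributes` keys of the spec's `SanitizerConfig`; the sample markup and the `COMMENT_CONFIG` allow-list are constructed for illustration. It also shows the relationship to Trusted Types that the reply asks the explainer to spell out: `setHTML()` is the safe entry point and takes a plain string because it sanitizes before insertion, while `innerHTML` and `setHTMLUnsafe()` remain the enforced injection sinks.

```javascript
// Added example (not from the intent, the explainer, or Chromium): rendering
// user-supplied HTML with the Sanitizer API, with a feature-detected fallback.
// All sample markup below is constructed for illustration.

// Constructed untrusted input: benign formatting plus two shapes of content
// the sanitizer must strip (an event-handler attribute and a script element).
const UNTRUSTED_HTML =
  '<p>Hi <b>there</b></p>' +
  '<img src="x" onerror="alert(1)">' +
  '<script>alert(2)</script>';

// Allow-list configuration (assumed shape: the `elements`/`attributes` keys
// of the spec's SanitizerConfig). Only these elements survive and no
// attributes are kept. setHTML() additionally applies its built-in "safe"
// baseline on top of any config, so script-executing content is dropped
// regardless of what the list says.
const COMMENT_CONFIG = {
  elements: ['p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'br'],
  attributes: [],
};

// True when both the Sanitizer constructor and Element.setHTML are present.
function supportsSanitizerAPI(el) {
  return typeof globalThis.Sanitizer === 'function' &&
         el !== null && typeof el.setHTML === 'function';
}

// Render untrusted HTML into `el`. Returns which path was taken so callers
// (and tests) can see whether sanitized markup or plain text was used.
function renderUntrusted(el, html, config = COMMENT_CONFIG) {
  if (supportsSanitizerAPI(el)) {
    // The safe method: accepts a plain string even under a Trusted Types
    // policy, because the string is sanitized before it reaches the DOM.
    el.setHTML(html, { sanitizer: new globalThis.Sanitizer(config) });
    return 'sanitized';
  }
  // Fallback when the API is absent: render as text, never as markup.
  // Do not fall back to innerHTML or setHTMLUnsafe here; those are the
  // unsanitized sinks the API exists to replace.
  el.textContent = html;
  return 'text';
}

// Parse untrusted HTML into a detached Document (e.g. to extract text or
// count elements) without attaching it to the page. Returns null when
// Document.parseHTML or Sanitizer is unavailable.
function parseUntrusted(html, config = COMMENT_CONFIG) {
  if (typeof globalThis.Document !== 'function' ||
      typeof globalThis.Document.parseHTML !== 'function' ||
      typeof globalThis.Sanitizer !== 'function') {
    return null;
  }
  return globalThis.Document.parseHTML(html, {
    sanitizer: new globalThis.Sanitizer(config),
  });
}

// Browser-only demo; skipped outside a DOM environment. In a supporting
// browser only the allow-listed elements remain in `box`.
if (typeof document !== 'undefined') {
  const box = document.createElement('div');
  const path = renderUntrusted(box, UNTRUSTED_HTML);
  console.log(path, box.innerHTML);
}
```

The return value of `renderUntrusted()` is deliberate: during rollout it lets telemetry or tests confirm that the sanitized path was actually taken rather than the text fallback, which is the kind of check DevTools-level debuggability in the intent makes easy to spot.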