As of Firefox 148, we intend to turn on the HTML Sanitizer API.

Summary:
Right now, sanitizing a piece of HTML into something harmless requires a third-party library. The HTML Sanitizer API provides functionality that allows inserting potentially malicious HTML into a document while preventing XSS and a wide range of other attacks, with configurability if needed. The main APIs are the Sanitizer constructor, which stores the configuration, and the Element.setHTML() and Document.parseHTML() functions. The API has already been enabled in Nightly for a few cycles.

Bugs:
- Meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1650370

Specification:
The specification has been in active development with positive engagement from engineers across all three browser engines involved. The spec is tracked as a stage 2 proposal for upstreaming into the WHATWG HTML standard <https://github.com/whatwg/html/issues/7197>; the current text is at https://wicg.github.io/sanitizer-api/.

Standards Body: WHATWG & WICG

Platform coverage: Desktop and Android

Preference: dom.security.sanitizer.enabled

DevTools bug: N/A. We have built logging for typical errors as part of the implementation.

Link to standards-positions discussion: https://github.com/mozilla/standards-positions/issues/106 (positive)

Other browsers:
- Blink: Shipping in 145, cf. https://groups.google.com/a/chromium.org/g/blink-dev/c/iu3VwMotMBc/m/2-LB7pDXAQAJ
- WebKit: Positive position. https://github.com/WebKit/standards-positions/issues/86

web-platform-tests: A wide range of tests exist and we pass all but one, aligning us closely with the implementation in Blink.

Please let us know if you have any questions or concerns.

Tom Schuster
Frederik Braun
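The following is an added example, not code from the intent-to-ship post, from Firefox, or from the spec editors. It shows the three pieces the post names in use: a Sanitizer object holding an allowlist configuration, Element.setHTML() for inserting untrusted markup into a live element, and Document.parseHTML() for parsing it into a detached document. It assumes the SanitizerConfig keys `elements` and `attributes` and the `{ sanitizer }` options bag follow the current WICG draft; the helper names (`hasSanitizerApi`, `renderUntrusted`, `parseUntrusted`, `COMMENT_CONFIG`) and the sample comment are this example's own.

```javascript
// Added example, not code from the intent-to-ship email, Firefox, or the spec.
// Assumptions: SanitizerConfig uses `elements`/`attributes` allowlists and
// setHTML()/parseHTML() take a `{ sanitizer }` options bag (current WICG draft).
// Helper names below are this example's own.

// Allowlist for rendering user comments: only these elements and attributes
// survive. Anything not listed (script, iframe, event-handler attributes, ...)
// is dropped by the API rather than inserted into the document.
const COMMENT_CONFIG = {
  elements: ["p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code"],
  attributes: ["href", "title"],
};

// Constructed sample input standing in for a stored user comment.
const SAMPLE_COMMENT =
  '<p>Nice write-up, <b>thanks</b>!</p><script>alert(1)</script>';

// Feature detection. `scope` defaults to the real global object; tests pass a fake.
function hasSanitizerApi(scope = globalThis) {
  return (
    typeof scope.Sanitizer === "function" &&
    typeof scope.Element === "function" &&
    typeof scope.Element.prototype.setHTML === "function"
  );
}

// Insert untrusted HTML into `target` through Element.setHTML().
// Fails closed: if the API is missing, throw rather than fall back to
// innerHTML, which would insert the markup unsanitized.
function renderUntrusted(target, untrustedHtml, scope = globalThis) {
  if (!hasSanitizerApi(scope)) {
    throw new Error("HTML Sanitizer API unavailable; refusing to render untrusted HTML");
  }
  const sanitizer = new scope.Sanitizer(COMMENT_CONFIG);
  target.setHTML(untrustedHtml, { sanitizer });
  return target;
}

// Parse untrusted HTML into a detached Document through the static
// Document.parseHTML(), e.g. to inspect it before deciding whether to show it.
function parseUntrusted(untrustedHtml, scope = globalThis) {
  if (!hasSanitizerApi(scope) || typeof scope.Document?.parseHTML !== "function") {
    throw new Error("Document.parseHTML unavailable; refusing to parse untrusted HTML");
  }
  const sanitizer = new scope.Sanitizer(COMMENT_CONFIG);
  return scope.Document.parseHTML(untrustedHtml, { sanitizer });
}

// Browser usage (only runs where the API exists, e.g. Firefox with
// dom.security.sanitizer.enabled): render the sample comment into a container.
// The <script> element is not on the allowlist, so it never reaches the DOM.
if (hasSanitizerApi() && typeof document !== "undefined") {
  const box = document.createElement("div");
  renderUntrusted(box, SAMPLE_COMMENT);
  document.body.append(box);
}
```

The `scope` parameter exists so the wrappers can be exercised against a stub DOM outside a browser; in page code the default `globalThis` is used. The design point is the fail-closed branch: a feature check that silently falls back to `innerHTML` would turn an unsupported browser into an XSS sink, so the wrappers throw instead.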