Upstream sanitizer api#12395
Conversation
noamr
force-pushed
the
zcorpan/upstream-sanitizer-api
branch
from
223a4d1 to
d2034e5
Compare
|
@zcorpan @evilpie @mozfreddyb @otherdaniel |
|
Amazing, thanks for working on this. The built-in safe default configuration is pretty integral to the API, where did I go? For anyone else looking at this, the gist of the changes are in dynamic-markup-insertion.html. |
Oh you're right I had it on my todo list and forgot. Getting to it. Thanks! |
Done. |
|
I thought as part of moving this into the HTML standard we'd also address the parser integration issue? |
This is a huge PR so I thought doing it in two stages, the first one being a purely technical upstream, would be easier to review? Open and happy to incorporate the stream-while-parsing changes in this PR if you and @zcorpan are ok to review that in one go. |
|
I prefer doing the parser integration in a follow-up PR. |
|
I think these three PRs would be good to merge before merging into the HTML standard: |
Since some security sensitive changes rely on "sanitizing while parsing", and that in turn relies on the current post-processing sanitizer being upstreamed, I don't think we should delay upstreaming any further. Can we race it? If any of these go in before the upstream PR is in I'll incorporate them into the HTML PR. |
| data-x="dom-SanitizerProcessingInstruction-target">target</code> member.</p> | ||
| </div> | ||
|
|
||
| <div algorithm> |
There was a problem hiding this comment.
Opened whatwg/infra#709 for now.
I'm not sure about the comparator thing - infra doesn't really say what it means that two items in a list are the same. Would it be enough to mention here whaht makes items of attributes/elements/... lists "equal"
otherdaniel
left a comment
otherdaniel
left a comment
There was a problem hiding this comment.
Thank you, and I'm super happy to see this happening!
I wonder if we can link to the "Security Considerations" section in the current spec; or have them in a supplementary document somewhere?
otherdaniel
left a comment
otherdaniel
left a comment
There was a problem hiding this comment.
Thank you, and I'm super happy to see this happening!
I wonder if we can link to the "Security Considerations" section in the current spec; or have them in a supplementary document somewhere?
noamr
force-pushed
the
zcorpan/upstream-sanitizer-api
branch
from
ea79a5b to
1e065df
Compare
I've upstreamed them instead into a security consideration subsection |
|
I've refactored some of the sanitization constants to go into each element's definition instead of being in one huge table. I think that makes it less error prone when we add new elements in the future. If that's undesirable I'm happy to revert. |
| data-x="dom-SanitizerProcessingInstruction-target">target</code> member.</p> | ||
| </div> | ||
|
|
||
| <div algorithm> |
noamr
force-pushed
the
zcorpan/upstream-sanitizer-api
branch
from
9df7ee0 to
f7467b9
Compare
5 participants
Convert the incubated spec in https://wicg.github.io/sanitizer-api/ to the HTML format and make it part of the HTML standard.
(See WHATWG Working Mode: Changes for more details.)
/canvas.html ( diff )
/comms.html ( diff )
/dom.html ( diff )
/dynamic-markup-insertion.html ( diff )
/edits.html ( diff )
/embedded-content-other.html ( diff )
/form-elements.html ( diff )
/forms.html ( diff )
/grouping-content.html ( diff )
/iframe-embed-object.html ( diff )
/image-maps.html ( diff )
/imagebitmap-and-animations.html ( diff )
/index.html ( diff )
/indices.html ( diff )
/infrastructure.html ( diff )
/interaction.html ( diff )
/interactive-elements.html ( diff )
/microdata.html ( diff )
/parsing.html ( diff )
/references.html ( diff )
/rendering.html ( diff )
/scripting.html ( diff )
/sections.html ( diff )
/semantics.html ( diff )
/system-state.html ( diff )
/tables.html ( diff )
/text-level-semantics.html ( diff )
/timers-and-user-prompts.html ( diff )
/web-messaging.html ( diff )
/webstorage.html ( diff )
/workers.html ( diff )