LGTM2 On Monday, December 15, 2025 at 9:18:01 PM UTC+1 Yoav Weiss wrote:
> On Mon, Dec 15, 2025 at 6:25 PM Chris Harrelson <[email protected]> > wrote: > >> LGTM1 >> >> On Mon, Dec 15, 2025 at 6:40 AM Chromestatus < >> [email protected]> wrote: >> >>> *Contact emails* >>> [email protected] >>> >>> *Explainer* >>> https://github.com/WICG/sanitizer-api/blob/main/explainer.md >> >> > I think it can be useful to add a section to the explainer to outline the > differences and relationship to Trusted Types. > > >> >>> >>> *Specification* >>> https://wicg.github.io/sanitizer-api >>> >>> *Summary* >>> The Sanitizer API offers an easy to use and safe by default HTML >>> Sanitizer API, which developers can use to remove content that may execute >>> script from arbitrary, user-supplied HTML content. The goal is to make it >>> easier to build XSS-free web applications. This follows previous attempts >>> at establishing a Sanitizer API ( >>> https://chromestatus.com/feature/5786893650231296), which we unshipped >>> again (https://chromestatus.com/feature/5115076981293056). The >>> specification has meanwhile progressed and now has widespread support. >>> >>> *Blink component* >>> Blink>SecurityFeature>SanitizerAPI >>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ESanitizerAPI%22> >>> >>> *Web Feature ID* >>> SanitizerAPI <https://webstatus.dev/features/SanitizerAPI> >>> >>> *Motivation* >>> User input sanitization is a necessary and common activity of many web >>> applications, but it's difficult to get right. As a component of the web >>> platform it's easier to harden the sanitizer implementation and keep it >>> up-to-date. Offering a high-quality sanitizer with good defaults (without >>> blocking developers from using their own, if they choose) would improve >>> security, and make it more accessible. >>> >>> *Initial public proposal* >>> https://wicg.github.io/sanitizer-api/ >>> >>> *TAG review* >>> https://github.com/w3ctag/design-reviews/issues/619 >>> >>> *TAG review status* >>> Issues addressed >>> >>> *Risks* >>> >>> >>> *Interoperability and Compatibility* >>> *No information provided* >>> >>> *Gecko*: Positive ( >>> https://github.com/mozilla/standards-positions/issues/106) Sanitizer >>> API is enabled in Firefox nightly: >>> https://www.firefox.com/en-US/firefox/148.0a1/releasenotes/ >>> >>> *WebKit*: Support ( >>> https://github.com/WebKit/standards-positions/issues/86) >>> >>> *Web developers*: No signals >>> >>> *Other signals*: HTML: stage 2. ( >>> https://github.com/whatwg/html/issues/7197) TAG, early design review: >>> https://github.com/w3ctag/design-reviews/issues/619 >>> >>> *Security* >>> https://wicg.github.io/sanitizer-api/#security-considerations >>> >>> *WebView application risks* >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> *No information provided* >>> >>> >>> *Debuggability* >>> These APIs are readily accessible and testable using DevTools. >>> >>> *Will this feature be supported on all six Blink platforms (Windows, >>> Mac, Linux, ChromeOS, Android, and Android WebView)?* >>> Yes >>> >>> *Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >>> Yes >>> >>> https://wpt.fyi/results/sanitizer-api?label=experimental&label=master&aligned >>> >>> *Flag name on about://flags* >>> *No information provided* >>> >>> *Finch feature name* >>> SanitizerAPI >>> >>> *Rollout plan* >>> Will ship enabled for all users >>> >>> *Requires code in //chrome?* >>> False >>> >>> *Tracking bug* >>> https://issues.chromium.org/issues/40138584 >>> >>> *Estimated milestones* >>> Shipping on desktop 145 >>> Shipping on Android 145 >>> Shipping on WebView 145 >>> >>> *Anticipated spec changes* >>> >>> Open questions about a feature may be a source of future web compat or >>> interop issues. Please list open issues (e.g. links to known github issues >>> in the project for the feature specification) whose resolution may >>> introduce web compat/interop risk (e.g., changing to naming or structure of >>> the API in a non-backward-compatible way). >>> We expect to "upstream" the current WICG specification to become part of >>> HTML proper. See: https://github.com/whatwg/html/issues/7197 >>> >>> *Link to entry on the Chrome Platform Status* >>> https://chromestatus.com/feature/5814067399491584?gate=5398359461068800 >>> >>> *Links to previous Intent discussions* >>> Intent to Prototype: >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPP0LBdNCieNydc6dfObByS2kCg1B2yvd6eZJHGTkW%2Bd-w%40mail.gmail.com >>> >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com>. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69401de1.050a0220.2e69e1.0456.GAE%40google.com >>> >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69401de1.050a0220.2e69e1.0456.GAE%40google.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> > To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9SsSs_2OOr5c8Q7--Yef%2BM1V0e0%2BUDOC_zaRgsrJnzBQ%40mail.gmail.com >> >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9SsSs_2OOr5c8Q7--Yef%2BM1V0e0%2BUDOC_zaRgsrJnzBQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/85900777-6a46-478b-92b5-9645df8b8c92n%40chromium.org.
