LGTM3

On Wednesday, December 17, 2025 at 8:24:44 AM UTC-8 Yoav Weiss wrote:

> LGTM2
>
> On Monday, December 15, 2025 at 9:18:01 PM UTC+1 Yoav Weiss wrote:
>
>> On Mon, Dec 15, 2025 at 6:25 PM Chris Harrelson <[email protected]> wrote:
>>
>>> LGTM1
>>>
>>> On Mon, Dec 15, 2025 at 6:40 AM Chromestatus <[email protected]> wrote:
>>>
>>>> *Contact emails*
>>>> [email protected]
>>>>
>>>> *Explainer*
>>>> https://github.com/WICG/sanitizer-api/blob/main/explainer.md
>>
>> I think it can be useful to add a section to the explainer to outline the
>> differences and relationship to Trusted Types.
>>
>>>> *Specification*
>>>> https://wicg.github.io/sanitizer-api
>>>>
>>>> *Summary*
>>>> The Sanitizer API offers an easy to use and safe by default HTML
>>>> Sanitizer API, which developers can use to remove content that may
>>>> execute script from arbitrary, user-supplied HTML content. The goal is
>>>> to make it easier to build XSS-free web applications. This follows
>>>> previous attempts at establishing a Sanitizer API
>>>> (https://chromestatus.com/feature/5786893650231296), which we unshipped
>>>> again (https://chromestatus.com/feature/5115076981293056). The
>>>> specification has meanwhile progressed and now has widespread support.
>>>>
>>>> *Blink component*
>>>> Blink>SecurityFeature>SanitizerAPI
>>>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ESanitizerAPI%22>
>>>>
>>>> *Web Feature ID*
>>>> SanitizerAPI <https://webstatus.dev/features/SanitizerAPI>
>>>>
>>>> *Motivation*
>>>> User input sanitization is a necessary and common activity of many web
>>>> applications, but it's difficult to get right. As a component of the
>>>> web platform it's easier to harden the sanitizer implementation and
>>>> keep it up-to-date. Offering a high-quality sanitizer with good
>>>> defaults (without blocking developers from using their own, if they
>>>> choose) would improve security, and make it more accessible.
>>>>
>>>> *Initial public proposal*
>>>> https://wicg.github.io/sanitizer-api/
>>>>
>>>> *TAG review*
>>>> https://github.com/w3ctag/design-reviews/issues/619
>>>>
>>>> *TAG review status*
>>>> Issues addressed
>>>>
>>>> *Risks*
>>>>
>>>> *Interoperability and Compatibility*
>>>> *No information provided*
>>>>
>>>> *Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/106).
>>>> Sanitizer API is enabled in Firefox nightly:
>>>> https://www.firefox.com/en-US/firefox/148.0a1/releasenotes/
>>>>
>>>> *WebKit*: Support (https://github.com/WebKit/standards-positions/issues/86)
>>>>
>>>> *Web developers*: No signals
>>>>
>>>> *Other signals*: HTML: stage 2 (https://github.com/whatwg/html/issues/7197).
>>>> TAG, early design review: https://github.com/w3ctag/design-reviews/issues/619
>>>>
>>>> *Security*
>>>> https://wicg.github.io/sanitizer-api/#security-considerations
>>>>
>>>> *WebView application risks*
>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>> that it has potentially high risk for Android WebView-based
>>>> applications?
>>>> *No information provided*
>>>>
>>>> *Debuggability*
>>>> These APIs are readily accessible and testable using DevTools.
>>>>
>>>> *Will this feature be supported on all six Blink platforms (Windows,
>>>> Mac, Linux, ChromeOS, Android, and Android WebView)?*
>>>> Yes
>>>>
>>>> *Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
>>>> Yes
>>>>
>>>> https://wpt.fyi/results/sanitizer-api?label=experimental&label=master&aligned
>>>>
>>>> *Flag name on about://flags*
>>>> *No information provided*
>>>>
>>>> *Finch feature name*
>>>> SanitizerAPI
>>>>
>>>> *Rollout plan*
>>>> Will ship enabled for all users
>>>>
>>>> *Requires code in //chrome?*
>>>> False
>>>>
>>>> *Tracking bug*
>>>> https://issues.chromium.org/issues/40138584
>>>>
>>>> *Estimated milestones*
>>>> Shipping on desktop 145
>>>> Shipping on Android 145
>>>> Shipping on WebView 145
>>>>
>>>> *Anticipated spec changes*
>>>> Open questions about a feature may be a source of future web compat or
>>>> interop issues. Please list open issues (e.g. links to known github
>>>> issues in the project for the feature specification) whose resolution
>>>> may introduce web compat/interop risk (e.g., changing to naming or
>>>> structure of the API in a non-backward-compatible way).
>>>> We expect to "upstream" the current WICG specification to become part
>>>> of HTML proper. See: https://github.com/whatwg/html/issues/7197
>>>>
>>>> *Link to entry on the Chrome Platform Status*
>>>> https://chromestatus.com/feature/5814067399491584?gate=5398359461068800
>>>>
>>>> *Links to previous Intent discussions*
>>>> Intent to Prototype:
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPP0LBdNCieNydc6dfObByS2kCg1B2yvd6eZJHGTkW%2Bd-w%40mail.gmail.com
>>>>
>>>> This intent message was generated by Chrome Platform Status
>>>> <https://chromestatus.com>.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion visit
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69401de1.050a0220.2e69e1.0456.GAE%40google.com
>>>
>>> To view this discussion visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9SsSs_2OOr5c8Q7--Yef%2BM1V0e0%2BUDOC_zaRgsrJnzBQ%40mail.gmail.com

To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e7d7c9e2-74dd-491a-8ca6-4b0f38352d0an%40chromium.org
