On Mon, Mar 15, 2021 at 7:32 AM Daniel Vogelheim via webkit-dev <webkit-dev@lists.webkit.org> wrote: > > I'd like to request a position statement on the proposed Sanitizer API. > > The Sanitizer API wants to build an HTML Sanitizer right into the web > platform. The goal is to make it easier to build XSS-free web applications. > The intended contributions of the Sanitizer API are: Making a sanitizer more > easily accessible to web developers; be easy to use and safe by default; and > shift part of the maintenance burden to the platform. > > Currently available are an explainer and an early spec draft, and early > prototype implementations in Chromium & Firefox, behind flags.
I'm gathering more feedback internally at Apple but here's immediate feedback I can give you: even if this was an useful API for web developers, we won't use it to sanitize the content from / to the system pasteboard (a.k.a clipboard on Windows) since we rely on style & rendering information and apply various transformations such as inlining all the style rules for that purpose. Secondly, we probably won't reuse this code for sanitizing contents inside our engine since using hash maps of element names and attribute names per element to allow or block markup would be simply too inefficient. Reusing concepts defined in this specification as a mechanism involved by other specifications seems okay provided we agree that this API / spec is an overall good idea based on more broader discussion. - R. Niwa _______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
