The Sanitizer API offers an easy to use and safe by default HTML Sanitizer API, which developers can use to remove content that may execute script from arbitrary, user-supplied HTML content. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: Making a sanitizer more easily accessible to web developers; be easy to use and safe by default; and shift part of the maintenance burden to the platform

Motivation

User input sanitization is a necessary and common activity of many web applications, but it's difficult to get right. As a component of the web platform it's easier to harden the sanitizer implementation and keep it up-to-date. Offering a high-quality sanitizer with good defaults (without blocking developers from using their own, if they choose) would improve security, and make it more accessible.

Specification

Specification link

Status: Unknown standards status - check spec link for status

Status in Chromium

Blink components: Blink>SecurityFeature

Implementation status: In development (tracking bug)

Consensus & Standardization

• Firefox: In development
• Safari: No signal
• Web Developers: No signals

Owners

• vogelheim@chromium.org
• mkwst@chromium.org
• lyf@chromium.org

Last updated on 2021-11-26