The Sanitizer API offers an easy to use and safe by default HTML Sanitizer API, which developers can use to remove content that may execute script from arbitrary, user-supplied HTML content. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: Making a sanitizer more easily accessible to web developers; be easy to use and safe by default; and shift part of the maintenance burden to the platform

Motivation

User input sanitization is a necessary and common activity of many web applications, but it's difficult to get right. As a component of the web platform it's easier to harden the sanitizer implementation and keep it up-to-date. Offering a high-quality sanitizer with good defaults (without blocking developers from using their own, if they choose) would improve security, and make it more accessible.

Specification

Editor's draft

Status in Chromium

Blink components: Blink>SecurityFeature

In development (tracking bug)

Consensus & Standardization

• Firefox: In development
• Edge: No signal
• Safari: No signal
• Web Developers: No signals

Owners

• vogelheim@chromium.org
• mkwst@chromium.org
• lyf@chromium.org

Last updated on 2021-07-16