The Sanitizer API wants to build an HTML Sanitizer right into the web platform. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: Making a sanitizer more easily accessible to web developers; be easy to use and safe by default; and shift part of the maintenance burden to the platform

Motivation

User input sanitization is a necessary and common activity of many web applications, but it's difficult to get right. As a component of the web platform it's easier to harden the sanitizer implementation and keep it up-to-date. Offering a high-quality sanitizer with good defaults (without blocking developers from using their own, if they choose) would improve security, and make it more accessible.

Specification

Editor's draft

Status in Chromium

Blink components: Blink>SecurityFeature

In development (tracking bug)

Consensus & Standardization

• Firefox: In development
• Edge: No signal
• Safari: No signal
• Web Developers: No signals

Owners

• vogelheim@chromium.org
• mkwst@chromium.org
• lyf@chromium.org

Last updated on 2021-03-18