This implements the Sanitizer API.
A basic version of the Sanitizer API - chiefly the Element.setHTML method - is available.
The full Sanitizer API is currently behind a flag:
We are actively looking for feedback on the API. If you find problems or have suggestions for how the API should change, please read the available issues at https://github.com/WICG/sanitizer-api/issues and raise a new issue if your suggestion isn't already covered.
As this is a cross-browser effort, suggestions concerning the API should go to the standardisation group. Issues with Chromium's implementation should go to https://bugs.chromium.org and use the Blink > SecurityFeatures > SanitizerAPI component.
The Sanitizer API is scheduled to be launched in stages. The API availability can be controlled via flags:
--enable-blink-features=SanitizerAPIv0: This includes the basic Sanitizer API with configuration and the Element.setHTML method, but not the .sanitizeFor or .sanitize methods. This flag is on by default.
--enable-blink-features=SanitizerAPI: This includes SanitizerAPIv0 plus the sanitization methods of the Sanitizer object, as specified as of 04/2022. These APIs are likely to change.
The general --enable-experimental-web-platform-features flag implies the full --enable-blink-features=SanitizerAPI feature set.
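Because the API ships in stages and the flag-gated methods are expected to change, page code that calls Element.setHTML should feature-detect it and fall back to something that never parses untrusted markup. The following is an added example and not code from the Chromium README or the Sanitizer API project. It assumes the 04/2022 call shapes new Sanitizer(config) and element.setHTML(input, { sanitizer }); the allow-list, the function name renderUntrustedHTML and the injectable scope parameter are constructed for the example.

```javascript
// Added example (not part of the Chromium README): feature-detect the
// Sanitizer API and fall back safely when it is unavailable, e.g. when the
// SanitizerAPIv0 flag is off or the browser predates the feature.
//
// Assumptions: `new Sanitizer(config)` and `element.setHTML(html, { sanitizer })`
// follow the 04/2022 draft. COMMENT_CONFIG is a constructed sample allow-list.

// Constructed allow-list for a comment-rendering widget: only a few inline
// elements and the href attribute on <a> survive; everything else is removed
// by the sanitizer before it reaches the DOM.
const COMMENT_CONFIG = {
  allowElements: ["b", "i", "em", "strong", "a", "p", "br"],
  allowAttributes: { href: ["a"] },
};

// Renders untrusted markup into `target`.
// Returns "sanitizer" when Element.setHTML was used and "text" when the
// code fell back to textContent. Neither branch touches innerHTML, which
// would parse the untrusted string unfiltered.
// `scope` is where the Sanitizer constructor is looked up (globalThis in a
// browser); it is a parameter only so the behaviour can be exercised
// outside a browser.
function renderUntrustedHTML(target, untrusted, config = COMMENT_CONFIG, scope = globalThis) {
  const hasSanitizer = typeof scope.Sanitizer === "function";
  if (hasSanitizer && typeof target.setHTML === "function") {
    const sanitizer = new scope.Sanitizer(config);
    target.setHTML(untrusted, { sanitizer });
    return "sanitizer";
  }
  // Safe fallback: show the input literally as text rather than rendering
  // unsanitized markup. Degrades the feature, not the security posture.
  target.textContent = untrusted;
  return "text";
}
```

In a browser, `renderUntrustedHTML(document.getElementById("comment"), userInput)` is the whole call; the `scope` argument is left at its default.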
The current implementation matches the specification as of 04/2022 and will be updated as the specification develops. Known omissions relative to the current spec are:
Tests:
third_party/blink/web_tests/external/wpt/sanitizer-api/ and third_party/blink/web_tests/wpt_internal/sanitizer-api/
third_party/blink/perf_tests/sanitizer-api/
third_party/blink/renderer/modules/sanitizer_api/sanitizer_api_fuzzer.h