tree: 4bde6d6f8cb7177c470034139ee9531a1e8d47b4

Directory contents of third_party/blink/renderer/modules/sanitizer_api/:

  builtins/
  corpus/
  BUILD.gn
  build_corpus.py
  builtins.cc
  builtins.h
  config_util.cc
  config_util.h
  DEPS
  DIR_METADATA
  element_sanitizer.cc
  element_sanitizer.h
  element_sanitizer.idl
  OWNERS
  README.md
  sanitizer.cc
  sanitizer.h
  sanitizer.idl
  sanitizer_api.dict
  sanitizer_api_fuzzer.cc
  sanitizer_config.idl
  sanitizer_config.proto
  sanitizer_config_impl.h
third_party/blink/renderer/modules/sanitizer_api/README.md

Sanitizer API

This implements the Sanitizer API.

Status

A basic version of the Sanitizer API - chiefly the Element.setHTML method - is available.

The full Sanitizer API is currently behind a flag (see "Staged / Incremental Rollout" below).

We are actively looking for feedback on the API. If you find problems or have suggestions for how the API should change, please read the available issues at https://github.com/WICG/sanitizer-api/issues and raise a new issue if your suggestion isn't already covered.

As this is a cross-browser effort, suggestions concerning the API should go to the standardisation group. Issues with Chromium's implementation should go to https://bugs.chromium.org and use the Blink > SecurityFeatures > SanitizerAPI component.

Staged / Incremental Rollout

The Sanitizer API is scheduled to be launched in stages. The API availability can be controlled via flags:

  • --enable-blink-features=SanitizerAPIv0: This includes the basic Sanitizer API with configuration and the Element.setHTML method, but not the .sanitizeFor or .sanitize methods. This flag is on by default.
  • --enable-blink-features=SanitizerAPI: This includes SanitizerAPIv0 plus the sanitization methods of the Sanitizer object, as specified as of 04/2022. These APIs are likely to change.

The general --enable-experimental-web-platform-features flag implies the full --enable-blink-features=SanitizerAPI feature set.
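The two rollout stages above are observable from page script: SanitizerAPIv0 exposes Element.prototype.setHTML but no Sanitizer sanitization methods, while the full SanitizerAPI stage adds them. The following is an added example (not code from the Chromium README or the sanitizer_api module) showing how a page can detect which stage it is running under and fall back to inert text insertion when the API is absent. The method names setHTML, sanitize and sanitizeFor and the `{ sanitizer }` options shape are taken from the 04/2022 draft the README refers to and are assumptions here, since the README itself says these APIs are likely to change.

```javascript
// Added example, not part of the Chromium README. Method names and the
// options shape follow the 04/2022 Sanitizer API draft and are assumptions.

// Classify the available surface into the README's rollout stages:
//   'none'            - no Element.setHTML at all
//   'SanitizerAPIv0'  - Element.setHTML only (default flag set)
//   'SanitizerAPI'    - setHTML plus Sanitizer.sanitize / sanitizeFor
// `g` defaults to globalThis so the same function runs in a browser or in a
// test harness that passes a constructed global object.
function sanitizerSupport(g = globalThis) {
  const elementProto = g.Element && g.Element.prototype;
  const hasSetHTML = !!elementProto && typeof elementProto.setHTML === 'function';

  const sanitizerProto = typeof g.Sanitizer === 'function' ? g.Sanitizer.prototype : null;
  const hasSanitize = !!sanitizerProto && typeof sanitizerProto.sanitize === 'function';
  const hasSanitizeFor = !!sanitizerProto && typeof sanitizerProto.sanitizeFor === 'function';

  let stage = 'none';
  if (hasSetHTML && (hasSanitize || hasSanitizeFor)) stage = 'SanitizerAPI';
  else if (hasSetHTML) stage = 'SanitizerAPIv0';

  return { stage, hasSetHTML, hasSanitize, hasSanitizeFor };
}

// Render untrusted markup into `target`. When the built-in sanitizer is
// available it is used (optionally with a caller-supplied Sanitizer config
// object); otherwise the input is inserted as text so it is never parsed as
// HTML. Returns which path was taken so callers can log or assert on it.
function renderUntrusted(target, untrustedHtml, sanitizer) {
  if (typeof target.setHTML === 'function') {
    if (sanitizer) {
      // Options shape { sanitizer } per the 04/2022 draft (assumed).
      target.setHTML(untrustedHtml, { sanitizer });
    } else {
      target.setHTML(untrustedHtml);
    }
    return 'setHTML';
  }
  target.textContent = untrustedHtml;
  return 'textContent';
}
```

In a Chromium build with the default flags described above, `sanitizerSupport().stage` should report `'SanitizerAPIv0'`, and `'SanitizerAPI'` once `--enable-blink-features=SanitizerAPI` (or `--enable-experimental-web-platform-features`) is set; in a non-browser runtime it reports `'none'` and `renderUntrusted` takes the text-only path.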

Known Issues

The current implementation matches the specification as of 04/2022 and will be updated as the specification develops. Known omissions relative to the current spec are:

  • Secure context: The current spec draft requires a secure context. This might change. Our implementation presently follows the draft.

Tests

  1. For WPT tests, please refer to third_party/blink/web_tests/external/wpt/sanitizer-api/ and third_party/blink/web_tests/wpt_internal/sanitizer-api/.
  2. For performance tests, please refer to third_party/blink/perf_tests/sanitizer-api/.
  3. For fuzzer tests, please refer to third_party/blink/renderer/modules/sanitizer_api/sanitizer_api_fuzzer.h.