[webkit-dev] Request for Position on Sanitizer API

[Ryosuke Niwa]

On Mon, Mar 15, 2021 at 7:32 AM Daniel Vogelheim via webkit-dev
<webkit-dev at lists.webkit.org> wrote:
>
> I'd like to request a position statement on the proposed Sanitizer API.
>
> The Sanitizer API wants to build an HTML Sanitizer right into the web platform. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: Making a sanitizer more easily accessible to web developers; be easy to use and safe by default; and shift part of the maintenance burden to the platform.
>
> Currently available are an explainer and an early spec draft, and early prototype implementations in Chromium & Firefox, behind flags.

I'm gathering more feedback internally at Apple but here's immediate
feedback I can give you: even if this was an useful API for web
developers, we won't use it to sanitize the content from / to the
system pasteboard (a.k.a clipboard on Windows) since we rely on style
& rendering information and apply various transformations such as
inlining all the style rules for that purpose. Secondly, we probably
won't reuse this code for sanitizing contents inside our engine since
using hash maps of element names and attribute names per element to
allow or block markup would be simply too inefficient. Reusing
concepts defined in this specification as a mechanism involved by
other specifications seems okay provided we agree that this API / spec
is an overall good idea based on more broader discussion.

- R. Niwa