Comments (2)
HTML defines the parser APIs so moving this issue there. WICG/sanitizer-api#184 (comment) still seems the most reasonable to me (your option 2) although now we'd have to name these beforeHTMLUnsafe(), etc. It's quite a few additional methods, but adding methods doesn't have a significant cost. And it's often clearer to have several well-named methods than an overloaded one.
from html.
The legacy HTML fragment parser APIs don't support DSD and don't have Sanitizer API support. They also parse as HTML or XML depending on the "HTML document" bit on the document, and setHTML() and setHTMLUnsafe() always parse as HTML. (If we want XML variants in the future, we can add setXMLUnsafe() etc.) So possible axes are:
- position
- sanitize or not
- HTML/XML
I think option 1 is not a sufficient improvement to be worthwhile, it would still be a clunky API and it might be hard to add Sanitizer API in a consistent way.
Option 3 would make existing methods XSS sinks.
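To illustrate the three axes listed in the comment above (DSD support, sanitize or not, and the HTML/XML parser choice), here is an added example that is not part of the thread or of the HTML spec: a standalone page that runs the same constructed markup through innerHTML, setHTMLUnsafe() and, where available, setHTML(). It assumes a browser that implements setHTMLUnsafe(); setHTML() is feature-detected because support varies, and the markup and element names are constructed for the demo.

```html
<!doctype html>
<meta charset="utf-8">
<div id="host"></div>
<script>
  // Constructed input: a declarative shadow DOM (DSD) template plus an
  // element carrying an inline event handler attribute, which is what a
  // sanitizing entry point is expected to strip.
  const markup =
    '<template shadowrootmode="open"><p>in shadow</p></template>' +
    '<img src="x" onerror="void 0">';

  const host = document.getElementById('host');

  // Legacy fragment parser: DSD is not honoured, the <template> stays inert.
  host.innerHTML = markup;
  console.log('innerHTML: shadowRoot =', host.shadowRoot,
              '| template child =', host.querySelector('template') !== null);

  // setHTMLUnsafe(): always the HTML parser, DSD is honoured, nothing is
  // sanitized, so this is an XSS sink exactly like innerHTML.
  host.setHTMLUnsafe(markup);
  console.log('setHTMLUnsafe: shadowRoot =', host.shadowRoot,
              '| onerror kept =', host.querySelector('img').hasAttribute('onerror'));

  // setHTML(): the sanitizing variant; the default sanitizer configuration
  // is expected to drop event handler attributes.
  if (typeof host.setHTML === 'function') {
    host.setHTML(markup);
    const img = host.querySelector('img');
    console.log('setHTML: onerror kept =', img ? img.hasAttribute('onerror') : 'no img');
  }

  // HTML/XML axis: innerHTML picks the parser from the document's
  // "HTML document" bit, so on an XML document an unclosed <br> is a
  // SyntaxError instead of a void element.
  const xmlDoc = new DOMParser().parseFromString('<root/>', 'application/xml');
  const xmlRoot = xmlDoc.documentElement;
  try {
    xmlRoot.innerHTML = '<br>';
    console.log('XML innerHTML: accepted');
  } catch (e) {
    console.log('XML innerHTML: rejected,', e.name);
  }
  // setHTMLUnsafe() ignores that bit and always parses as HTML.
  xmlRoot.setHTMLUnsafe('<br>');
  console.log('XML setHTMLUnsafe: children =', xmlRoot.childNodes.length);
</script>
```

Open the file in a browser and read the console: the first two lines show the DSD difference, the optional third line shows what the sanitizer removed, and the last two lines show the same input rejected by the XML fragment parser but accepted by setHTMLUnsafe().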