{"id":13724427,"url":"https://github.com/WICG/sanitizer-api","last_synced_at":"2025-05-07T18:32:12.391Z","repository":{"id":37424073,"uuid":"49641350","full_name":"WICG/sanitizer-api","owner":"WICG","description":null,"archived":false,"fork":false,"pushed_at":"2024-04-12T15:38:28.000Z","size":557,"stargazers_count":216,"open_issues_count":15,"forks_count":29,"subscribers_count":29,"default_branch":"main","last_synced_at":"2024-04-14T04:27:08.556Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://wicg.github.io/sanitizer-api/","language":"Bikeshed","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WICG.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security-questionnaire.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2016-01-14T10:47:32.000Z","updated_at":"2024-04-15T10:33:16.912Z","dependencies_parsed_at":"2023-11-24T17:27:57.176Z","dependency_job_id":"71d94057-3521-4f2c-a3f8-6cff2c92ba3d","html_url":"https://github.com/WICG/sanitizer-api","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WICG%2Fsanitizer-api","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WICG%2Fsanitizer-api/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WICG%2Fsanitizer-api/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WICG%2Fsanitizer-api/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WICG","download_url":"https://codeload.github.com/WICG/s
anitizer-api/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224636524,"owners_count":17344561,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T01:01:56.989Z","updated_at":"2024-11-14T14:30:53.901Z","avatar_url":"https://github.com/WICG.png","language":"Bikeshed","funding_links":[],"categories":["HTML"],"sub_categories":[],"readme":"# Sanitizer API\n\nThe *Sanitizer API* is a proposed new browser API to bring a safe and\neasy-to-use capability to sanitize HTML into the web platform.\n\nStatus:\n\n* The Sanitizer API is currently being incubated in the\n  [Sanitizer API](https://github.com/WICG/sanitizer-api) [WICG](https://wicg.io/),\n  with the goal of bringing this to the [WHATWG](https://whatwg.org/).\n* The API is not finalized and still subject to change.\n\nHere you can find additional information:\n\n* Implementation Status:\n  * [Mozilla position](https://github.com/mozilla/standards-positions/issues/106),\n    [WebKit position](https://github.com/WebKit/standards-positions/issues/86),\n    [Chrome Status](https://www.chromestatus.com/feature/5786893650231296).\n  * [Can I use 'Sanitizer API'](https://caniuse.com/mdn-api_sanitizer)?\n  * [Web Platform Tests]( https://wpt.fyi/results/sanitizer-api?label=experimental\u0026label=master\u0026aligned)\n    ([test source](https://github.com/web-platform-tests/wpt/tree/master/sanitizer-api)).\n* An early [W3C TAG review](https://github.com/w3ctag/design-reviews/issues/619).\n\n## Explainer\n\nThe API is still being discussed. 
Please see the [explainer](explainer.md) for\nour current thinking.\n\n## Taking a Step Back: The Problem We're Solving\n\nVarious web applications often need to work with strings of HTML on the client-side. This might take place, for instance, as part of a client-side templating solution or perhaps come to play through the process of rendering user-generated content. The key problem is that it remains difficult to perform these tasks in a safe way. This is specifically the case because the naive approach of joining strings together and stuffing them into an [Element](https://dom.spec.whatwg.org/#element)'s [`innerHTML`](https://w3c.github.io/DOM-Parsing/#widl-Element-innerHTML) is fraught with risks. A very common negative implication concerns the JavaScript execution, which can occur in a number of unexpected ways.\n\nTo address the problem, libraries like [DOMPurify](https://github.com/cure53/DOMPurify) attempt to carefully manage the inputs and alleviate risks. This is usually accomplished through parsing and sanitizing strings before insertion and takes advantage of an allowlist for constructing a DOM and handling its components. This is considerably safer than doing the same on the server-side, yet much untapped potential can still be observed when it comes to client-side sanitization.\n\nAs it stands, every browser has a fairly good idea of when and how it is going to execute code. Capitalizing on this, it is possible to improve the user-space libraries by teaching the browser how to render HTML from an arbitrary string in a safe manner. 
In other words, we seek to make sure that this happens in a way that is much more likely to be maintained and updated along with the browsers’ ever-changing parser implementations.\n\n### Goals For The Sanitizer API\n\nProvide a **browser-maintained** \"ever-green\", **safe**, and **easy-to-use**\nlibrary for **user input sanitization** as part of the general **web platform**.\n\n* **user input sanitization**: The basic functionality is to take a string,\n  and turn it into strings that are safe to use and will not cause inadvertent\n  execution of JavaScript.\n\n* **browser-maintained**, \"**ever-green**\" / as part of the general\n  **web platform**: The library is shipped with the browser, and will be\n  updated alongside it as bugs or new attack vectors are found.\n\n* **Safe** and **easy-to-use**: The API surface should be small, and the\n  defaults should make sense across a wide range of use cases.\n\n### Secondary Goals\n\n* Cover **existing browser functionality**, especially the [sanitization of\n  clipboard](https://www.w3.org/TR/clipboard-apis/#pasting-html) data.\n\n* **Easy things should be easy.** This requires easy-to-use and safe defaults,\n  and a small API surface for the common case.\n\n* Cover a **reasonably wide range of base requirements**, but be open to more\n  advanced use cases or future enhancements. This probably requires some sort\n  of configuration or options, ideally in a way that both the developer and a\n  security reviewer should be able to reason about them.\n\n* Should be **integratable into other security mechanisms**, both browser\n  built-ins and others.\n\n* Be **poly-fillable**, although the polyfill would presumably have different\n  security and performance properties.\n\n### Non-goals\n\nForce the use of this library, or any other enforcement mechanism. Some\napplications will have sanitization requirements that are not easily met by\na general purpose library. 
These should continue to be able to use whichever\nlibrary or mechanism they prefer. However, the library should play well with\nother enforcement mechanisms.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FWICG%2Fsanitizer-api","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FWICG%2Fsanitizer-api","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FWICG%2Fsanitizer-api/lists"}