https://github.com/mozilla/sanitizer-polyfill
rewrite constructor arguments, call DOMPurify, profit
polyfill security webapi xss
Last synced: about 1 year ago
- Host: GitHub
- URL: https://github.com/mozilla/sanitizer-polyfill
- Owner: mozilla
- License: mpl-2.0
- Created: 2021-04-28T13:53:11.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2024-09-24T20:13:15.000Z (almost 2 years ago)
- Last Synced: 2024-10-29T23:50:56.410Z (over 1 year ago)
- Topics: polyfill, security, webapi, xss
- Language: JavaScript
- Homepage: https://mozilla.github.io/sanitizer-polyfill/demo/
- Size: 857 KB
- Stars: 67
- Watchers: 6
- Forks: 8
- Open Issues: 16
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
README
# Polyfill for the [Sanitizer API](https://github.com/WICG/sanitizer-api/) specification.
## Usage
**The Sanitizer API is still under heavy development. We do not recommend
relying on the polyfill for stability and cannot fully promise the same
security guarantees as the finished API will.**
## About
The polyfill might provide a shim on top of
[DOMPurify](https://github.com/cure53/DOMPurify/) that mainly rewrites the
specified configuration object into a DOMPurify configuration.
DOMPurify is more interesting than other libraries, as it relies on the
current browser's HTML parsing behavior (it is built on top of the
[NodeIterator](https://developer.mozilla.org/en-US/docs/Web/API/NodeIterator)
interface).
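A sketch of what such a configuration rewrite has to get right, added here as an example and not taken from the polyfill's source. The input key names (`allowElements`, `blockElements`, `allowAttributes`, `dropAttributes`) and the `{ attribute: [elements] }` shape are assumptions based on an early Sanitizer API draft, and `toDOMPurifyConfig` is a hypothetical helper; the output keys are DOMPurify options.

```javascript
// Added example: hypothetical config rewrite, not the polyfill's own code.
// Input keys are assumed from an early Sanitizer API draft.
const KNOWN_KEYS = new Set([
  "allowElements", "blockElements", "allowAttributes", "dropAttributes",
]);

const lower = (names) => names.map((n) => String(n).toLowerCase());

// Assumed draft shape: { attrName: [elementNames] }, "*" meaning every element.
// DOMPurify's ALLOWED_ATTR is a global list, so an attribute allowed only on
// some elements cannot be translated without widening the policy: reject it.
function allowGlobalAttributes(map) {
  return Object.entries(map).map(([attr, elements]) => {
    if (!Array.isArray(elements) || !elements.includes("*")) {
      throw new TypeError(`allowAttributes.${attr}: per-element scope unsupported`);
    }
    return attr.toLowerCase();
  });
}

function toDOMPurifyConfig(sanitizerConfig = {}) {
  // Fail closed: silently ignoring an option the shim does not understand
  // would hand the caller a weaker policy than the one it asked for.
  for (const key of Object.keys(sanitizerConfig)) {
    if (!KNOWN_KEYS.has(key)) throw new TypeError(`unsupported option: ${key}`);
  }
  const { allowElements, blockElements, allowAttributes, dropAttributes } =
    sanitizerConfig;
  const out = {};
  if (allowElements) out.ALLOWED_TAGS = lower(allowElements);
  // Closest DOMPurify match for removing an element: FORBID_TAGS.
  if (blockElements) out.FORBID_TAGS = lower(blockElements);
  if (allowAttributes) out.ALLOWED_ATTR = allowGlobalAttributes(allowAttributes);
  // Dropping an attribute everywhere is stricter than dropping it on some
  // elements, so flattening the scope here errs on the safe side.
  if (dropAttributes) out.FORBID_ATTR = lower(Object.keys(dropAttributes));
  return out;
}

// Constructed sample input.
const sample = toDOMPurifyConfig({
  allowElements: ["B", "a"],
  blockElements: ["span"],
  allowAttributes: { HREF: ["*"] },
  dropAttributes: { style: ["div"] },
});
console.log(sample);
```

The resulting object is what would be passed as the second argument to `DOMPurify.sanitize`.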
### [Demo](https://mozilla.github.io/sanitizer-polyfill/demo/)
There's a [Demo](https://mozilla.github.io/sanitizer-polyfill/demo/) page that loads all of the polyfill scripts and then does nothing.
By default, the polyfill will bail out if you already have a Sanitizer object defined.
But that can be easily overridden by clicking the **¶**.
It might be useful to test `Element.setHTML`.