diff --git a/.github/ISSUE_TEMPLATE/upcoming-whatnot-meeting.md b/.github/ISSUE_TEMPLATE/upcoming-whatnot-meeting.md new file mode 100644 index 00000000000..f9d16cf1b97 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/upcoming-whatnot-meeting.md @@ -0,0 +1,14 @@ +--- +name: Upcoming WHATNOT meeting +about: Create a new WHATNOT meeting announcement +title: Upcoming WHATNOT meeting on 20YY-MM-DD +labels: agenda+ +--- + +Today we held our weekly triage call, see [LINK TO PREVIOUS AGENDA ISSUE], and the meeting notes have been posted there. + +[DELETE ONE OF THE FOLLOWING TWO LINES AND FILL IN THE DATE] +The next one is scheduled for [DATE], at 9AM PT. Note that this is 1 week later in the AMER-EMEA friendly time. +The next one is scheduled for [DATE], at 10AM CE(S)T. Note that this is 1 week later in the APAC-EMEA friendly time. + +People interested in attending the next call who need the invite: Please respond here or reach out on [Chat](https://whatwg.org/chat). Please tag issues and PRs for the next call using agenda+ in all WHATWG repositories across [issues](https://github.com/search?q=org%3Awhatwg+is%3Aopen+label%3Aagenda%2B&type=issues) and [pull requests](https://github.com/search?q=org%3Awhatwg+is%3Aopen+label%3Aagenda%2B&type=pullrequests). We invite anyone who can contribute to join us. diff --git a/source b/source index 1d533952b9f..7f36d4e8271 100644 --- a/source +++ b/source @@ -2325,6 +2325,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
User agents that support JavaScript must also implement the Import Text proposal. + The following term is defined there, and used in this specification: JSIMPORTTEXT
+ +User agents that support JavaScript must also implement ECMAScript Internationalization API. JSINTL
@@ -3330,6 +3342,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attributeCharacterData node and its
replace data algorithmThe following features are defined in UI Events: UIEVENTS
@@ -3793,6 +3807,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attributeThe following features are defined in CSS Grid Layout: CSSGRID
@@ -4078,7 +4094,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attributea elementannotation-xml elementmath elementmerror elementmfrac elementmi elementmmultiscripts elementmn elementmo elementmover elementmpadded elementmphantom elementmprescripts elementmroot elementmrow elementms elementmspace elementmsqrt elementmstyle elementmsub elementmsubsup elementmsup elementmtable elementmtd elementmtext elementmtr elementmunder elementmunderover elementsemantics elementaccent attributeaccentunder attributecolumnspan attributedepth attributefence attributeform attributeheight attributelargeop attributelspace attributemaxsize attributeminsize attributemovablelimits attributerowspan attributerspace attributeseparator attributestretchy attributesymmetric attributevoffset attributewidth attributeSVGImageElement interfaceSVGScriptElement interfaceSVGSVGElement interfacea elementdesc elementforeignObject elementimage elementscript elementsvg elementtitle elementuse elementa elementanimate elementanimateTransform elementcircle elementdefs elementdesc elementellipse elementforeignObject elementg elementimage elementline elementmarker elementmetadata elementpath elementpolygon elementpolyline elementrect elementscript elementset elementsvg elementtext elementtextPath elementtitle elementtspan elementuse elementaction attributeattributeName attributecx attributecy attributed attributedx attributedy attributeformaction attributeheight attributehref attributelengthAdjust attributemarkerHeight attributemarkerUnits attributemarkerWidth attributemethod attributeorient attributepath attributepathLength attributepoints attributepreserveAspectRatio attributer attributerefX attributerefY attributerotate attributerx attributery attributeside attributespacing attributestartOffset attributetextLength attributeviewBox attributewidth attributex attributex1 attributex2 attributey attributey1 attributey2 attributetext-rendering propertyElements that have a nonce 
content attribute ensure that the
cryptographic nonce is only exposed to script (and not to side-channels like CSS attribute
- selectors) by taking the value from the content attribute, moving it into an internal slot
- named [[CryptographicNonce]], exposing it to script
- via the HTMLOrSVGElement interface mixin, and setting the content attribute to the
- empty string. Unless otherwise specified, the slot's value is the empty string.
HTMLOrSVGOrMathMLElement interface mixin, and setting the content attribute
+ to the empty string. Unless otherwise specified, the slot's value is the empty string.
element.nonceelement.nonceReturns the value set for element's cryptographic nonce. If the setter was not
used, this will be the value originally found in the nonce
content attribute.
element.nonce = valueelement.nonce = valueUpdates element's cryptographic nonce value.
The nonce IDL attribute must, on getting, return the
- value of this element's [[CryptographicNonce]]; and on setting, set this element's
- [[CryptographicNonce]] to the given value.
The nonce IDL attribute must, on getting,
+ return the value of this element's [[CryptographicNonce]]; and on setting, set this
+ element's [[CryptographicNonce]] to the given value.
Note how the setter for the nonce IDL attribute does not update the corresponding
- content attribute. This, as well as the below setting of the nonce IDL attribute does not update the
+ corresponding content attribute. This, as well as the below setting of the nonce content attribute to the empty string when an element
becomes browsing-context connected, is meant to prevent exfiltration of the nonce
value through mechanisms that can easily read content attributes, such as selectors. Learn more in
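Review bot: The exfiltration protection only holds if every element type that carries the mixin also runs the browsing-context-connected clearing step, so with MathML elements now included via HTMLOrSVGOrMathMLElement, confirm that MathML Core (cited as MATHML) actually makes its elements include this mixin; otherwise a `nonce` content attribute on a `math` subtree would keep its value and remain readable through the very attribute selectors this paragraph is guarding against. The note paragraph also reads "This, as well as the below setting of the nonce IDL attribute does not update the corresponding content attribute" in the extraction, which looks like a duplicated clause; check the source for a copy-paste remnant.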
@@ -7951,8 +8061,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
steps are used for the nonce content attribute:
If element does not include HTMLOrSVGElement, then
- return.
If element does not include HTMLOrSVGOrMathMLElement,
+ then return.
If localName is not nonce or
namespace is not null, then return.
Whenever an element including HTMLOrSVGElement
- becomes browsing-context connected, the user agent must execute the following steps
- on the element:
Whenever an element including
+ HTMLOrSVGOrMathMLElement becomes browsing-context connected, the user
+ agent must execute the following steps on the element:
Let CSP list be element's cloning steps for elements that
- include HTMLOrSVGElement given node, copy, and
- subtree are to set copy's [[CryptographicNonce]] to
+ include HTMLOrSVGOrMathMLElement given node, copy,
+ and subtree are to set copy's [[CryptographicNonce]] to
node's [[CryptographicNonce]].
Document parseHTMLUnsafe((TrustedHTML or DOMString) html);
+ static Document parseHTMLUnsafe((TrustedHTML or DOMString) html, optional SetHTMLUnsafeOptions options = {});
+ static Document parseHTML((TrustedHTML or DOMString) html, optional SetHTMLOptions options = {});
// resource metadata management
[PutForwards=href, LegacyUnforgeable] readonly attribute Location? location;
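Review bot: The new `parseHTML` overload and the `SetHTMLOptions` and `SetHTMLUnsafeOptions` dictionaries appear here without any definition or reference entry visible in the patch; the IDL will not build unless those dictionaries are defined in this document or imported from the Sanitizer API with a corresponding reference, and the prose should state that `parseHTML` is the safe-by-default counterpart of `parseHTMLUnsafe` so readers understand why both exist. Since `Document.parseHTMLUnsafe` is the sink that Trusted Types guards, also confirm the Trusted Types hooks still name the right overload after the signature change.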
@@ -12843,7 +12954,7 @@ dictionary TogglePopoverOptions : ShowPopoverOptions
HTMLElement includes GlobalEventHandlers;
HTMLElement includes ElementContentEditable;
-HTMLElement includes HTMLOrSVGElement;
+HTMLElement includes HTMLOrSVGOrMathMLElement;
[Exposed=Window]
interface HTMLUnknownElement : HTMLElement {
@@ -12894,14 +13005,14 @@ interface HTMLUnknownElement : HTMLElement {
a linear transition of the element's prototype chain, from HTMLElement to a subclass,
instead of a lateral one, from HTMLUnknownElement to an unrelated subclass.
- Features shared between HTML and SVG elements use the HTMLOrSVGElement interface
- mixin: SVG
Features shared between HTML, SVG and MathML elements use the
+ HTMLOrSVGOrMathMLElement interface mixin: SVG MATHML
interface mixin HTMLOrSVGElement {
+ interface mixin HTMLOrSVGOrMathMLElement {
[SameObject] readonly attribute DOMStringMap dataset;
- attribute DOMString nonce; // intentionally no [CEReactions]
+ attribute DOMString nonce; // intentionally no [CEReactions]
- [CEReactions, Reflect] attribute boolean autofocus;
+ [CEReactions, Reflect] attribute boolean autofocus;
[CEReactions, ReflectSetter] attribute long tabIndex;
undefined focus(optional FocusOptions options = {});
undefined blur();
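Review bot: Renaming the mixin is not script-observable (interface mixins never appear on the prototype chain), but the old name HTMLOrSVGElement is referenced from other specifications; the SVG and MATHML references on the "Features shared between HTML, SVG and MathML elements" line should point at versions that use the new name, and keeping an alias for the old identifier in this document would stop inbound cross-spec links from breaking. The "intentionally no [CEReactions]" comment on `nonce` deserves a one-line explanation in prose, since it is what keeps custom element reactions from observing nonce writes.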
@@ -12910,7 +13021,7 @@ interface HTMLUnknownElement : HTMLElement {
- An example of an element that is neither an HTML nor SVG element is one created as
+
An example of an element that is neither an HTML nor SVG nor MathML element is one created as
follows:
const el = document.createElementNS("some namespace", "example");
@@ -13720,7 +13831,7 @@ https://software.hixie.ch/utilities/js/live-dom-viewer/?%3C%21DOCTYPE%20HTML%3E%
details
embed
iframe
- img (if the usemap attribute is present)
+ img (if the usemap or controls attribute is present)
input (if the type attribute is not in the Hidden state)
label
select
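Review bot: Making `img` interactive content when `controls` is present changes the content model: an `img` with `controls` inside `a` or `button` becomes non-conforming, because those elements must not contain interactive content. That consequence should be spelled out in the `img` element's authoring text, since the attribute definition later in the patch only restricts the attribute with respect to `alt`, and it will surprise authors who add `controls` to an existing linked image.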
@@ -15344,7 +15455,7 @@ translate="no">HTML</span> markup.</p>
- The dataset IDL
+
The dataset IDL
attribute provides convenient accessors for all the data-*
attributes on an element. On getting, the dataset IDL attribute
must return a DOMStringMap whose associated element is this element.
@@ -16155,6 +16266,7 @@ interface HTMLTitleElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Navigating URL attributes:
href.
- DOM interface:
-
[Exposed=Window]
@@ -19350,6 +19462,8 @@ interface HTMLBodyElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -19497,6 +19611,8 @@ interface HTMLBodyElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -19659,6 +19775,8 @@ interface HTMLBodyElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -19840,6 +19958,8 @@ interface HTMLBodyElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -19993,6 +20113,8 @@ isn't his only passion. He also enjoys other pleasures.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -20073,6 +20195,8 @@ interface HTMLHeadingElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -20117,6 +20241,8 @@ interface HTMLHeadingElement : HTMLElement {
- Otherwise: for authors; for implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -20212,6 +20338,8 @@ interface HTMLHeadingElement : HTMLElement {
- Otherwise: for authors; for implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -20363,6 +20491,8 @@ interface HTMLHeadingElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -21026,6 +21156,8 @@ interface HTMLHeadingElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -21175,6 +21307,8 @@ and is further discussed below.</div>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -21287,6 +21421,8 @@ of Gralmond's winters.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -21404,6 +21540,9 @@ a friend lost to the
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
cite.
- DOM interface:
-
[Exposed=Window]
@@ -21592,6 +21731,10 @@ be cowed by the possibility.</blockquote>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
reversed, start, type.
- DOM interface:
-
[Exposed=Window]
@@ -21781,6 +21924,8 @@ I first lived there):</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -21899,6 +22044,9 @@ interface HTMLMenuElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
value.
- DOM interface:
-
[Exposed=Window]
@@ -22079,6 +22227,8 @@ interface HTMLLIElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -22363,6 +22513,8 @@ first matching case):</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -22411,6 +22563,8 @@ first matching case):</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -22456,6 +22610,8 @@ first matching case):</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -22647,6 +22803,8 @@ included with Exhibit B.
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -22687,6 +22845,8 @@ included with Exhibit B.
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -22792,6 +22952,8 @@ included with Exhibit B.
- Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -22914,6 +23076,8 @@ included with Exhibit B.
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -23002,6 +23166,13 @@ interface HTMLDivElement : HTMLElement {
- Otherwise: for authors; for implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
href, hreflang,
+ type.
+ - Navigating URL attributes:
href, hreflang, type.
- DOM interface:
-
[Exposed=Window]
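Review bot: Under "Navigating URL attributes" the extracted line lists href, hreflang, type, but only `href` carries a URL; confirm the source lists just `href` there, with `hreflang` and `type` appearing only in the Safe sanitization attribute list. Getting this list right matters because it is the set of attributes the sanitizer applies URL-scheme filtering to.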
@@ -23185,6 +23356,8 @@ document.querySelector("table").onclick = ({ target }) => {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -23278,6 +23451,8 @@ document.querySelector("table").onclick = ({ target }) => {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -23373,6 +23548,8 @@ ten meters.</strong></strong> You have been warned.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -23465,6 +23642,8 @@ merger with Demo Group.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -23504,6 +23683,8 @@ merger with Demo Group.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -23627,6 +23808,8 @@ gossip column, maybe!</q>.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLQuoteElement.
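Review bot: `blockquote` (earlier hunk) and `ins`/`del` (later hunks) list `cite` under Safe sanitization, but `q` lists no attributes even though it also has a `cite` attribute and shares HTMLQuoteElement; confirm whether dropping `q`'s `cite` from the default configuration is intentional or an omission, and if intentional, add a sentence saying why the two quote elements differ.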
@@ -23727,6 +23910,8 @@ resulting from the campaign's mismanagement.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -23801,6 +23986,8 @@ and so Hammond ordered the iris to be opened.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -23928,6 +24115,8 @@ this specification: the <abbr>WHATWG</abbr> and the
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -24433,6 +24622,8 @@ this specification: the <abbr>WHATWG</abbr> and the
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -24465,6 +24656,8 @@ this specification: the <abbr>WHATWG</abbr> and the
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -24533,6 +24726,9 @@ this specification: the <abbr>WHATWG</abbr> and the
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
value.
- DOM interface:
-
[Exposed=Window]
@@ -24609,6 +24805,9 @@ interface HTMLDataElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
datetime.
- DOM interface:
-
[Exposed=Window]
@@ -24946,6 +25145,8 @@ interface HTMLTimeElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25011,6 +25212,8 @@ end.</code></pre>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25085,6 +25288,8 @@ looked pleased.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25150,6 +25355,8 @@ Linux demo 2.6.10-grsec+gg3+e+fhs6b+nfs+gr0501+++p3+c4a+gr2b-reslog-v6.189 #1 SM
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25211,6 +25418,8 @@ Linux demo 2.6.10-grsec+gg3+e+fhs6b+nfs+gr0501+++p3+c4a+gr2b-reslog-v6.189 #1 SM
- The
sup element: for authors; for implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Use
HTMLElement.
@@ -25275,6 +25484,8 @@ For example, the 10th point has coordinate
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25337,6 +25548,8 @@ her—</i></p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25427,6 +25640,8 @@ brighter. A <b>rat</b> scurries past the corner wall.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25475,6 +25690,8 @@ brighter. A <b>rat</b> scurries past the corner wall.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25627,6 +25844,8 @@ wormhole connection.</mark></p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25692,6 +25911,8 @@ wormhole connection.</mark></p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -25733,6 +25954,8 @@ wormhole connection.</mark></p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -25783,6 +26006,8 @@ interface HTMLSpanElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -25868,6 +26093,8 @@ Sydney</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -28585,8 +28812,11 @@ document.body.appendChild(wbr);
Let manifest URL be response's URL.
+ Let client be el's node document's relevant
+ settings object.
+
Process the manifest given document URL, manifest
- URL, and bodyBytes. MANIFEST
+ URL, bodyBytes, and client. MANIFEST
@@ -28631,7 +28861,7 @@ document.body.appendChild(wbr);
A user agent must not delay the load event for this link type.
A module preload destination is "json", "style", or a style", "text", or a script-like destination.
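Review bot: The changed line reads as `"json", "style", or a style", "text", or a script-like destination` in the extraction, which suggests the removed and added lines were merged; the intent is presumably to add "text" alongside "json" and "style". Confirm that "text" is exactly the destination name used by the Import Text proposal (the new dependency added at the top of this patch) and by Fetch's destination list, otherwise the preload and the later import will not be matched.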
@@ -30108,6 +30338,9 @@ document.body.appendChild(wbr);
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
cite, datetime.
- DOM interface:
- Uses
HTMLModElement.
@@ -30197,6 +30430,9 @@ document.body.appendChild(wbr);
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
cite, datetime.
- DOM interface:
- Uses
HTMLModElement.
@@ -30797,7 +31033,7 @@ interface HTMLSourceElement : HTMLElement {
- Phrasing content.
- Embedded content.
- Form-associated element.
- - If the element has a
usemap attribute: Interactive content.
+ - If the element has a
usemap or controls attribute: Interactive content.
- Palpable content.
- Contexts in which this element can be used:
- Where embedded content is expected.
@@ -30813,6 +31049,7 @@ interface HTMLSourceElement : HTMLElement {
crossorigin
usemap
ismap
+ controls
width
height
referrerpolicy
@@ -30841,6 +31078,7 @@ interface HTMLImageElement : HTMLElement {
[CEReactions] attribute DOMString? crossOrigin;
[CEReactions, Reflect] attribute DOMString useMap;
[CEReactions, Reflect] attribute boolean isMap;
+ [CEReactions, Reflect] attribute boolean controls;
[CEReactions, ReflectSetter] attribute unsigned long width;
[CEReactions, ReflectSetter] attribute unsigned long height;
readonly attribute unsigned long naturalWidth;
@@ -31191,6 +31429,31 @@ interface HTMLImageElement : HTMLElement {
together with source elements with the media
attribute specified in a picture element.
+ The controls
+ attribute is a boolean attribute. If present, it indicates that the user agent may
+ expose a user interface to the user. The attribute must not be specified on an element that does
+ not have an alt attribute, or whose alt attribute's value is the empty string.
+
+
+
+ If the controls attribute is present, the user agent
+ may expose controls over the image (e.g., a control for fullscreen viewing). The specific
+ controls provided are implementation-defined, and can be platform-specific or based
+ on the user's preferences.
+
+ If the user agent exposes a user interface by displaying controls over the img
+ element, then the user agent should suppress any user interaction events while the user agent is
+ interacting with this interface.
+
+ Issue #12318 tracks
+ the interaction between image controls and animated images. User agents should not expose
+ animation controls for images before that issue is resolved.
+
+
+
+
+
The img element supports dimension
attributes.
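Review bot: The requirement that the user agent "should suppress any user interaction events while the user agent is interacting with this interface" is underspecified: it does not say which events (pointer, keyboard, focus), whether suppression applies only to the `img` or to the whole document, or whether author content may be positioned over the UA-drawn controls. Since these controls sit on top of page content, state explicitly that they are rendered and dispatched outside the document's event path, and consider tightening "should" to "must" for the suppression. The `alt` restriction is checkable by conformance checkers, but "implementation-defined" controls give authors no baseline; listing fullscreen viewing as the minimum control would help.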
@@ -31246,8 +31509,8 @@ interface HTMLImageElement : HTMLElement {
image.naturalHeight
-
-
These attributes return the natural dimensions of the image, or 0 if the dimensions are not
- known.
+ These attributes return the density-corrected natural width and height of the
+ image, or 0 if the image is not available.
image.complete
@@ -31295,12 +31558,17 @@ interface HTMLImageElement : HTMLElement {
- The IDL attributes The naturalWidth and naturalHeight must return
- the density-corrected natural width and height of the image, in CSS pixels, if the image has density-corrected natural width and
- height and is available, or else 0. CSS
+ for="HTMLImageElement" data-x="dom-img-naturalHeight">naturalHeight getter
+ steps are:
+
+
+ If the image is not available, then return 0.
+
+ Return the respective component of the image's density-corrected natural width and
+ height, in CSS pixels. CSS
+
Since the density-corrected natural width and height of an image
@@ -32448,25 +32716,36 @@ was an English <a href="/wiki/Music_hall">music hall</a> singer, ... of an img element img:
+ Let density be img's current request's current
+ pixel density.
+
-
-
Let dim be img's current request's preferred
- density-corrected dimensions.
+ Let dimensions be img's current request's
+ preferred density-corrected dimensions.
The preferred density-corrected dimensions are set in the
prepare an image for presentation algorithm based on meta information in the
image.
- If dim is null, set dim to img's natural
- dimensions.
+ If dimensions is not null, then set
+ dimensions's width to dimensions's width divided by
+ density, set dimensions's height to dimensions's height
+ divided by density, and return dimensions.
- Set dim's width to dim's width divided by img's
- current request's current pixel density.
+ Let intrinsicWidth, intrinsicHeight, and
+ intrinsicRatio be img's intrinsic
+ width, intrinsic height, and intrinsic aspect ratio, if any, respectively.
- Set dim's height to dim's height divided by img's
- current request's current pixel density.
+ If intrinsicWidth is not absent, then set intrinsicWidth to
+ intrinsicWidth divided by density.
- Return dim.
+ If intrinsicHeight is not absent, then set intrinsicHeight to
+ intrinsicHeight divided by density.
+
+ Return the result of applying the default sizing algorithm with
+ intrinsicWidth, intrinsicHeight, and intrinsicRatio, using a
+ default object size of 300 by 150.
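Review bot: With the fallback to the default sizing algorithm (300 by 150 default object size) when preferred density-corrected dimensions are null, the density-corrected natural width and height are now always defined for an available image, which is why the earlier getter hunk could drop the "if the image has density-corrected natural width and height" condition. This is observable: for images without intrinsic dimensions, `naturalWidth`/`naturalHeight` previously returned 0 and will now return a default-sized value, so it deserves an explicit implementer note and a web-platform-test. Leaving `intrinsicRatio` undivided by `density` is correct, since the ratio is density-invariant; a short comment saying so would pre-empt the obvious question.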
@@ -32884,12 +33163,21 @@ was an English <a href="/wiki/Music_hall">music hall</a> singer, ...pending request's current URL, then
return.
- If urlString is the same as the current request's current URL and the current request's state is partially available, then
- abort the image request for the pending request, queue an element
- task on the DOM manipulation task source given the img element
- to restart the animation if restart animation is set, and return.
+ -
+
If urlString is the same as the current request's current URL and the current request's state is partially available:
+
+
+ Abort the image request for the pending request.
+
+ If restart animation is set, then queue an element task on the
+ DOM manipulation task source given the img element to restart
+ the animation.
+
+ Return.
+
+
Abort the image request for the pending request.
@@ -35071,13 +35359,13 @@ interface HTMLIFrameElement : HTMLElement {
insertedNode, are:
- Create a new child navigable for insertedNode.
-
If insertedNode has a sandbox
attribute, then parse the sandboxing
directive given the attribute's value and insertedNode's
iframe sandboxing flag set.
+ Create a new child navigable for insertedNode.
+
Process the iframe attributes for insertedNode, with
initialInsertion set to true.
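Review bot: Parsing the sandbox directive before creating the child navigable is the correct order: creating the navigable also creates its initial about:blank document, whose active sandboxing flag set is derived from the `iframe` sandboxing flag set, so the previous ordering populated the flags only after that initial document already existed. Worth a web-platform-test asserting that the initial about:blank document of a sandboxed `iframe` already carries the sandbox flags, and a note in the commit message describing the bug this fixes.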
@@ -35270,10 +35558,20 @@ interface HTMLIFrameElement : HTMLElement {
historyHandling to "replace".
- If element is an iframe, then set element's pending resource-timing start time to
- the current high resolution time given element's
- node document's relevant global object.
+ -
+
If element is an iframe:
+
+
+ Set element's pending resource-timing start time to
+ the current high resolution time given element's
+ node document's relevant global object.
+
+ Set element's pending resource-timing URL to
+ url.
+
+
Navigate element's content
navigable to url using element's node document, with
@@ -35308,6 +35606,10 @@ interface HTMLIFrameElement : HTMLElement {
not null, then:
+ Assert: element's pending resource-timing URL is not
+ null.
+
Let global be element's node document's
relevant global object.
@@ -35318,13 +35620,19 @@ interface HTMLIFrameElement : HTMLElement {
and whose response end time is the
current high resolution time given global.
- Mark resource timing given fallbackTimingInfo, url,
+
Mark resource timing given fallbackTimingInfo,
+ the result of parsing element's pending resource-timing URL,
"iframe", global, the empty string, a new
response body info, and 0.
Set element's pending resource-timing start time
to null.
+
+ Set element's pending resource-timing URL
+ to null.
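Review bot: The field is typed as "null or URL" in its definition hunk, yet this step passes "the result of parsing element's pending resource-timing URL" to mark resource timing; parsing a value that is already a URL record is a type mismatch. Either store the URL string at navigation time and parse it here, or keep the URL record and pass it directly. Recording the URL when navigation starts rather than re-reading `src` at timing time is the right fix for the case where `src` changes in between; a sentence saying that is the motivation would help the next reader.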
@@ -35376,6 +35684,11 @@ interface HTMLIFrameElement : HTMLElement {
DOMHighResTimeStamp pending resource-timing start time,
initially set to null.
+
+ Each iframe element has an associated null or
+ URL pending resource-timing URL, initially set to
+ null.
@@ -35853,6 +36166,8 @@ interface HTMLIFrameElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Removed.
- DOM interface:
-
[Exposed=Window]
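Review bot: "Safe sanitization: Removed" is a new row category for the element definition boxes, and nothing in the row says what "Removed" means or which sanitizer configuration it mirrors; add a cross-reference to the default configuration it summarizes so that "Removed" and "Included by default" are defined once rather than inferred from the other elements' rows.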
@@ -36135,6 +36450,8 @@ interface HTMLEmbedElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Removed.
- DOM interface:
-
[Exposed=Window]
@@ -40668,12 +40985,7 @@ interface MediaError {
- While the direction of playback is backwards, any corresponding audio must be
- muted. While the element's playbackRate is so low or so high that the user agent
- cannot play audio usefully, the corresponding audio must also be muted. If the element's playbackRate is not 1.0 and If the element's playbackRate is not 1.0 and preservesPitch is true, the user agent must apply pitch
adjustment to preserve the original pitch of the audio. Otherwise, the user agent must speed up
or slow down the audio without any pitch adjustment.
@@ -43307,39 +43619,94 @@ red:89
Initially, the volume should be 1.0, but user agents may remember the last set value across
sessions, on a per-site basis or otherwise, so the volume may start at other values.
+
+ To set the playback volume of a media element
+ element to a number value:
+
+
+ If element's playback volume equals
+ value, then return.
+
+ Set element's playback volume to
+ value.
+
+ If element is not allowed to play, then run the internal
+ pause steps for element.
+
+ Queue a media element task given element to fire an event named volumechange at element.
+
+
+
The volume
- IDL attribute must return the playback volume of any
- audio portions of the media element. On setting, if the new value is in the range 0.0
- to 1.0 inclusive, the media element's playback
- volume must be set to the new value. If the new value is outside the range 0.0 to 1.0
- inclusive, then, on setting, an "IndexSizeError"
- DOMException must be thrown instead.
+ getter steps are to return this's playback
+ volume.
- A media element can also be muted. If anything is muting the element, then it is muted. (For example, when the
- direction of playback is backwards, the element is muted.)
+
+ The volume setter steps are:
+
+
+ If the given value is not in the range 0.0 to 1.0 inclusive, then throw an
+ "IndexSizeError" DOMException.
+
+ Set the playback volume of this to the given value.
+
+
+
+ A media element is muted if any of the following are true:
+
+
+ Its muted state is true.
+
+ Its muted state is "default" and it has a muted content
+ attribute.
+
+ The direction of playback is backwards.
+
+ Its playbackRate is so low or so high that the
+ user agent cannot play audio usefully.
+
+
+ Each media element has a muted
+ state, which is either true, false, or "default"; it is initially "default". User agents may set the muted state of a media
+ element to true or false (e.g., remembering the last set value across sessions, on a
+ per-site basis or otherwise).
- The muted IDL
- attribute must return the value to which it was last set. When a media element is
- created, if the element has a muted content attribute
- specified, then the muted IDL attribute should be set to
- true; otherwise, the user agents may set the value to the user's preferred value (e.g. remembering
- the last set value across sessions, on a per-site basis or otherwise). While the muted IDL attribute is set to true, the media element
- must be muted.
+ To set the muted state of a media element element to
+ a boolean value:
+
+
+ If element's muted state
+ equals value, then return.
+
+ Set element's muted state to
+ value.
+
+ If element is not allowed to play, then run the internal
+ pause steps for element.
+
+ Queue a media element task given element to fire an event named volumechange at element.
+
- Whenever either of the values that would be returned by the volume and muted IDL
- attributes change, the user agent must queue a media element task given the
- media element to fire an event named volumechange at the media element. Then, if
- the media element is not allowed to play, the user agent must run the
- internal pause steps for the media element.
+ The muted
+ getter steps are to return true if this is muted; otherwise false.
+
+
+
+ The muted setter steps are to set the muted
+ state of this to the given value.
A user agent has an associated volume locked (a boolean). Its value is
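Review bot: the new muted getter ("return true if this is muted") changes observable behaviour: "is muted" now includes the direction-of-playback and playbackRate conditions, so muted returns true during backwards or very fast playback even when the author never set it, whereas the removed text returned "the value to which it was last set". If that is intended, call it out explicitly, and note that no volumechange event fires when those conditions flip, since only the set-the-muted-state and set-the-playback-volume steps queue one; otherwise have the getter resolve the muted state against the content attribute only. Separately, "User agents may set the muted state of a media element to true or false" no longer restricts when that may happen, while the removed text only allowed a user preference when no muted content attribute was specified; the later hunk's "or the user indicated a preference" depends on which of these is meant.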
@@ -43357,8 +43724,7 @@ red:89
If the user agent's volume locked is true, then return the system
volume.
- If the element's audio output is muted, then
- return zero.
+ If the element is muted, then return 0.
Let volume be the playback
volume of the audio portions of the media element, in range 0.0 (silent) to
@@ -43375,20 +43741,18 @@ red:89
The muted
content attribute on media elements is a boolean
- attribute that controls the default state of the audio output of the media
- resource, potentially overriding user preferences.
+ attribute that gives the default value for muting.
- This attribute has no dynamic effect (it only controls the default state of the
- element).
+ This attribute has no further effect once the muted setter has been invoked or the user indicated a
+ preference.
-
This video (an advertisement) autoplays, but to avoid annoying users, it does so without
sound, and allows the user to turn the sound on. The user agent can pause the video if it's
unmuted without a user interaction.
<video src="adverts.cgi?kind=video" controls autoplay loop muted></video>
-
@@ -44229,6 +44593,8 @@ interface HTMLMapElement : HTMLElement {
- Otherwise: for authors; for implementers.
+ - Navigating URL attributes:
href.
- DOM interface:
-
[Exposed=Window]
@@ -44865,6 +45231,8 @@ interface HTMLAreaElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
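Review bot: this "Included by default" row lists no attributes, while the rows for col, colgroup, td and th in later hunks append "Attributes: …"; state explicitly whether the absence of a list means none of this element's attributes are in the default configuration or the list was omitted, so readers can tell the two cases apart.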
@@ -45076,167 +45444,220 @@ interface HTMLTableElement : HTMLElement {
- In all of the following attribute and method definitions, when an element is to be
- table-created, that means to create an element given the
- table element's node document, the given local name, and the HTML
- namespace.
+ To create a table element given a table element
+ tableElement and a string localName, return the result of creating an element given tableElement's node
+ document, localName, and the HTML namespace.
The caption
- IDL attribute must return, on getting, the first caption element child of the
- table element, if any, or null otherwise. On setting, the first caption
- element child of the table element, if any, must be removed, and the new value, if
- not null, must be inserted as the first node of the table element.
+ getter steps are to return the first caption element child of this, if
+ any; otherwise null.
+
+
+
+ The caption setter steps are:
+
+
+ Remove the first caption element child of this, if any.
+
+ If the given value is not null, then insert it as the first node of
+ this.
+
The createCaption() method must return the first
- caption element child of the table element, if any; otherwise a new
- caption element must be table-created, inserted as the first node of the
- table element, and then returned.
+ data-x="dom-table-createCaption">createCaption() method steps are:
+
+
+ If this has a caption element child, then return the first such
+ element.
+
+ Let caption be the result of creating a
+ table element given this and "caption".
+
+ Insert caption as the first node of this.
+
+ Return caption.
+
The deleteCaption() method must remove the first
- caption element child of the table element, if any.
+ data-x="dom-table-deleteCaption">deleteCaption() method steps are to remove the
+ first caption element child of this, if any.
- The tHead IDL
- attribute must return, on getting, the first thead element child of the
- table element, if any, or null otherwise. On setting, if the new value is null or a
- thead element, the first thead element child of the table
- element, if any, must be removed, and the new value, if not null, must be inserted immediately
- before the first element in the table element that is neither a caption
- element nor a colgroup element, if any, or at the end of the table if there are no
- such elements. If the new value is neither null nor a thead element, then a
- "HierarchyRequestError" DOMException must be thrown
- instead.
+ The tHead
+ getter steps are to return the first thead element child of this, if
+ any; otherwise null.
+
+
+
+ The tHead setter steps are:
+
+
+ If the given value is neither null nor a thead element, then throw a
+ "HierarchyRequestError" DOMException.
+
+ Remove the first thead element child of this, if any.
+
+ If the given value is not null, then insert it immediately before the first element child
+ of this that is neither a caption element nor a colgroup
+ element, if any; otherwise insert it at the end of this.
+
The createTHead() method must return the first
- thead element child of the table element, if any; otherwise a new
- thead element must be table-created and inserted immediately before the
- first element in the table element that is neither a caption element nor
- a colgroup element, if any, or at the end of the table if there are no such elements,
- and then that new element must be returned.
+ data-x="dom-table-createTHead">createTHead() method steps are:
+
+
+ If this has a thead element child, then return the first such
+ element.
+
+ Let thead be the result of creating a
+ table element given this and "thead".
+
+ Insert thead immediately before the first element child of this
+ that is neither a caption element nor a colgroup element, if any;
+ otherwise insert thead at the end of this.
+
+ Return thead.
+
The deleteTHead() method must remove the first
- thead element child of the table element, if any.
+ data-x="dom-table-deleteTHead">deleteTHead() method steps are to remove the first
+ thead element child of this, if any.
+
+
+
+ The tFoot
+ getter steps are to return the first tfoot element child of this, if
+ any; otherwise null.
- The tFoot IDL
- attribute must return, on getting, the first tfoot element child of the
- table element, if any, or null otherwise. On setting, if the new value is null or a
- tfoot element, the first tfoot element child of the table
- element, if any, must be removed, and the new value, if not null, must be inserted at the end of
- the table. If the new value is neither null nor a tfoot element, then a
- "HierarchyRequestError" DOMException must be thrown
- instead.
+ The tFoot setter steps are:
+
+
+ If the given value is neither null nor a tfoot element, then throw a
+ "HierarchyRequestError" DOMException.
+
+ Remove the first tfoot element child of this, if any.
+
+ If the given value is not null, then insert it at the end of this.
+
The createTFoot() method must return the first
- tfoot element child of the table element, if any; otherwise a new
- tfoot element must be table-created and inserted at the end of the
- table, and then that new element must be returned.
+ data-x="dom-table-createTFoot">createTFoot() method steps are:
+
+
+ If this has a tfoot element child, then return the first such
+ element.
+
+ Let tfoot be the result of creating a
+ table element given this and "tfoot".
+
+ Insert tfoot at the end of this.
+
+ Return tfoot.
+
The deleteTFoot() method must remove the first
- tfoot element child of the table element, if any.
+ data-x="dom-table-deleteTFoot">deleteTFoot() method steps are to remove the first
+ tfoot element child of this, if any.
The tBodies
- attribute must return an HTMLCollection rooted at the table node, whose
- filter matches only tbody elements that are children of the table
- element.
+ getter steps are to return an HTMLCollection rooted at this, whose
+ filter matches only tbody elements that are children of this.
The createTBody() method must table-create a new tbody element, insert it immediately
- after the last tbody element child in the table element, if any, or at
- the end of the table element if the table element has no
- tbody element children, and then must return the new tbody element.
+ data-x="dom-table-createTBody">createTBody() method steps are:
+
+
+ Let tbody be the result of creating a
+ table element given this and "tbody".
+
+ Insert tbody immediately after the last tbody element child of
+ this, if any; otherwise insert tbody at the end of
+ this.
+
+ Return tbody.
+
The rows
- attribute must return an HTMLCollection rooted at the table node, whose
- filter matches only tr elements that are either children of the table
- element, or children of thead, tbody, or tfoot elements
- that are themselves children of the table element. The elements in the collection
- must be ordered such that those elements whose parent is a thead are included first,
- in tree order, followed by those elements whose parent is either a table
- or tbody element, again in tree order, followed finally by those
- elements whose parent is a tfoot element, still in tree order.
+ getter steps are to return an HTMLCollection rooted at this, whose
+ filter matches only tr elements that are either children of this, or
+ children of thead, tbody, or tfoot elements that are
+ themselves children of this. The elements in the collection must be ordered such
+ that those elements whose parent is a thead are included first, in tree
+ order, followed by those elements whose parent is either this or a
+ tbody element, again in tree order, followed finally by those elements
+ whose parent is a tfoot element, still in tree order.
- The behavior of the insertRow(index) method depends on the state
- of the table. When it is called, the method must act as required by the first item in the
- following list of conditions that describes the state of the table and the index
- argument:
-
-
+ The insertRow(index) method steps are:
- - If index is less than −1 or greater than the number of elements
- in
rows collection:
+
+ If index is less than −1 or greater than the number of elements in the
+ rows collection, then throw an
+ "IndexSizeError" DOMException.
- - The method must throw an "
IndexSizeError"
- DOMException.
+ Let tr be the result of creating a table
+ element given this and "tr".
- - If the
rows collection has zero elements in it, and the
- table has no tbody elements in it:
+ -
+
If the rows collection has zero elements in it, and
+ this has no tbody elements in it:
- - The method must table-create a
tbody
- element, then table-create a tr element, then
- append the tr element to the tbody element, then append the
- tbody element to the table element, and finally return the
- tr element.
+
+ Let tbody be the result of creating a
+ table element given this and "tbody".
- - If the
rows collection has zero elements in it:
+ Append tr to tbody.
- - The method must table-create a
tr element,
- append it to the last tbody element in the table, and return the tr
- element.
+ Append tbody to this.
+
+
- - If index is −1 or equal to the number of items in
rows collection:
+ Otherwise, if the rows collection has zero elements
+ in it, then append tr to the last tbody element in
+ this.
- - The method must table-create a
tr element,
- and append it to the parent of the last tr element in the rows collection. Then, the newly created tr element
- must be returned.
+ Otherwise, if index is −1 or equal to the number of items in the rows collection, then append tr to the parent of the
+ last tr element in the rows
+ collection.
- - Otherwise:
+ Otherwise, insert tr immediately before the indexth tr
+ element in the rows collection, in the same
+ parent.
- - The method must table-create a
tr element,
- insert it immediately before the indexth tr element in the rows collection, in the same parent, and finally must return the
- newly created tr element.
-
+ Return tr.
+
- When the deleteRow(index) method is called, the user
- agent must run the following steps:
+ The deleteRow(index) method steps are:
If index is less than −1 or greater than or equal to the number of
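Review bot: in the insertRow steps, tr is now created before the branch that creates tbody, reversing the removed text's order (tbody first, then tr). Element creation is not observable here, since neither "tr" nor "tbody" can have a custom element definition, so the reordering is harmless, but mention it as intentional in the commit message. The rest of the rewrite preserves behaviour: the tHead and tFoot setters throw before removing the existing child, matching "must be thrown instead" in the removed text, and the new "creating a table element" helper takes over every "table-created" use in the old prose.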
@@ -45547,6 +45968,8 @@ side in the right column.</p>
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -45644,6 +46067,9 @@ the cell that corresponds to the values of the two dice.
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
span.
- DOM interface:
-
[Exposed=Window]
@@ -45694,6 +46120,9 @@ interface HTMLTableColElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
span.
- DOM interface:
- Uses
HTMLTableColElement, as defined for colgroup elements.
@@ -45734,6 +46163,8 @@ interface HTMLTableColElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -45874,6 +46305,8 @@ interface HTMLTableSectionElement : HTMLElementAccessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLTableSectionElement, as defined for tbody elements.
@@ -45946,6 +46379,8 @@ interface HTMLTableSectionElement : HTMLElementAccessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLTableSectionElement, as defined for tbody elements.
@@ -45984,6 +46419,8 @@ interface HTMLTableSectionElement : HTMLElementAccessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
-
[Exposed=Window]
@@ -46162,6 +46599,10 @@ interface HTMLTableRowElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
colspan, headers, rowspan.
- DOM interface:
-
[Exposed=Window]
@@ -46265,6 +46706,11 @@ interface HTMLTableCellElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default. Attributes:
abbr, colspan, headers, rowspan, scope.
- DOM interface:
- Uses
HTMLTableCellElement, as defined for td elements.
@@ -48218,6 +48664,8 @@ interface HTMLTableCellElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Navigating URL attributes:
action.
- DOM interface:
-
[Exposed=Window,
@@ -56315,7 +56763,7 @@ interface HTMLButtonElement : HTMLElement {
If the result of running check popover validity given
target, false, false, and null is true, then run the
show popover algorithm given target, false, and
- this.
+ element.
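Review bot: replacing this with element is the right fix, since the surrounding algorithm is defined over element and has no this value; the two hunks correct one call site each, so grep the remainder of that algorithm for any other "this" left behind.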
Otherwise, if the result of running check popover validity given
target, true, false, and null is true, then run the
@@ -56332,7 +56780,7 @@ interface HTMLButtonElement : HTMLElement {
If the result of running check popover validity given target,
false, false, and null is true, then run the show popover algorithm given target, false, and
- this.
+ element.
@@ -57799,15 +58247,15 @@ interface HTMLOptionElement : HTMLElement {
- To get the option element nearest ancestor select given an
- option option, run these steps. They return a select or
- null.
+ To get the nearest ancestor
+ select given an Element element, run these steps. They
+ return a select or null.
Let ancestorOptgroup be null.
-
-
For each ancestor of option's ancestors,
+
For each ancestor of element's ancestors,
in reverse tree order:
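Review bot: the algorithm is generalized from an option to any Element and the term is renamed to "nearest ancestor select"; keeping the local name ancestorOptgroup is fine (it still tracks an optgroup), but every use of the old "option element nearest ancestor select" term must be updated, and the later disabled-list hunk now invokes the new term for optgroup as well as option, so the algorithm's prose should no longer assume the element is an option.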
@@ -65086,6 +65534,8 @@ interface HTMLDetailsElement : HTMLElement {
data-x="concept-element-accessibility-considerations">Accessibility considerations:
- For authors.
- For implementers.
+ - Safe sanitization:
+ - Included by default.
- DOM interface:
- Uses
HTMLElement.
@@ -68514,6 +68964,7 @@ not-slash = %x0000-002E / %x0030-10FFFF
- Global attributes
shadowrootmode
shadowrootdelegatesfocus
+ shadowrootslotassignment
shadowrootclonable
shadowrootserializable
shadowrootcustomelementregistry
@@ -68530,6 +68981,7 @@ interface HTMLTemplateElement : HTMLElement {
readonly attribute DocumentFragment content;
[CEReactions] attribute DOMString shadowRootMode;
[CEReactions, Reflect] attribute boolean shadowRootDelegatesFocus;
+ [CEReactions] attribute DOMString shadowRootSlotAssignment;
[CEReactions, Reflect] attribute boolean shadowRootClonable;
[CEReactions, Reflect] attribute boolean shadowRootSerializable;
[CEReactions, Reflect] attribute DOMString shadowRootCustomElementRegistry;
@@ -68573,6 +69025,32 @@ interface HTMLTemplateElement : HTMLElement {
data-x="attr-template-shadowrootdelegatesfocus">shadowrootdelegatesfocus content
attribute is a boolean attribute.
+ The shadowrootslotassignment content
+ attribute is an enumerated attribute with the following keywords and states:
+
+
+
+
+ Keyword
+ State
+ Brief description
+
+
+ named
+ Named
+ The declarative shadow root uses named slot assignment.
+
+ manual
+ Manual
+ The declarative shadow root uses manual slot assignment.
+
+
+ The shadowrootslotassignment
+ attribute's invalid value default and missing value default are both the Named state.
+
The shadowrootclonable content attribute is a
boolean attribute.
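Review bot: the shadowrootslotassignment content attribute and its Named and Manual states are defined here, but none of the hunks in this diff pass that state into the attach a shadow root call made when the parser creates a declarative shadow root; confirm that change is part of this patch. The Named missing value default and invalid value default match the default slotAssignment of attachShadow(), so omitting the attribute keeps current behaviour, which is worth saying in the prose.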
@@ -68738,6 +69216,14 @@ interface HTMLTemplateElement : HTMLElement {
attribute, limited to only known values.
+
+ The shadowRootSlotAssignment IDL attribute
+ must reflect the shadowrootslotassignment content attribute,
+ limited to only known values.
+
+
The shadowRootCustomElementRegistry IDL
attribute intentionally does not have a boolean type so it can be extended.
@@ -76417,37 +76903,37 @@ interface OffscreenCanvasRenderingContext2D {
255, 127, 0, 255
255, 127, 0, 255
Completely-opaque orange
-
+
rgba(255, 255, 0, 0.5)
127, 127, 0, 127
255, 255, 0, 127
Halfway-opaque yellow
-
+
Unrepresentable
255, 127, 0, 127
Unrepresentable
Additive halfway-opaque orange
-
+
Unrepresentable
255, 127, 0, 0
Unrepresentable
Additive fully-transparent orange
-
+
rgba(255, 127, 0, 0)
0, 0, 0, 0
255, 127, 0, 0
Fully-transparent ("invisible") orange
-
+
rgba(0, 127, 255, 0)
0, 0, 0, 0
255, 127, 0, 0
Fully-transparent ("invisible") turquoise
-
+
@@ -77411,13 +77897,12 @@ document.body.append(parent);
- A collection of lifecycle callbacks
- A map, whose keys are the strings "
connectedCallback", "disconnectedCallback", "adoptedCallback", "connectedMoveCallback", "attributeChangedCallback",
- "formAssociatedCallback", "formDisabledCallback",
- "formResetCallback", and "formStateRestoreCallback". The corresponding values are either a Web IDL Function callback function type value, or null. By default the value
- of each entry is null.
+ data-x="">disconnectedCallback", "connectedMoveCallback", "adoptedCallback", "attributeChangedCallback", "formAssociatedCallback", "formDisabledCallback", "formResetCallback", and "formStateRestoreCallback". The
+ corresponding values are either a Web IDL Function callback
+ function type value, or null. By default the value of each entry is null.
- A construction
stack
@@ -77697,9 +78182,9 @@ dictionary ElementDefinitionOptions {
Let lifecycleCallbacks be the ordered map «[ "connectedCallback" → null, "disconnectedCallback" →
- null, "adoptedCallback" → null, "connectedMoveCallback" → null, "attributeChangedCallback" → null ]».
+ null, "connectedMoveCallback" → null, "adoptedCallback" → null, "attributeChangedCallback" →
+ null ]».
-
For each callbackName of the keys of
@@ -79488,9 +79973,14 @@ contradict people?
- a
textarea element that is disabled
- - an
optgroup element that has a disabled attribute
+ - an
optgroup element that has a disabled attribute or whose nearest ancestor select is disabled
- - an
option element that is disabled
+ - an
option element that is disabled
+ or whose nearest ancestor
+ select is disabled
- a
fieldset element that is a disabled fieldset
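Review bot: adding "or whose nearest ancestor select is disabled" to the optgroup and option items changes what is actually disabled, and therefore which elements match the :disabled pseudo-class, which is defined in terms of actually disabled; options inside a disabled select will start matching :disabled. That is a reasonable outcome, but it is author-observable, so note it in the commit message and pair the change with the corresponding web-platform-tests update.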
@@ -84167,6 +84657,21 @@ END:VCARD
+
+ To set the initial visibility state of Document document to
+ visibilityState:
+
+
+ Set document's visibility state to
+ visibilityState.
+
+ Queue a new
+ VisibilityStateEntry whose visibility
+ state is document's visibility state and whose timestamp is 0.
+
+
+
The VisibilityStateEntry interface
The VisibilityStateEntry interface exposes visibility changes to the document,
@@ -85563,7 +86068,7 @@ dictionary CommandEventInit : EventInit {
- The tabIndex
+
The tabIndex
getter steps are:
@@ -85586,8 +86091,9 @@ dictionary CommandEventInit : EventInit {
Return 0 if this is an a, area,
button, frame, iframe, input,
object, select, textarea, or SVG
- a element, or is a summary element that is a summary for
- its parent details; otherwise −1.
+ a element, or MathML a element, or is a
+ summary element that is a summary for its parent details;
+ otherwise −1.
@@ -86441,7 +86947,7 @@ dictionary CommandEventInit : EventInit {
- The HTMLOrSVGElement The HTMLOrSVGOrMathMLElement focus(options) method steps are:
@@ -86463,7 +86969,7 @@ dictionary CommandEventInit : EventInit {
- The HTMLOrSVGElement The HTMLOrSVGOrMathMLElement blur() method steps are:
@@ -91567,7 +92073,7 @@ dictionary DragEventInit : MouseEventInit {
-
If the result of running check popover validity given element,
- true, and throwExceptions is false, then run cleanupSteps and
+ true, throwExceptions, and null is false, then run cleanupSteps and
return.
Check popover validity is called again because running
Let navigation be event's relevant global object's
navigation API.
+ Set navigation's ongoing navigate
+ event to null.
+
Signal abort on event's abort controller given
reason.
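Review bot: passing throwExceptions through instead of false changes the failure path: when throwExceptions is true, check popover validity throws rather than returning false, so cleanupSteps is no longer run on that path (the line only runs it when the result is false). If cleanup must also happen on exceptions, run cleanupSteps before re-checking, or catch, clean up and rethrow.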
@@ -100962,9 +101471,6 @@ const p2 = navigation.navigate(url2).finished;
0.
- Set navigation's ongoing navigate
- event to null.
-
If navigation's ongoing API method tracker is non-null, then
reject the finished promise for apiMethodTracker with
reason.
@@ -104053,6 +104559,9 @@ interface NotRestoredReasons {
Set navigable's parent to
parent.
+
+ Set the initial visibility state of documentState's document to
+ navigable's traversable navigable's system visibility state.
@@ -108145,25 +108654,31 @@ location.href = '#foo';
struct, where that makes sense. See the comment there.
-->
- - id
+ - id
- null or a navigation ID
- - navigable
+ - navigable
- the navigable experiencing the navigation
- - URL
+ - URL
- a URL
- - target snapshot sandboxing flags
+ - target snapshot sandboxing flags
- the target snapshot params's sandboxing flags present during navigation
- - source snapshot has transient activation
+ - source snapshot has transient activation
- a copy of the source snapshot params's has transient activation boolean present during
activation
- - initiator origin
+ - initiator origin
-
an origin possibly for use in a user-facing prompt to confirm the invocation of
an external software package
@@ -108175,12 +108690,14 @@ location.href = '#foo';
scheme URL.
- - navigation timing type
+ - navigation timing type
- a
NavigationTimingType used for creating the navigation timing entry for the new Document (if one is
created)
- - user involvement
+ - user involvement
- a user navigation involvement used when obtaining a browsing context for the new
Document (if one is created)
@@ -110130,16 +110647,20 @@ location.href = '#foo';
after other parts have finished. It is a struct with:
- - displayed document
+ - displayed document
- A
Document
- - target entry
+ - target entry
- A session history entry
- - navigable
+ - navigable
- A navigable
- - update only
+ - update only
- A boolean
@@ -110293,6 +110814,26 @@ location.href = '#foo';
Set navigable's current session
history entry to targetEntry.
+ -
+
Queue a global task on the navigation and
+ traversal task source of navigable's active
+ window to run these steps:
+
+
+ Let navigation be navigable's active
+ window's navigation API.
+
+ Set navigation's ongoing navigate event to null.
+
+ Set navigation's ongoing API method tracker to null.
+
+
+ This prevents the navigateerror
+ event and the corresponding signal from firing
+ as a result of a successful cross-document navigation.
+
+
Set the ongoing navigation for navigable to "traversal".
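Review bot: the queued task also nulls the ongoing API method tracker without settling its promises, but the explanatory note only mentions the navigateerror event and the abort signal; extend it to say why the tracker is cleared and what happens to its committed and finished promises (they are neither resolved nor rejected here), so implementers do not add a rejection on their own.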
@@ -110980,6 +111521,9 @@ location.href = '#foo';
entry to entry.
Make active newDocument.
+
+ Set the initial visibility state of newDocument to
+ navigable's traversable navigable's system visibility state.
@@ -111470,15 +112014,6 @@ location.href = '#foo';
WindowProxy's [[Window]] internal
slot value to window.
- Set document's visibility state to document's
- node navigable's traversable navigable's
- system visibility state.
-
- Queue a new
- VisibilityStateEntry whose visibility
- state is document's visibility state and whose timestamp is zero.
-
Set window's relevant settings object's execution ready flag.
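Review bot: this removes the one place where the visibility state and the initial VisibilityStateEntry were set at Window creation, so the two callers of the new "set the initial visibility state" algorithm (on navigable creation and after Make active newDocument) must together cover every path that reached the removed step; check the paths that create a Window without going through either of them, so that no Document loses its initial entry.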
@@ -112814,8 +113349,15 @@ new PaymentRequest(…); // Allowed to use
the normal Document rendering rules, or mutate document until it
represents the content the user agent wants to render.
- Act as if the user agent had stopped parsing
- document.
+ -
+
Act as if the user agent had stopped parsing
+ document.
+
+ This is done to avoid leaking information to the parent page about whether a
+ navigation has been blocked by CSP, or if the response was a network error. In the
+ case where the container is an iframe element, stopping
+ parsing causes the iframe load event steps to run.
+
Return document.
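Review bot: the new note gives the security rationale (not leaking to the parent whether the navigation was blocked by CSP or failed with a network error), but that only holds if both outcomes take the same observable steps; state explicitly that the iframe load event steps run regardless of which failure occurred, and at the same point as for a successful response, and link "iframe load event steps" to its definition.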
@@ -117012,7 +117554,8 @@ document.querySelector("button").addEventListener("click", bound);
script">JavaScript module scripts;
a Synthetic Module Record, for CSS module
- scripts and JSON module scripts;
+ scripts, JSON module scripts, and
+ text module scripts;
a WebAssembly Module Record, for WebAssembly module scripts; or
@@ -117122,6 +117665,15 @@ document.querySelector("button").addEventListener("click", bound);
-->
+ -
+
+
A module script is a text module script if its record is a Synthetic Module Record, and it
+ was created via the create a text module
+ script algorithm. Text module scripts represent textual data encoded as UTF-8.
+
+
+
-
A module script is a WebAssembly module script if
@@ -117131,11 +117683,11 @@ document.querySelector("button").addEventListener("click", bound);
-
As CSS style sheets and JSON documents do not import dependent modules, and do not
+
As CSS style sheets, JSON documents, and text do not import dependent modules, and do not
throw exceptions on evaluation, the fetch
options and base URL of CSS module scripts and JSON module
- scripts and are always null.
+ module script">CSS module scripts, JSON module
+ scripts, and text module scripts are always null.
The active script is determined by the following algorithm:
@@ -118071,6 +118623,10 @@ document.querySelector("button").addEventListener("click", bound);
Let sourceText be the result of UTF-8
decoding bodyBytes.
+ If moduleType is "text", then set
+ moduleScript to the result of creating a text module script given
+ sourceText and settingsObject.
+
If mimeType is a JavaScript MIME type and moduleType
is "javascript-or-wasm", then set moduleScript to the result of
creating a JavaScript module script given sourceText,
@@ -118423,6 +118979,32 @@ document.querySelector("button").addEventListener("click", bound);
+
+ To create a text module script, given a
+ string text and an environment settings object settings:
+
+
+ Let script be a new module script that this algorithm will
+ subsequently initialize.
+
+ Set script's settings
+ object to settings.
+
+ Set script's base URL and
+ fetch options to null.
+
+ Set script's parse error and
+ error to rethrow to null.
+
+ Let result be CreateTextModule(text).
+
+ Set script's record to
+ result.
+
+ Return script.
+
+
+
The module type from module request steps, given a ModuleRequest
Record moduleRequest, are as follows:
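Review bot: "Let result be CreateTextModule(text)." invokes an abstract operation with no reference to where it is defined, whereas every other step in the create a text module script algorithm links to a concept of this spec. Add the cross-reference to the document defining CreateTextModule, so a reader can confirm it returns a Synthetic Module Record, which the text module script definition earlier in this patch depends on.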
@@ -118461,7 +119043,8 @@ document.querySelector("button").addEventListener("click", bound);
If moduleType is not "javascript-or-wasm", "css", or "json", then return false.
+ data-x="">css", "json", or "text", then
+ return false.
If moduleType is "css" and the
CSSStyleSheet interface is not exposed in
@@ -118484,6 +119067,9 @@ document.querySelector("button").addEventListener("click", bound);
- If moduleType is "
css", then return "style".
+ - If moduleType is "
text", then return "text".
+
- Return defaultDestination.
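Review bot: confirm that "text" is a request destination defined by Fetch before this branch returns it; "style" in the preceding branch is an existing destination, and a destination value Fetch does not define leaves everything keyed on destination (the Sec-Fetch-Dest header value, for instance) without defined behaviour.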
@@ -124514,7 +125100,8 @@ document.body.appendChild(frame)
DOM parsing and serialization APIs
partial interface Element {
- [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html);
+ [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html, optional SetHTMLUnsafeOptions options = {});
+ [CEReactions] undefined setHTML(DOMString html, optional SetHTMLOptions options = {});
DOMString getHTML(optional GetHTMLOptions options = {});
[CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
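Review bot: setHTML takes a plain DOMString while setHTMLUnsafe on the line above accepts (TrustedHTML or DOMString). If the sanitized method is deliberately outside Trusted Types enforcement because its output is sanitized, that rationale should be stated where the method is introduced; a reader comparing the two signatures will otherwise take the missing TrustedHTML as an oversight.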
@@ -124523,12 +125110,21 @@ document.body.appendChild(frame)
};
partial interface ShadowRoot {
- [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html);
+ [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html, optional SetHTMLUnsafeOptions options = {});
+ [CEReactions] undefined setHTML(DOMString html, optional SetHTMLOptions options = {});
DOMString getHTML(optional GetHTMLOptions options = {});
[CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
};
+enum SanitizerPresets { "default" };
+dictionary SetHTMLOptions {
+ (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default";
+};
+dictionary SetHTMLUnsafeOptions {
+ (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {};
+};
+
dictionary GetHTMLOptions {
boolean serializableShadowRoots = false;
sequence<ShadowRoot> shadowRoots = [];
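Review bot: the two option dictionaries default differently, "default" for SetHTMLOptions and {} for SetHTMLUnsafeOptions, and nothing in the IDL says what an empty SanitizerConfig means. Since the prose later in this patch explains that an empty configuration allows everything when used with the unsafe methods, an IDL comment on the SetHTMLUnsafeOptions line to that effect would keep the two defaults from being misread as equivalent.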
@@ -124702,49 +125298,90 @@ enum DOMParserSupportedType {
- Unsafe HTML parsing methods
+ HTML parsing methods
- element.setHTMLUnsafe(html)
+ element.setHTMLUnsafe(html, options)
-
-
Parses html using the HTML parser, and replaces the children of element
- with the result. element provides context for the HTML parser.
+ Parses html using the HTML parser with options options, and replaces
+ the children of element with the result. element provides context for the
+ HTML parser. If the options dictionary contains a "sanitizer" member, it is used to
+ sanitize the parsed fragment before it is inserted into element.
- shadowRoot.setHTMLUnsafe(html)
+ shadowRoot.setHTMLUnsafe(html, options)
-
-
Parses html using the HTML parser, and replaces the children of
- shadowRoot with the result. shadowRoot's host provides context for the HTML parser.
+ Parses html using the HTML parser with options options, and replaces
+ the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser. If the
+ options dictionary contains a "sanitizer" member, it is used to
+ sanitize the parsed fragment before it is inserted into shadowRoot.
- doc = Document.parseHTMLUnsafe(html)
+ element.setHTML(html, options)
-
-
Parses html using the HTML parser, and returns the resulting
- Document.
+ Parses html using the HTML parser with options options, and replaces
+ the children of element with the result. element provides context for the
+ HTML parser. The parsed fragment is sanitized based on the
+ options's "sanitizer" member, and
+ unsafe content is removed.
+
+
+ shadowRoot.setHTML(html, options)
+
+ -
+
Parses html using the HTML parser with options options, and replaces
+ the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser. The
+ parsed fragment is sanitized based on the options's
+ "sanitizer" member, and unsafe content is removed.
+
+
+ doc = Document.parseHTMLUnsafe(html, options)
+
+ -
+
Parses html using the HTML parser with options options, and returns the
+ resulting Document.
Note that script elements are not evaluated during parsing, and the resulting
document's encoding will always be
UTF-8. The document's URL will be
- about:blank.
+ about:blank. If the options dictionary contains a "sanitizer" member, it is used to
+ sanitize the resulting DOM.
+
+
+ -
+
Parses html using the HTML parser with options options, and replaces
+ the children of the element or shadow root with the result.
+
+
+ doc = Document.parseHTML(html, options)
+ -
+
Parses html using the HTML parser with options options, and returns a
+ new Document containing the result. The resulting document is sanitized based on the options's "sanitizer" member, and unsafe content is removed.
- These methods perform no sanitization to remove potentially-dangerous elements
- and attributes like script or event handler content attributes.
+ The methods with an Unsafe suffix perform no
+ sanitization to remove potentially-dangerous elements and attributes like script or
+ event handler content attributes.
Element's setHTMLUnsafe(html) method steps
- are:
+ data-x="dom-Element-setHTMLUnsafe">setHTMLUnsafe(html, options)
+ method steps are:
Let compliantHTML be the result of invoking the DOMParserSupportedType {
Let target be this's template contents if
this is a template element; otherwise this.
- Unsafely set HTML given target, this, and
- compliantHTML.
+ Set and filter HTML given target, this,
+ compliantHTML, options, and false.
ShadowRoot's setHTMLUnsafe(html) method steps
- are:
+ data-x="dom-ShadowRoot-setHTMLUnsafe">setHTMLUnsafe(html,
+ options) method steps are:
Let compliantHTML be the result of invoking the DOMParserSupportedType {
object, html, "ShadowRoot setHTMLUnsafe", and "script".
- Unsafely set HTML given this, this's shadow host, and compliantHTML.
+ Set and filter HTML given this, this's shadow host, compliantHTML,
+ options, and false.
- To unsafely set HTML, given an Element or DocumentFragment
- target, an Element contextElement, and a string
- html:
+ Element's setHTML(html, options) method
+ steps are:
- Let newChildren be the result of the HTML fragment parsing
- algorithm given contextElement, html, and true.
+ Let target be this's template contents if
+ this is a template element; otherwise this.
- Let fragment be a new DocumentFragment whose node
- document is contextElement's node document.
+ Set and filter HTML given target, this,
+ html, options, and true.
+
+
- For each node in newChildren, append node to fragment.
+
+ ShadowRoot's setHTML(html, options) method
+ steps are:
- Replace all with fragment within
- target.
+
+ Set and filter HTML given this, this's shadow host, html, options,
+ and true.
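Review bot: the note "The methods with an Unsafe suffix perform no sanitization to remove potentially-dangerous elements and attributes" is no longer accurate, because the setHTMLUnsafe descriptions in this same hunk now say "If the options dictionary contains a "sanitizer" member, it is used to sanitize the parsed fragment". Reword it to say that the Unsafe methods perform no sanitization by default, or remove only what the supplied sanitizer configuration removes, so the contrast with the guarantee of the non-Unsafe methods stays correct. Separately, the entry beginning "Parses html using the HTML parser with options options, and replaces the children of the element or shadow root with the result." sits between parseHTMLUnsafe and parseHTML with no method name heading it; it reads like a leftover from an earlier draft and should be dropped or given its heading.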
@@ -124802,7 +125446,8 @@ enum DOMParserSupportedType {
The static parseHTMLUnsafe(html) method steps are:
+ data-x="dom-parseHTMLUnsafe">parseHTMLUnsafe(html, options)
+ method steps are:
Let compliantHTML be the result of invoking the DOMParserSupportedType {
Parse HTML from a string given document and
compliantHTML.
+ Let sanitizer be the result of calling get a sanitizer instance from
+ options with options and false.
+
+ Call sanitize on document with sanitizer and
+ false.
+
+ Return document.
+
+
+
+
+ The static parseHTML(html,
+ options) method steps are:
+
+
+ -
+
Let document be a new Document, whose content type is "text/html".
+
+ Since document does not have a browsing context, scripting
+ is disabled.
+
+
+ Set document's allow declarative shadow roots to
+ true.
+
+ Parse HTML from a string given document and
+ html.
+
+ Let sanitizer be the result of calling get a sanitizer instance from
+ options with options and true.
+
+ Call sanitize on document with sanitizer and
+ true.
+
Return document.
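Review bot: the helper is called "get a sanitizer instance from options" in both parseHTMLUnsafe and parseHTML here, but the set and filter HTML algorithm later in this patch invokes "getting a sanitizer from options given safe"; settle on one name so the definition links resolve. Also, parseHTML runs sanitize over a whole Document rather than a fragment, so the sanitize algorithm should spell out what happens to the html, head and body elements the parser always creates when the configuration does not allow them.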
@@ -124936,19 +125619,23 @@ enum DOMParserSupportedType {
The fragment parsing algorithm steps, given an Element
- context, a string markup, and an optional fragment parser scripting
- mode scriptingMode (default Inert),
- are:
+ context, a string markup, and an optional parser scripting mode
+ scriptingMode (default Inert), are:
- Let algorithm be the HTML fragment parsing algorithm.
+ Assert: scriptingMode is either Inert or Fragment.
+
+
Let newChildren be null.
If context's node document is an XML
- document, then set algorithm to the XML fragment parsing
- algorithm.
+ document, then set newChildren to the result of invoking the XML fragment
+ parsing algorithm given context and markup.
- Let newChildren be the result of invoking algorithm given
- context, markup, false, and scriptingMode.
+ Otherwise, set newChildren to the result of invoking the HTML fragment
+ parsing algorithm given context, markup, false, and
+ scriptingMode.
Let fragment be a new DocumentFragment whose node
document is context's node document.
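Review bot: the XML branch now invokes the XML fragment parsing algorithm with only context and markup, dropping scriptingMode, while the HTML branch passes it through. If the XML algorithm simply has no scripting-mode parameter, say so explicitly so a reader does not wonder whether scripts in XML fragments are inert; and the new Assert names a "Fragment" mode whose definition is not in this hunk, so the cross-reference for parser scripting mode should cover it.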
@@ -125381,6 +126068,2568 @@ interface XMLSerializer {
+ HTML sanitization
+
+ Introduction
+
+
+
+ Web applications often need to process untrusted HTML strings, such as when rendering
+ user-generated content or using client-side templates. Safely inserting these strings into the DOM
+ requires careful sanitization to prevent DOM-based cross-site scripting (XSS) attacks.
+
+ HTML sanitization provides a native mechanism for safely parsing and sanitizing HTML strings.
+ By using the user agent's own HTML parser, they ensure the sanitized output accurately reflects
+ how the browser will render the content, preventing script execution and mitigating advanced
+ attacks such as script
+ gadgets.
+
+ These APIs offer functionality to parse a string containing HTML into a DOM tree, and to filter
+ the resulting tree according to a user-supplied configuration. The methods come in two main
+ flavors: "safe" and "unsafe".
+
+ Safe and unsafe
+
+ The "safe" methods will not generate any markup that executes script. That is, they are
+ intended to be safe from XSS. The "unsafe" methods will parse and filter based on the provided
+ configuration, but do not have the same safety guarantees by default.
+
+ The Sanitizer interface
+
+ [Exposed=Window]
+interface Sanitizer {
+ constructor(optional (SanitizerConfig or SanitizerPresets) configuration = "default");
+
+ // Query configuration:
+ SanitizerConfig get();
+
+ // Modify a Sanitizer's lists and fields:
+ boolean allowElement(SanitizerElementWithAttributes element);
+ boolean removeElement(SanitizerElement element);
+ boolean replaceElementWithChildren(SanitizerElement element);
+ boolean allowProcessingInstruction(SanitizerPI pi);
+ boolean removeProcessingInstruction(SanitizerPI pi);
+ boolean allowAttribute(SanitizerAttribute attribute);
+ boolean removeAttribute(SanitizerAttribute attribute);
+ boolean setComments(boolean allow);
+ boolean setDataAttributes(boolean allow);
+
+ // Remove markup that executes script.
+ boolean removeUnsafe();
+};
+
+
+ config = sanitizer.get()
+ Returns a copy of the sanitizer's configuration.
+
+ sanitizer.allowElement(element)
+ Ensures that the sanitizer configuration allows the specified element.
+
+ sanitizer.removeElement(element)
+ Ensures that the sanitizer configuration blocks the specified element.
+
+ sanitizer.replaceElementWithChildren(element)
+ Configures the sanitizer to remove the specified element but keep its child
+ nodes.
+
+ sanitizer.allowAttribute(attribute)
+ Configures the sanitizer to allow the specified attribute globally.
+
+ sanitizer.removeAttribute(attribute)
+ Configures the sanitizer to block the specified attribute globally.
+
+ sanitizer.allowProcessingInstruction(pi)
+ Configures the sanitizer to allow the specified processing instruction.
+
+ sanitizer.removeProcessingInstruction(pi)
+ Configures the sanitizer to block the specified processing instruction.
+
+ sanitizer.setComments(allow)
+ Sets whether the sanitizer preserves comments.
+
+ sanitizer.setDataAttributes(allow)
+ Sets whether the sanitizer preserves custom data attributes (e.g., data-*).
+
+ sanitizer.removeUnsafe()
+ Modifies the configuration to automatically remove elements and attributes that are
+ considered unsafe.
+
+
+ A Sanitizer has an associated configuration (a
+ SanitizerConfig).
+
+
+ The new
+ Sanitizer(configuration) constructor steps are:
+
+
+ -
+
If configuration is a SanitizerPresets string, then:
+
+
+ Assert: configuration is "default".
+
+ Set configuration to the built-in safe default
+ configuration.
+
+
+
+ If set a configuration configuration with true and
+ this is false, then throw a TypeError.
+
+
+
+
+ To set a configuration, given a dictionary configuration,
+ a boolean allowCommentsPIsAndDataAttributes, and a Sanitizer
+ sanitizer:
+
+
+ Canonicalize the configuration configuration with
+ allowCommentsPIsAndDataAttributes.
+
+ If configuration is not valid,
+ then return false.
+
+ Set sanitizer's configuration to
+ configuration.
+
+ Return true.
+
+
+
+
+ To canonicalize the configuration SanitizerConfig
+ configuration with a boolean allowCommentsPIsAndDataAttributes:
+
+
+ -
+
For each member of configuration
+ that is a list of strings:
+
+
+ Replace each string in member with the result of canonicalizing it.
+
+
+
+ If neither configuration["elements"] nor configuration["removeElements"] exists, then set configuration["removeElements"] to an empty list.
+
+ If neither configuration["attributes"] nor configuration["removeAttributes"] exists, then set configuration["removeAttributes"] to an empty
+ list.
+
+ -
+
If neither configuration["processingInstructions"] nor
+ configuration["removeProcessingInstructions"]
+ exists, then:
+
+
+ If allowCommentsPIsAndDataAttributes is true, then set
+ configuration["removeProcessingInstructions"]
+ to an empty list.
+
+ Otherwise, set configuration["processingInstructions"] to an empty
+ list.
+
+
+
+
+ -
+
If configuration["elements"]
+ exists, then:
+
+
+ Let newElements be « ».
+
+ For each element of
+ configuration["elements"], append the result of canonicalizing element to newElements.
+
+ Set configuration["elements"] to newElements.
+
+
+
+
+ If configuration["removeElements"] exists, then set configuration["removeElements"] to the result of canonicalizing configuration["removeElements"].
+
+ If configuration["attributes"] exists, then set configuration["attributes"] to the result of canonicalizing configuration["attributes"].
+
+ If configuration["removeAttributes"] exists, then set configuration["removeAttributes"] to the result of canonicalizing configuration["removeAttributes"].
+
+ If configuration["replaceWithChildrenElements"]
+ exists, then set configuration["replaceWithChildrenElements"] to
+ the result of canonicalizing
+ configuration["replaceWithChildrenElements"].
+
+ If configuration["processingInstructions"] exists, then set configuration["processingInstructions"] to the result
+ of canonicalizing
+ configuration["processingInstructions"].
+
+ If configuration["removeProcessingInstructions"]
+ exists, then set configuration["removeProcessingInstructions"]
+ to the result of canonicalizing
+ configuration["removeProcessingInstructions"].
+
+ If configuration["comments"]
+ does not exist, then set it to
+ allowCommentsPIsAndDataAttributes.
+
+ If configuration["dataAttributes"] does not exist, then set it to allowCommentsPIsAndDataAttributes.
+
+
+
+
+ To canonicalize a sanitizer list list:
+
+
+ Let newList be « ».
+
+ For each item in list, append the result of canonicalizing item to newList.
+
+ Return newList.
+
+
+
+
+ To canonicalize a processing instruction list list:
+
+
+ Let newList be « ».
+
+ For each item in list, append the result of canonicalizing item to newList.
+
+ Return newList.
+
+
+
+
+ To canonicalize a processing instruction given a SanitizerPI
+ pi:
+
+
+ If pi is a DOMString, then return «[ "target" → pi ]».
+
+ Assert: pi is a dictionary and pi["target"] exists.
+
+ Return «[ "target" →
+ pi["target"]
+ ]».
+
+
+
+
+ To canonicalize a sanitizer name given a DOMString or dictionary name, and a default namespace
+ defaultNamespace (default null):
+
+
+ If name is a DOMString, then return «[
+ "name" → name, "namespace" → defaultNamespace ]».
+
+ Assert: name is a dictionary and both name["name"] and
+ name["namespace"] exist.
+
+ If name["namespace"] is the empty string, then set it to null.
+
+ Return «[ "name" → name["name"], "namespace" → name["namespace"]
+ ]».
+
+
+
+
+ To find the canonicalized intersection
+ of lists A and B:
+
+
+ Let setA be « ».
+
+ Let setB be « ».
+
+ For each entry of A, append the result of canonicalizing entry to setA.
+
+ For each entry of B, append the result of canonicalizing entry to setB.
+
+ Return the intersection of setA and
+ setB.
+
+
+
+
+ The get() method
+ steps are:
+
+ Outside of the get() method, the order of
+ the Sanitizer's elements and attributes is unobservable. By explicitly sorting the
+ result of this method, we give implementations the opportunity to optimize by, for example, using
+ unordered sets internally.
+
+
+ Let config be this's configuration.
+
+ Assert: config is valid.
+
+ If config["elements"] exists, then:
+
+
+ -
+
For any element of
+ config["elements"]:
+
+
+ If element["attributes"] exists, then set element["attributes"] to the
+ result of sort in ascending order element["attributes"], with
+ compare sanitizer items.
+
+ If element["removeAttributes"]
+ exists, then set element["removeAttributes"]
+ to the result of sort in ascending order
+ element["removeAttributes"],
+ with compare sanitizer items.
+
+
+
+ Set config["elements"] to
+ the result of sort in ascending order config["elements"], with compare sanitizer
+ items.
+
+
+
+ -
+
Otherwise:
+
+
+ Set config["removeElements"] to the result of sort in ascending order config["removeElements"], with compare
+ sanitizer items.
+
+
+
+ If config["replaceWithChildrenElements"]
+ exists, then set config["replaceWithChildrenElements"] to
+ the result of sort in ascending order config["replaceWithChildrenElements"],
+ with compare sanitizer items.
+
+ If config["processingInstructions"] exists, then set config["processingInstructions"] to the result
+ of sort in ascending order config["processingInstructions"], with
+ piA["target"] being
+ code unit less than piB["target"].
+
+ -
+
Otherwise:
+
+
+ Set config["removeProcessingInstructions"]
+ to the result of sorting config["removeProcessingInstructions"],
+ with piA["target"]
+ being code unit less than piB["target"].
+
+
+
+ If config["attributes"]
+ exists, then set config["attributes"] to the result of sorting config["attributes"] given compare sanitizer
+ items.
+
+ -
+
Otherwise:
+
+
+ Set config["removeAttributes"] to the result of sorting config["removeAttributes"] given compare
+ sanitizer items.
+
+
+
+ Return config.
+
+
+
+
+ The allowElement(element) method steps
+ are:
+
+
+ Let configuration be this's configuration.
+
+ Assert: configuration is valid.
+
+ Set element to the result of canonicalizing element.
+
+ If configuration["elements"]
+ exists, then:
+
+
+ Let modified be the result of removing
+ element from configuration["replaceWithChildrenElements"].
+
+ -
+
If configuration["attributes"] exists, then:
+
+
+ -
+
If element["attributes"] exists, then:
+
+
+ Set element["attributes"] to the
+ a new removing duplicates from element["attributes"].
+
+ Set element["attributes"] to the
+ difference of element["attributes"] and
+ configuration["attributes"].
+
+ If configuration["dataAttributes"] is true, then remove all items item from element["attributes"] where
+ item is a custom data attribute.
+
+
+
+ -
+
If element["removeAttributes"]
+ exists, then:
+
+
+ Set element["removeAttributes"]
+ to the result of removing duplicates from
+ element["removeAttributes"].
+
+ Set element["removeAttributes"]
+ to the intersection of
+ element["removeAttributes"]
+ and configuration["attributes"].
+
+
+
+
+
+ -
+
Otherwise:
+
+
+ If element["attributes"] exists, then:
+
+
+ Set element["attributes"] to the
+ result of removing duplicates from
+ element["attributes"].
+
+ Set element["attributes"] to the
+ difference of element["attributes"] and
+ element["removeAttributes"]
+ (or an empty list if it does not exist).
+
+ Remove element["removeAttributes"].
+
+ Set element["attributes"] to the
+ difference of element["attributes"] and
+ configuration["removeAttributes"].
+
+
+
+ -
+
If element["removeAttributes"]
+ exists, then:
+
+
+ Set element["removeAttributes"]
+ to the result of removing duplicates from
+ element["removeAttributes"].
+
+ Set element["removeAttributes"]
+ to the difference of element["removeAttributes"]
+ and configuration["removeAttributes"].
+
+
+
+
+
+ -
+
If configuration["elements"] does not contain element, then:
+
+
+ Append element to
+ configuration["elements"].
+
+ Return true.
+
+
+
+ Let current element be the item in configuration["elements"] whose name member is element's name member and whose namespace member is
+ element's namespace
+ member.
+
+ If element is equal to current element, then return
+ modified.
+
+ Remove element from
+ configuration["elements"].
+
+ Append element to
+ configuration["elements"].
+
+ Return true.
+
+
+
+ -
+
Otherwise:
+
+
+ If element["attributes"] exists or element["removeAttributes"]
+ (or an empty list if it does not exist) is not empty, then return false.
+
+ Let modified be the result of removing
+ element from configuration["replaceWithChildrenElements"].
+
+ If configuration["removeElements"] does not contain element, then return modified.
+
+ Remove element from
+ configuration["removeElements"].
+
+ Return true.
+
+
+
+
+
+
+ The removeElement(element) method steps
+ are to return the result of removing
+ element from this's configuration.
+
+
+
+ The replaceElementWithChildren(element)
+ method steps are:
+
+
+ Let configuration be this's configuration.
+
+ Assert: configuration is valid.
+
+ Set element to the result of canonicalizing element.
+
+ If the built-in non-replaceable elements list contains element, then return false.
+
+ Let modified be the result of removing
+ element from configuration["elements"].
+
+ If removing element from
+ configuration["removeElements"] is true, then set
+ modified to true.
+
+ If configuration["replaceWithChildrenElements"]
+ does not contains element, then:
+
+
+ Append element to
+ configuration["replaceWithChildrenElements"].
+
+ Return true.
+
+
+
+ Return modified.
+
+
+
+
+ The allowAttribute(attribute) method
+ steps are:
+
+
+ Let configuration be this's configuration.
+
+ Assert: configuration is valid.
+
+ Set attribute to the result of canonicalizing with attribute.
+
+ -
+
If configuration["attributes"] exists, then:
+
+
+ If configuration["dataAttributes"] is true and
+ attribute is a custom data attribute, then return false.
+
+ If configuration["attributes"] contains attribute, then return false.
+
+ -
+
If configuration["elements"] exists, then:
+
+
+ -
+
For each element in
+ configuration["elements"]:
+
+
+ If element["attributes"] (or an
+ empty list if it does not exist) contains
+ attribute, then remove attribute
+ from element["attributes"].
+
+
+
+
+
+ Append attribute to
+ configuration["attributes"].
+
+ Return true.
+
+
+
+ -
+
Otherwise:
+
+
+ If configuration["removeAttributes"] does not contain attribute, then return false.
+
+ Remove attribute from
+ configuration["removeAttributes"].
+
+ Return true.
+
+
+
+
+
+
+ The removeAttribute(attribute) method
+ steps are to return the result of remove
+ an attribute with attribute and this's
+ configuration.
+
+
+
+ The setComments(allow) method steps
+ are:
+
+
+ Let configuration be this's configuration.
+
+ Assert: configuration is valid.
+
+ If configuration["comments"]
+ exists and is equal to allow, then return
+ false.
+
+ Set configuration["comments"] to allow.
+
+ Return true.
+
+
+
+
+ The setDataAttributes(allow) method
+ steps are:
+
+
+ Let configuration be this's configuration.
+
+ Assert: configuration is valid.
+
+ If configuration["dataAttributes"] exists and is equal to allow, then return false.
+
+ -
+
If allow is false and configuration["attributes"] exists, then:
+
+
+ -
+
For each element in
+ configuration["elements"] (or an
+ empty list if it does not exist):
+
+
+ Remove all items item from
+ element["attributes"] (or an
+ empty list if it does not exist) where item is a custom data
+ attribute.
+
+
+
+ Remove all items item from
+ configuration["attributes"]
+ where item is a custom data attribute.
+
+
+
+ Set configuration["dataAttributes"] to allow.
+
+ Return true.
+
+
+
+
+ The allowProcessingInstruction(pi)
+ method steps are:
+
+
+ Let configuration be this's configuration.
+
+ Set pi to the result of canonicalizing pi.
+
+ -
+
If configuration["processingInstructions"] exists, then:
+
+
+ If configuration["processingInstructions"] contains pi, then return false.
+
+ Append pi to
+ configuration["processingInstructions"].
+
+ Return true.
+
+
+
+ -
+
Otherwise:
+
+
+ -
+
If configuration["removeProcessingInstructions"]
+ contains pi, then:
+
+
+ Remove pi from
+ configuration["removeProcessingInstructions"].
+
+ Return true.
+
+
+
+ Return false.
+
+
+
+
+
+
+ The removeProcessingInstruction(pi)
+ method steps are:
+
+
+ Let configuration be this's configuration.
+
+ Set pi to the result of canonicalizing pi.
+
+ -
+
If configuration["processingInstructions"] exists, then:
+
+
+ -
+
If configuration["processingInstructions"] contains pi, then:
+
+
+ Remove pi from
+ configuration["processingInstructions"].
+
+ Return true.
+
+
+
+ Return false.
+
+
+
+ -
+
Otherwise:
+
+
+ If configuration["removeProcessingInstructions"]
+ contains pi, then return false.
+
+ Append pi to
+ configuration["removeProcessingInstructions"].
+
+ Return true.
+
+
+
+
+
+
+ The removeUnsafe() method steps are to update
+ this's configuration with the result of remove unsafe from
+ this's configuration.
+
+
+ Sanitizer configuration
+
+ dictionary SanitizerElementNamespace {
+ required DOMString name;
+ DOMString? _namespace = "http://www.w3.org/1999/xhtml";
+};
+
+// Used by "elements"
+dictionary SanitizerElementNamespaceWithAttributes : SanitizerElementNamespace {
+ sequence<SanitizerAttribute> attributes;
+ sequence<SanitizerAttribute> removeAttributes;
+};
+
+dictionary SanitizerAttributeNamespace {
+ required DOMString name;
+ DOMString? _namespace = null;
+};
+
+dictionary SanitizerProcessingInstruction {
+ required DOMString target;
+};
+
+typedef (DOMString or SanitizerElementNamespace) SanitizerElement;
+typedef (DOMString or SanitizerElementNamespaceWithAttributes) SanitizerElementWithAttributes;
+typedef (DOMString or SanitizerProcessingInstruction) SanitizerPI;
+typedef (DOMString or SanitizerAttributeNamespace) SanitizerAttribute;
+
+dictionary SanitizerConfig {
+ sequence<SanitizerElementWithAttributes> elements;
+ sequence<SanitizerElement> removeElements;
+ sequence<SanitizerElement> replaceWithChildrenElements;
+
+ sequence<SanitizerProcessingInstruction> processingInstructions;
+ sequence<SanitizerProcessingInstruction> removeProcessingInstructions;
+
+ sequence<SanitizerAttribute> attributes;
+ sequence<SanitizerAttribute> removeAttributes;
+
+ boolean comments;
+ boolean dataAttributes;
+};
+
+ SanitizerElementNamespace, SanitizerAttributeNamespace,
+ SanitizerAttribute, and SanitizerProcessingInstruction dictionaries are
+ considered equal when all of their members are equal.
+
+ Equality should be defined in the infra spec instead. See issue #664.
+
+ Configuration invariants
+
+
+
+ Configurations can and ought to be modified by developers to suit their purposes. Options are
+ to write a new SanitizerConfig dictionary from scratch, to modify an existing
+ Sanitizer's configuration by using the modifier methods, or to get() an existing Sanitizer's
+ configuration as a dictionary and modify the dictionary and then create a new
+ Sanitizer with it.
+
+ An empty configuration allows everything (when called with the "unsafe" methods like setHTMLUnsafe()). A configuration "default" contains a built-in safe default
+ configuration. Note that "safe" and "unsafe" sanitizer methods have different defaults.
+
+ Not all configuration dictionaries are valid. A valid configuration avoids redundancy (like
+ specifying the same element to be allowed twice) and contradictions (like specifying an element to
+ be both removed and allowed.)
+
+ Several conditions need to hold for a configuration to be valid:
+
+
+ -
+
Mixing global allow- and remove-lists:
+
+
+ elements or removeElements can exist, but not both. If
+ both are missing, this is equivalent to removeElements being an empty list.
+
+ attributes or removeAttributes can exist, but not both.
+ If both are missing, this is equivalent to removeAttributes being an empty
+ list.
+
+ dataAttributes is conceptually
+ an extension of the attributes allow-list.
+ The dataAttributes member is only
+ allowed when an attributes list is
+ used.
+
+
+
+ -
+
Duplicate entries between different global lists:
+
+
+ There are no duplicate entries (i.e., no same elements) between elements, removeElements, or replaceWithChildrenElements.
+
+ There are no duplicate entries (i.e., no same attributes) between attributes or removeAttributes.
+
+
+
+ -
+
Mixing local allow- and remove-lists on the same element:
+
+
+ When an attributes list exists,
+ both, either or none of the attributes and removeAttributes
+ lists are allowed on the same element.
+
+ When a removeAttributes list
+ exists, either or none of the attributes and removeAttributes
+ lists are allowed on the same element, but not both.
+
+
+
+ -
+
Duplicate entries on the same element:
+
+
+ There are no duplicate entries between attributes and removeAttributes
+ on the same element.
+
+
+
+ No element from the built-in non-replaceable elements list appears in replaceWithChildrenElements,
+ since replacing these elements with their children could lead to re-parsing issues or invalid
+ node trees.
+
+
+ The elements element allow-list can also
+ specify allowing or removing attributes for a given element. This is meant to mirror this
+ standard's structure, which knows both global attributes as well as local attributes
+ that apply to a specific element. Global and local attributes can be mixed, but note that
+ ambiguous configurations where a particular attribute would be allowed by one list and forbidden
+ by another, are generally invalid.
+
+
+
+
+
+ global attributes
+ global removeAttributes
+
+
+
+
+ local attributes
+ An attribute is allowed if it matches either list. No duplicates are allowed.
+ An attribute is only allowed if it's in the local allow list. No duplicate entries between
+ global remove and local allow lists are allowed. Note that the global remove list has no
+ function for this particular element, but can apply to other elements that do not have a
+ local allow list.
+
+
+ local removeAttributes
+ An attribute is allowed if it's in the global allow-list, but not in the local remove-list.
+ Local remove has to be a subset of the global allow lists.
+ An attribute is allowed if it is in neither list. No duplicate entries between global
+ remove and local remove lists are allowed.
+
+
+
+
+ Please note the asymmetry where mostly no duplicates between global and per-element lists are
+ permitted, but in the case of a global allow-list and a per-element remove-list the latter has to
+ be a subset of the former. An excerpt of the table above, only focusing on duplicates, is as
+ follows:
+
+
+
+
+
+ global attributes
+ global removeAttributes
+
+
+
+
+ local attributes
+ No duplicates are allowed.
+ No duplicates are allowed.
+
+
+ local removeAttributes
+ Local remove has to be a subset of the global allow lists.
+ No duplicates are allowed.
+
+
+
+
+ The dataAttributes setting allows
+ custom data attributes. The rules above easily extends
+ to custom data attributes if one considers dataAttributes to be an allow-list:
+
+
+
+
+
+ global attributes and dataAttributes set
+
+
+
+
+ local attributes
+ All custom data attributes are allowed. No
+ custom data attributes can be listed in any
+ allow-list, as that would mean a duplicate entry.
+
+
+ local removeAttributes
+ A custom data attribute is allowed, unless it's
+ listed in the local remove-list. No custom data
+ attribute can be listed in the global allow-list, as that would mean a duplicate
+ entry.
+
+
+
+
+ Putting these rules in words:
+
+
+ -
+
Duplicates and interactions between global and local lists:
+
+
+ -
+
If a global attributes allow list
+ exists, then all element's local lists:
+
+
+ If a local attributes allow list
+ exists, there can be no duplicate entries between these lists.
+
+ If a local removeAttributes
+ remove list exists, then all its entries also need to be listed in the global attributes allow list.
+
+ If dataAttributes is true,
+ then no custom data attributes can be listed in
+ any of the allow-lists.
+
+
+
+ -
+
If a global removeAttributes
+ remove list exists, then:
+
+
+ If a local attributes allow list
+ exists, there can be no duplicate entries between these lists.
+
+ If a local removeAttributes
+ remove list exists, there can be no duplicate entries between these lists.
+
+ Not both a local attributes allow list
+ and local removeAttributes
+ remove list exists.
+
+ dataAttributes has to be
+ false.
+
+
+
+
+
+
+
+
+ Sanitization algorithms
+
+
+ To set and filter HTML, given an Element or
+ DocumentFragment target, an Element
+ contextElement, a string html, a dictionary options,
+ and a boolean safe:
+
+
+ -
+
If all of the following are true:
+
+
+ safe is true;
+
+ contextElement's local name
+ is "script"; and
+
+ contextElement's namespace is
+ the HTML namespace or the SVG namespace,
+
+
+ then return.
+
+
+ Let sanitizer be the result of calling getting a sanitizer from options given safe.
+
+ Let newChildren be the result of parsing a fragment given contextElement, html, and
+ true.
+
+ Let fragment be a new DocumentFragment whose node
+ document is contextElement's node document.
+
+ For each node in newChildren,
+ append node to fragment.
+
+ Sanitize fragment given sanitizer and
+ safe.
+
+ Replace all with fragment within
+ target.
+
+
+
+
+ To get a sanitizer instance from options from a dictionary options with a
+ boolean safe:
+
+
+ Let sanitizerSpec be "default".
+
+ If options["sanitizer"]
+ exists, then set sanitizerSpec to
+ options["sanitizer"].
+
+ Assert: sanitizerSpec is either a Sanitizer instance,
+ a SanitizerPresets member, or a SanitizerConfig dictionary.
+
+ -
+
If sanitizerSpec is a string, then:
+
+
+ Assert: sanitizerSpec is "default".
+
+ Set sanitizerSpec to the built-in safe default
+ configuration.
+
+
+
+ -
+
If sanitizerSpec is a dictionary, then:
+
+
+ Let sanitizer be a new Sanitizer object.
+
+ Let inverseSafe be true if safe is false; false
+ otherwise.
+
+ If the result of running set a configuration given
+ sanitizerSpec, inverseSafe, and sanitizer is false, then throw
+ a TypeError.
+
+ Set sanitizerSpec to sanitizer.
+
+
+
+ Return sanitizerSpec.
+
+
+
+
+ To sanitize a node node with a Sanitizer
+ sanitizer and a boolean safe:
+
+
+ Let configuration be sanitizer's
+ configuration.
+
+ Assert: configuration is valid.
+
+ If safe is true, then set configuration to the result of calling
+ remove unsafe on configuration.
+
+ Sanitize node given
+ configuration and safe.
+
+
+
+
+ To perform the inner sanitize steps on a Node node, given a
+ SanitizerConfig configuration, and a boolean
+ handleJavascriptNavigationUrls:
+
+
+ -
+
For each child of node's children:
+
+
+ Assert: child is a Text, Comment,
+ Element, ProcessingInstruction, or DocumentType
+ node.
+
+ If child is a DocumentType node, then
+ continue.
+
+ If child is a Text node, then continue.
+
+ -
+
If child is a Comment node, then:
+
+
+ If configuration["comments"] is not true, then remove child.
+
+
+
+ -
+
If child is a ProcessingInstruction node, then:
+
+
+ Let piTarget be child's target.
+
+ -
+
If configuration["processingInstructions"] exists, then:
+
+
+ If configuration["processingInstructions"] does
+ not contain piTarget, then remove child.
+
+
+
+ -
+
Otherwise:
+
+
+ If configuration["removeProcessingInstructions"]
+ contains piTarget, then remove child.
+
+
+
+
+
+ -
+
Otherwise:
+
+
+ Let elementName be a SanitizerElementNamespace with
+ child's local name and namespace.
+
+ If configuration["replaceWithChildrenElements"]
+ exists and configuration["replaceWithChildrenElements"]
+ contains elementName, then:
+
+
+ Assert: node is not a Document.
+
+ Sanitize child given
+ configuration and handleJavascriptNavigationUrls.
+
+ Let fragment be a new DocumentFragment whose node
+ document is node's node document.
+
+ For each innerChild of
+ child's children, append innerChild to
+ fragment.
+
+ Replace child with
+ fragment within node. Assert that this did not
+ throw.
+
+ Continue.
+
+
+
+ -
+
If configuration["elements"] exists, then:
+
+
+ If configuration["elements"] does not contain elementName, then remove child and continue.
+
+
+
+ -
+
Otherwise:
+
+
+ If configuration["removeElements"] contains elementName, then remove child and continue.
+
+
+
+ If elementName is a template element in the HTML
+ namespace, then sanitize child's
+ template contents given configuration and
+ handleJavascriptNavigationUrls.
+
+ If child is a shadow host, then sanitize child's shadow root given
+ configuration and handleJavascriptNavigationUrls.
+
+ Let elementWithLocalAttributes be null.
+
+ If configuration["elements"] exists and configuration["elements"] contains elementName, then set
+ elementWithLocalAttributes to configuration["elements"][elementName].
+
+ -
+
For each attribute in child's
+ attribute list:
+
+
+ Let attrName be a SanitizerAttributeNamespace with
+ attribute's local name and
+ namespace.
+
+ If elementWithLocalAttributes["removeAttributes"]
+ exists and elementWithLocalAttributes["removeAttributes"]
+ contains attrName, then remove an attribute
+ attribute.
+
+ -
+
Otherwise, if configuration["attributes"] exists, then:
+
+
+ If configuration["attributes"] does not contain attrName and
+ elementWithLocalAttributes["attributes"] does
+ not contain attrName, and if "data-" is not a prefix of attribute's local name or attribute's namespace is not null or
+ configuration["dataAttributes"] is not true, then
+ remove an attribute
+ attribute.
+
+
+
+ -
+
Otherwise:
+
+
+ If elementWithLocalAttributes["attributes"] exists and elementWithLocalAttributes["attributes"] does
+ not contain attrName, then remove attribute
+ from configuration.
+
+ Otherwise, if configuration["removeAttributes"] contains attrName, then remove attribute from
+ configuration.
+
+
+
+ -
+
If handleJavascriptNavigationUrls is true, then:
+
+
+ If the pair (elementName, attrName) matches an entry in the
+ built-in navigating URL attributes list, and if attribute
+ contains a javascript: URL, then remove an attribute
+ attribute.
+
+ If child's namespace is
+ the MathML Namespace, attribute's local name is "href",
+ and attribute's namespace is
+ null or the XLink namespace, and attribute contains a
+ javascript: URL, then remove an attribute attribute.
+
+ If the built-in animating URL attributes list contains the pair (elementName, attrName), and
+ attribute's value is "href" or "xlink:href", then remove attribute from
+ configuration.
+
+
+
+
+
+ Sanitize child given
+ configuration and handleJavascriptNavigationUrls.
+
+
+
+
+
+
+
+
+ To determine whether an attribute attribute contains a javascript:
+ URL:
+
+
+ Let url be the result of running the basic URL parser on
+ attribute's value.
+
+ If url is failure, then return false.
+
+ Return true if url's scheme is "javascript", and false otherwise.
+
+
+
+
+ To remove an element
+ element from a SanitizerConfig configuration:
+
+
+ Assert: configuration is valid.
+
+ Set element to the result of canonicalizing element.
+
+ Let modified be the result of removing
+ element from configuration["replaceWithChildrenElements"].
+
+ -
+
If configuration["elements"]
+ exists, then:
+
+
+ -
+
If configuration["elements"] contains element, then:
+
+
+ Remove element from
+ configuration["elements"].
+
+ Return true.
+
+
+
+ Return modified.
+
+
+
+ -
+
Otherwise:
+
+
+ If configuration["removeElements"] contains element, then return modified.
+
+ Add element to
+ configuration["removeElements"].
+
+ Return true.
+
+
+
+
+
+
+ To remove an attribute
+ attribute from a SanitizerConfig configuration:
+
+
+ Assert: configuration is valid.
+
+ Set attribute to the result of canonicalizing with attribute.
+
+ -
+
If configuration["attributes"] exists, then:
+
+
+ Let modified be the result of removing
+ attribute from configuration["attributes"].
+
+ -
+
If configuration["elements"] exists, then:
+
+
+ -
+
For each element of
+ configuration["elements"]:
+
+
+ -
+
If element["attributes"] (or an
+ empty list if it does not exist) contains
+ attribute, then:
+
+
+ Set modified to true.
+
+ Remove attribute from
+ element["attributes"].
+
+
+
+ -
+
If element["removeAttributes"]
+ (or an empty list if it does not exist) contains
+ attribute, then:
+
+
+ Assert: modified is true.
+
+ Remove attribute from
+ element["removeAttributes"].
+
+
+
+
+
+
+
+ Return modified.
+
+
+
+ -
+
Otherwise:
+
+
+ If configuration["removeAttributes"] contains attribute, then return false.
+
+ -
+
If configuration["elements"] exists, then:
+
+
+ -
+
For each element in
+ configuration["elements"]:
+
+
+ If element["attributes"] (or an
+ empty list if it does not exist) contains
+ attribute, then remove attribute
+ from element["attributes"].
+
+ If element["removeAttributes"]
+ (or an empty list if it does not exist) contains
+ attribute, then remove attribute
+ from element["removeAttributes"].
+
+
+
+
+
+ Add attribute to
+ configuration["removeAttributes"].
+
+ Return true.
+
+
+
+
+
+
+ To remove unsafe from a SanitizerConfig configuration:
+
+
+ Assert: configuration is valid.
+
+ Let result be false.
+
+ -
+
For each element in built-in safe
+ baseline configuration["removeElements"]:
+
+
+ If removing
+ element from configuration is true, then set result to
+ true.
+
+
+
+ -
+
For each attribute in built-in safe
+ baseline configuration["removeAttributes"]:
+
+
+ If removing
+ attribute from configuration returned true, then set result to
+ true.
+
+
+
+ -
+
For each attribute that is an event handler content attribute:
+
+
+ If removing
+ attribute from configuration returned true, then set result to
+ true.
+
+
+
+ Return result.
+
+
+
+
+ To compare sanitizer items itemA and itemB:
+
+
+ Let namespaceA be itemA["_namespace"].
+
+ Let namespaceB be itemB["_namespace"].
+
+ -
+
If namespaceA is null, then:
+
+
+ If namespaceB is not null, then return true.
+
+
+
+ -
+
Otherwise:
+
+
+ If namespaceB member is null, then return false.
+
+ If namespaceA is code unit less than namespaceB, then
+ return true.
+
+ If namespaceA is not namespaceB, then return false.
+
+
+
+ If itemA["name"] is
+ code unit less than itemB["name"], then return true.
+
+ Return false.
+
+
+
+
+ To canonicalize a
+ SanitizerElementWithAttributes element:
+
+
+ Let result be the result of canonicalizing element.
+
+ -
+
If element is a dictionary, then:
+
+
+ If element["attributes"] exists, then set result["attributes"] to the
+ result of canonicalizing
+ element["attributes"].
+
+ If element["removeAttributes"]
+ exists, then set result["removeAttributes"]
+ to the result of canonicalizing
+ element["removeAttributes"].
+
+
+
+ If neither result["attributes"] nor
+ result["removeAttributes"]
+ exists, then set result["removeAttributes"]
+ to an empty list.
+
+ Return result.
+
+
+
+
+ To determine whether a canonical SanitizerConfig config is valid:
+
+ It's expected that the configuration being passing in has previously been run
+ through the canonicalize the configuration steps. We will simply assert conditions
+ that that algorithm is guaranteed to hold.
+
+
+ Assert: config["elements"] exists
+ or config["removeElements"]
+ exists.
+
+ If config["elements"] exists and config["removeElements"] exists, then return false.
+
+ Assert: Either config["processingInstructions"] exists or config["removeProcessingInstructions"]
+ exists.
+
+ If config["processingInstructions"] exists and config["removeProcessingInstructions"]
+ exists, then return false.
+
+ Assert: Either config["attributes"] exists or config["removeAttributes"] exists.
+
+ If config["attributes"]
+ exists and config["removeAttributes"] exists, then return false.
+
+ Assert: All SanitizerElementNamespaceWithAttributes,
+ SanitizerElementNamespace, SanitizerProcessingInstruction, and
+ SanitizerAttributeNamespace items in config are canonical, meaning they
+ have been run through canonicalizing, as
+ appropriate.
+
+ -
+
If config["elements"] exists:
+
+
+ If config["elements"]
+ has duplicates, then return false.
+
+
+
+ -
+
Otherwise:
+
+
+ If config["removeElements"] has duplicates, then return false.
+
+
+
+ If config["replaceWithChildrenElements"]
+ exists and has
+ duplicates, then return false.
+
+ -
+
If config["processingInstructions"] exists:
+
+
+ If config["processingInstructions"] has duplicate targets, then return false.
+
+
+
+ -
+
Otherwise:
+
+
+ If config["removeProcessingInstructions"]
+ has duplicates, then return false.
+
+
+
+ -
+
If config["attributes"]
+ exists:
+
+
+ If config["attributes"]
+ has duplicates, then return false.
+
+
+
+ -
+
Otherwise:
+
+
+ If config["removeAttributes"] has duplicates, then return false.
+
+
+
+ -
+
If config["replaceWithChildrenElements"]
+ exists:
+
+
+ -
+
For each element of
+ config["replaceWithChildrenElements"]:
+
+
+ If the built-in non-replaceable elements list contains element, then return false.
+
+
+
+ -
+
If config["elements"]
+ exists:
+
+
+ If the intersection of
+ config["elements"] and
+ config["replaceWithChildrenElements"]
+ is not empty, then return false.
+
+
+
+ -
+
Otherwise:
+
+
+ If the intersection of
+ config["removeElements"]
+ and config["replaceWithChildrenElements"]
+ is not empty, then return false.
+
+
+
+
+
+ -
+
If config["attributes"]
+ exists:
+
+
+ Assert: config["dataAttributes"] exists.
+
+ -
+
If config["elements"]
+ exists:
+
+
+ -
+
For each element of
+ config["elements"]:
+
+
+ If element["attributes"] exists and element["attributes"] has duplicates, then return false.
+
+ If element["removeAttributes"]
+ exists and element["removeAttributes"]
+ has duplicates, then return false.
+
+ If the intersection of
+ config["attributes"] and
+ element["attributes"] (or an
+ empty list if it does not exist) is not empty, then return false.
+
+ If element["removeAttributes"]
+ (or an empty list if it does not exist) is not a subset of
+ config["attributes"], then
+ return false.
+
+ If config["dataAttributes"] is true and
+ element["attributes"]
+ contains a custom data attribute, then return false.
+
+
+
+
+
+ If config["dataAttributes"] is true and
+ config["attributes"] contains a
+ custom data attribute, then return false.
+
+
+
+ -
+
Otherwise:
+
+
+ -
+
If config["elements"]
+ exists:
+
+
+ -
+
For each element of
+ config["elements"]:
+
+
+ If element["attributes"] exists and element["removeAttributes"]
+ exists, then return false.
+
+ If element["attributes"] exists and element["attributes"] has duplicates, then return false.
+
+ If element["removeAttributes"]
+ exists and element["removeAttributes"]
+ has duplicates, then return false.
+
+ If the intersection of
+ config["removeAttributes"] and
+ element["attributes"] (or an
+ empty list if it does not exist) is not empty, then return false.
+
+ If the intersection of
+ config["removeAttributes"] and
+ element["removeAttributes"]
+ (or an empty list if it does not exist) is not empty, then return false.
+
+
+
+
+
+ Assert: config["dataAttributes"] exists.
+
+
+
+ Return true.
+
+
+
+ Sanitization constants
+
+ When specified, the safe sanitization criteria
+ for each element defines whether the element is removed or
+ included by default when performing safe
+ sanitization. When unspecified, the element is not included by default, but can still be added by
+ a SanitizerConfig
+
+ The built-in safe baseline configuration is a SanitizerConfig. Its
+ removeElements list consists of all HTML
+ elements normatively marked as Removed within their
+ individual definitions, along with the script and use
+ SVG elements. Its removeAttributes list
+ corresponds to the event handler content attributes listed in this table.
+
+ The built-in safe default configuration is a SanitizerConfig. Its elements list consists of all HTML elements
+ normatively marked as included by default
+ within their individual definitions, alongside the MathML and SVG elements listed in the table
+ below:
+
+
+
+
+ Element
+ Namespace
+ Allowed Attributes
+
+
+ math
+ MathML
+
+
+ merror
+ MathML
+
+
+ mfrac
+ MathML
+
+
+ mi
+ MathML
+
+
+ mmultiscripts
+ MathML
+
+
+ mn
+ MathML
+
+
+ mo
+ MathML
+ fence, form, largeop, lspace, maxsize, minsize, movablelimits, rspace, separator, stretchy, symmetric
+
+ mover
+ MathML
+ accent
+
+ mpadded
+ MathML
+ depth, height, lspace, voffset, width
+
+ mphantom
+ MathML
+
+
+ mprescripts
+ MathML
+
+
+ mroot
+ MathML
+
+
+ mrow
+ MathML
+
+
+ ms
+ MathML
+
+
+ mspace
+ MathML
+ depth, height, width
+
+ msqrt
+ MathML
+
+
+ mstyle
+ MathML
+
+
+ msub
+ MathML
+
+
+ msubsup
+ MathML
+
+
+ msup
+ MathML
+
+
+ mtable
+ MathML
+
+
+ mtd
+ MathML
+ columnspan, rowspan
+
+ mtext
+ MathML
+
+
+ mtr
+ MathML
+
+
+ munder
+ MathML
+ accentunder
+
+ munderover
+ MathML
+ accent, accentunder
+
+ semantics
+ MathML
+
+
+ a
+ SVG
+ href, hreflang, type
+
+ circle
+ SVG
+ cx, cy, pathLength, r
+
+ defs
+ SVG
+
+ desc
+ SVG
+
+ ellipse
+ SVG
+ cx, cy, pathLength, rx, ry
+
+ foreignObject
+ SVG
+ height, width, x, y
+
+ g
+ SVG
+
+ line
+ SVG
+ pathLength, x1, x2, y1, y2
+
+ marker
+ SVG
+ markerHeight, markerUnits, markerWidth, orient, preserveAspectRatio, refX, refY, viewBox
+
+ metadata
+ SVG
+
+ path
+ SVG
+ d, pathLength
+
+ polygon
+ SVG
+ pathLength, points
+
+ polyline
+ SVG
+ pathLength, points
+
+ rect
+ SVG
+ height, pathLength, rx, ry, width, x, y
+
+ svg
+ SVG
+ height, preserveAspectRatio, viewBox, width, x, y
+
+ text
+ SVG
+ dx, dy, lengthAdjust, rotate, textLength, x, y
+
+ textPath
+ SVG
+ lengthAdjust, method, path, side, spacing, startOffset, textLength
+
+ title
+ SVG
+
+ tspan
+ SVG
+ dx, dy, lengthAdjust, rotate, textLength, x, y
+
+
+ The built-in navigating URL attributes list corresponds to all HTML elements marked
+ with Navigating URL attributes in their normative definitions, as well as elements
+ corresponding to the following table:
+
+
+
+
+ Element
+ Element Namespace
+ Attribute
+ Attribute Namespace
+
+
+ a
+ SVG
+ href
+
+ a
+ SVG
+ href
+ xlink
+
+
+ The built-in animating URL attributes list corrsponds to the following table:
+
+
+
+
+ Element
+ Element Namespace
+ Attribute
+
+
+ animate
+ SVG
+ attributeName
+
+ animateTransform
+ SVG
+ attributeName
+
+ set
+ SVG
+ attributeName
+
+
+ The built-in non-replaceable elements list contains elements that must not be
+ replaced with their children, as doing so can lead to re-parsing issues or an invalid node tree.
+ It is the following list of SanitizerElementNamespace dictionaries:
+
+
+
+
+ Element
+ Element Namespace
+
+
+ html
+ HTML
+
+ svg
+ SVG
+
+ math
+ MathML
+
+
+
+ Security considerations
+
+
+
+ The Sanitizer API is intended to prevent DOM-based cross-site scripting by traversing a
+ supplied HTML content and removing elements and attributes according to a configuration. The
+ specified API is designed to not support the construction of a Sanitizer object that leaves
+ script-capable markup in and doing so would be a bug in the threat model. That being said, there
+ are security issues which the correct usage of the Sanitizer API will not be able to protect
+ against and the scenarios will be laid out in the following sections.
+
+ Server-side reflected and stored XSS
+
+
+
+ The Sanitizer API operates solely in the DOM and adds a capability to traverse and filter an
+ existing DocumentFragment. The Sanitizer does not address server-side reflected or
+ stored XSS
.
+
+ DOM clobbering
+
+
+
+ DOM clobbering describes an attack in which malicious HTML confuses an application by naming
+ elements through id or name
+ attributes such that properties like children of an HTML element in the DOM are overshadowed by
+ the malicious content. The Sanitizer API does not protect DOM clobbering attacks in its default
+ state, but can be configured to remove id and name attributes.
+
+ XSS with script gadgets
+
+ Script gadgets are a technique in which an attacker uses existing application code from popular
+ JavaScript libraries to cause their own code to execute. This is often done by injecting
+ innocent-looking code or seemingly inert DOM nodes that is only parsed and interpreted by a
+ framework which then performs the execution of JavaScript based on that input.
+
+ The Sanitizer API can not prevent these attacks, but requires page authors to explicitly allow
+ unknown elements in general, and authors required to additionally explicitly configure unknown
+ attributes and elements and markup that is known to be widely used for templating and
+ framework-specific code, like data-* and slot attributes and elements like slot and
+ template. These restrictions are not exhaustive and encourage page authors to examine
+ their third party libraries for this behavior.
+
+ Mutation XSS
+
+ Mutation XSS or mXSS describes an attack that exploits cases where the parsed DOM structure is
+ not the same after serializing and parsing again, to bypass sanitization that happens before
+ serialization. An example for carrying out such an attack is by when inserted into a different
+ parent element. An example for carrying out such an attack is by relying on the change of parsing
+ behavior for foreign content or mis-nested tags. The Sanitizer API offers only functions that turn
+ a string into a node tree. The context is supplied implicitly by all sanitizer functions: setHTML() uses the current element; Document.parseHTML() creates a new document. Therefore Sanitizer API
+ is not directly affected by mutation XSS. If a developer were to retrieve a sanitized node tree as
+ a string, e.g. via .innerHTML, and to then parse it again then mutation XSS can occur. This
+ practice is strongly discouraged. If processing or passing of HTML as a string is necessary after
+ all, then any string is considered untrusted and re-sanitized when inserted into the DOM. In other
+ words, a sanitized and then serialized HTML tree can no longer be considered as sanitized. A more
+ complete treatment of mXSS can be found in MXSS.
+
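Review bot: the inner sanitize steps invoke the wrong removal algorithm in three places, which would mutate the configuration instead of the element. In the per-attribute loop, the branch "If elementWithLocalAttributes["attributes"] exists and elementWithLocalAttributes["attributes"] does not contain attrName, then remove attribute from configuration", the following "Otherwise, if configuration["removeAttributes"] contains attrName, then remove attribute from configuration", and the animating-URL check "attribute's value is "href" or "xlink:href", then remove attribute from configuration" all name the "remove an attribute ... from a SanitizerConfig" algorithm defined later in this hunk, whereas the neighbouring steps with the same purpose say "remove an attribute attribute" (DOM removal). Editing configuration mid-traversal would change what later siblings are filtered against and, for the global removeAttributes case, could add entries while the loop over child's attribute list is still running; all three should read "remove an attribute attribute". Smaller points in the same hunk: "getting a sanitizer from options" in set and filter HTML does not match the algorithm name "get a sanitizer instance from options"; the Mutation XSS paragraph carries a truncated sentence ("An example for carrying out such an attack is by when inserted into a different parent element.") immediately followed by the complete version of it; "elementWithLocalAttributes["removeAttributes"] exists" is evaluated when elementWithLocalAttributes may be null; and there are typos in "corrsponds", "namespaceB member is null", "being passing in", and "The rules above easily extends".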
Timers
The setTimeout() and StorageEventInit : EventInit {
data-x="dom-Range-createContextualFragment">createContextualFragment().
-
A fragment parser scripting mode is either Inert or Fragment.
-
The frameset-ok flag is set to "ok" when the parser is created. It is set to "not
ok" after certain tokens are seen.
@@ -141417,6 +144662,13 @@ document.body.appendChild(text);
Let mode be templateStartTag's shadowrootmode attribute's value.
+ Let slotAssignment be "named".
+
+ If templateStartTag's shadowrootslotassignment attribute is
+ in the Manual state, then
+ set slotAssignment to "manual".
+
Let clonable be true if templateStartTag has a shadowrootclonable attribute; otherwise
false.
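Review bot: the new step only recognises the Manual state and otherwise leaves slotAssignment at "named", so this is well defined only if the shadowrootslotassignment enumerated attribute has the named state as both its missing value default and its invalid value default; that attribute definition is not part of this hunk, and the index entry added further down lists only the keywords "named" and "manual", so please confirm the definition exists and says so. The serialization hunk later in this patch emits shadowrootslotassignment="manual" only for the manual case, so the round trip also depends on that default.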
@@ -141445,7 +144697,7 @@ document.body.appendChild(text);
-
Attach a shadow root with
declarativeShadowHostElement, mode, clonable,
- serializable, delegatesFocus, "named", and
+ serializable, delegatesFocus, slotAssignment, and
registry.
If an exception is thrown, then catch it and:
@@ -145237,6 +148489,10 @@ document.body.appendChild(text);
If shadow's serializable is set, then append
" shadowrootserializable=""".
+ If shadow's slot assignment is "manual", then append " shadowrootslotassignment="manual"".
+
If shadow's clonable is set, then append
" shadowrootclonable=""".
@@ -145609,7 +148865,7 @@ console.assert(container.firstChild instanceof SuperP);
The HTML fragment parsing algorithm, given an Element node context, string input, an
optional boolean allowDeclarativeShadowRoots (default false), and an optional
- fragment parser scripting mode scriptingMode (default parser scripting mode scriptingMode (default Inert) is the following steps. They return a list of zero or
more nodes.
@@ -145621,12 +148877,19 @@ console.assert(container.firstChild instanceof SuperP);
handling this algorithm, then that is an error in the specification.
+ Assert: scriptingMode is either Inert or Fragment.
+
Let document be a Document node whose type is "html".
- If context's node document is
- in quirks mode, then set document's mode to "quirks".
+ Let contextDocument be context's
+ node document.
+
+ If contextDocument is in quirks mode, then set
+ document's mode to "quirks".
Otherwise, if context's node
document is in limited-quirks mode, then set document's Create a new HTML parser, and associate it with document.
- -
-
If document's scripting is enabled, then set the parser's
- scripting mode to scriptingMode.
+ If contextDocument's scripting is
+ disabled, then set scriptingMode to Disabled.
- This appears broken, as the document created for fragment parsing does not have a
- browsing context, which would make it parse noscript as if scripting was disabled.
- See issue #12254.
-
+ Set the parser's scripting mode to scriptingMode.
-
Set the state of the HTML parser's tokenization stage as
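Review bot: the new assertion "scriptingMode is either Inert or Fragment" is contradicted two steps later by "If contextDocument's scripting is disabled, then set scriptingMode to Disabled", which stores a value of the HTML parser's scripting mode into a variable declared as a fragment parser scripting mode, so the hunk conflates two enumerations. Suggest keeping the parameter untouched and mapping it explicitly, for example "Let parserScriptingMode be the parser scripting mode corresponding to scriptingMode; if contextDocument's scripting is disabled, then set parserScriptingMode to Disabled; set the parser's scripting mode to parserScriptingMode", with the Inert and Fragment cases spelled out. The removed note (issue #12254) records that this choice decides whether noscript content is parsed as markup or as text, and the sanitizer hunk above calls parsing a fragment with only contextElement, html, and true, so it relies on the Inert default introduced here; please confirm that default is the intended behaviour for a caller that filters the resulting tree, since a noscript subtree parsed one way during filtering and treated another way in the destination document is exactly the kind of parser disagreement that sanitizers are bypassed through.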
@@ -149216,12 +152475,12 @@ select:disabled {
min-inline-size: anchor-size(self-inline);
max-block-size: stretch;
overflow: auto;
- position-area: block-end span-inline-end;
+ position-area: self-block-end span-self-inline-end;
position-try-order: most-block-size;
position-try-fallbacks:
- block-start span-inline-end,
- block-end span-inline-start,
- block-start span-inline-start;
+ self-block-start span-self-inline-end,
+ self-block-end span-self-inline-start,
+ self-block-start span-self-inline-start;
}
select::picker-icon {
@@ -152392,6 +155651,7 @@ interface External {
crossorigin;
usemap;
ismap;
+ controls;
width;
height;
referrerpolicy;
@@ -153156,6 +156416,7 @@ interface External {
globals;
shadowrootmode;
shadowrootdelegatesfocus;
+ shadowrootslotassignment;
shadowrootclonable;
shadowrootserializable;
shadowrootcustomelementregistry
@@ -153623,7 +156884,7 @@ interface External {
a (if the href attribute is present);
audio (if the controls attribute is present);
- img (if the usemap attribute is present);
+ img (if the usemap or controls attribute is present);
input (if the type attribute is not in the Hidden state);
video (if the controls attribute is present)
@@ -154032,6 +157293,7 @@ interface External {
controls
audio;
video
+ img;
Show user agent controls
Boolean attribute
@@ -154717,6 +157979,12 @@ interface External {
template
Sets serializable on a declarative shadow root
Boolean attribute
+
+ shadowrootslotassignment
+ template
+ Sets slot assignment on a declarative shadow root
+ "named";
+ "manual"
shape
area
@@ -156760,6 +160028,9 @@ INSERT INTERFACES HERE
- [JSDYNAMICCODEBRANDCHECKS]
- Dynamic code brand checks. Ecma International.
+ - [JSIMPORTTEXT]
+ - Import Text. Ecma International.
+
- [JSINTL]
- ECMAScript Internationalization API Specification. Ecma International.
@@ -156822,6 +160093,9 @@ INSERT INTERFACES HERE
- [MULTIPLEBUFFERING]
- (Non-normative) Multiple buffering. Wikipedia.
+ - [MXSS]
+ - mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations, M. Heiderich, J. Schwenk, T. Frosch, J. Magazinius, and E. Z. Yang. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS '13), Berlin, Germany, 2013.
+
- [NAVIGATIONTIMING]
- Navigation Timing, Y. Weiss. W3C.
@@ -157475,6 +160749,7 @@ INSERT INTERFACES HERE
Eduardo Vela,
Edward Welbourne,
Edward Z. Yang,
+ Eemeli Aro,
Ehsan Akhgari,
Ehsan Karamad,
Eira Monstad,
@@ -158010,6 +161285,7 @@ INSERT INTERFACES HERE
Prateek Rungta,
Pravir Gupta,
Prayag Verma,
+ Psychpsyo,
李普君 (Pujun Li),
Rachid Finge,
Rafael Weinstein,
@@ -158263,6 +161539,7 @@ INSERT INTERFACES HERE
Yi-An Huang,
Yngve Nysaeter Pettersen,
Yoav Weiss,
+ Yoel Hawa,
Yonathan Randolph,
Yu Huojiang,
Yuki Okushi,