Upstream sanitizer api#12395
Conversation
noamr
force-pushed
the
zcorpan/upstream-sanitizer-api
branch
from
223a4d1 to
d2034e5
Compare
|
@zcorpan @evilpie @mozfreddyb @otherdaniel |
|
Amazing, thanks for working on this. The built-in safe default configuration is pretty integral to the API, where did I go? For anyone else looking at this, the gist of the changes are in dynamic-markup-insertion.html. |
Oh you're right I had it on my todo list and forgot. Getting to it. Thanks! |
Done. |
|
I thought as part of moving this into the HTML standard we'd also address the parser integration issue? |
This is a huge PR so I thought doing it in two stages, the first one being a purely technical upstream, would be easier to review? Open and happy to incorporate the stream-while-parsing changes in this PR if you and @zcorpan are ok to review that in one go. |
|
I prefer doing the parser integration in a follow-up PR. |
|
I think these three PRs would be good to merge before merging into the HTML standard: |
Since some security sensitive changes rely on "sanitizing while parsing", and that in turn relies on the current post-processing sanitizer being upstreamed, I don't think we should delay upstreaming any further. Can we race it? If any of these go in before the upstream PR is in I'll incorporate them into the HTML PR. |
| data-x="dom-SanitizerProcessingInstruction-target">target</code> member.</p> | ||
| </div> | ||
|
|
||
| <div algorithm> |
There was a problem hiding this comment.
Opened whatwg/infra#709 for now.
I'm not sure about the comparator thing - infra doesn't really say what it means that two items in a list are the same. Would it be enough to mention here whaht makes items of attributes/elements/... lists "equal"
otherdaniel
left a comment
otherdaniel
left a comment
There was a problem hiding this comment.
Thank you, and I'm super happy to see this happening!
I wonder if we can link to the "Security Considerations" section in the current spec; or have them in a supplementary document somewhere?
otherdaniel
left a comment
otherdaniel
left a comment
There was a problem hiding this comment.
Thank you, and I'm super happy to see this happening!
I wonder if we can link to the "Security Considerations" section in the current spec; or have them in a supplementary document somewhere?
noamr
force-pushed
the
zcorpan/upstream-sanitizer-api
branch
from
ea79a5b to
1e065df
Compare
I've upstreamed them instead into a security consideration subsection |
|
I've refactored some of the sanitization constants to go into each element's definition instead of being in one huge table. I think that makes it less error prone when we add new elements in the future. If that's undesirable I'm happy to revert. |
| data-x="dom-SanitizerProcessingInstruction-target">target</code> member.</p> | ||
| </div> | ||
|
|
||
| <div algorithm> |
| <dd>« »</dd> | ||
|
|
||
| <dt><code data-x="dom-SanitizerConfig-attributes">attributes</code></dt> | ||
| <dd>all <span>global attributes</span>, alongside the MathML and SVG presentation attributes</dd> |
There was a problem hiding this comment.
https://wicg.github.io/sanitizer-api/#built-in-safe-default-configuration:~:text=%22processingInstructions%22%3A%20%5B%5D%2C%20%22attributes,null%20%7D%20%5D%2C doesn't list all global attributes. Which MathML and SVG presentation attributes?
| @@ -16164,6 +16266,7 @@ interface <dfn interface>HTMLTitleElement</dfn> : <span>HTMLElement</span> { | |||
| data-x="concept-element-accessibility-considerations">Accessibility considerations</span>:</dt> | |||
| <dd><a href="https://w3c.github.io/html-aria/#el-base">For authors</a>.</dd> | |||
| <dd><a href="https://w3c.github.io/html-aam/#el-base">For implementers</a>.</dd> | |||
| <dd><span>Navigating URL attributes</span>: <code data-x="attr-base-href">href</code>.</dd> | |||
There was a problem hiding this comment.
Missing
<dt><span data-x="concept-element-sanitization">Safe sanitization</span>:</dt>
Same issue for some other elements.
There was a problem hiding this comment.
Do we need that for all elements? I only have it for removed/included by default elements
and there is this phrase:
<p>When specified, the <dfn data-x="concept-element-sanitization">safe sanitization</dfn> criteria
for each element defines whether the element is <dfn data-x="sanitizer-removed">removed</dfn> or
<dfn data-x="sanitizer-included-by-default">included by default</dfn> when performing safe
sanitization. When unspecified, the element is not included by default, but can still be added by
a <code>SanitizerConfig</code></p>
Should I define "allowed" as a 3rd option and define all of these?
There was a problem hiding this comment.
Not needed for all elements, but as is now this line is under "accessibility considerations" which is not correct.
| steps">sanitize</span> <var>child</var>'s <span>shadow root</span> given | ||
| <var>configuration</var> and <var>handleJavascriptNavigationUrls</var>.</p></li> | ||
|
|
||
| <li><p>Let <var>elementWithLocalAttributes</var> be « ».</p></li> |
| <dd><span>Navigating URL attributes</span>: <code data-x="attr-hyperlink-href">href</code>, <code | ||
| data-x="attr-hyperlink-hreflang">hreflang</code>, <code | ||
| data-x="attr-hyperlink-type">type</code>.</dd> |
There was a problem hiding this comment.
hreflang and type should not be listed here.
| <h5 id="sanitizer-security-script-gadgets">XSS with script gadgets</h5> | ||
|
|
| framework which then performs the execution of JavaScript based on that input.</p> | ||
|
|
||
| <p>The Sanitizer API can not prevent these attacks, but requires page authors to explicitly allow | ||
| unknown elements in general, and authors required to additionally explicitly configure unknown |
There was a problem hiding this comment.
"required" is a normative keyword (and "authors required" is not grammatically correct).
| <tr> | ||
| <td><code data-x="SVG defs">defs</code> | ||
| <td><span data-x="SVG namespace">SVG</span> | ||
| <td> <tr> |
There was a problem hiding this comment.
Missing linebreak (also in more places in this table)
…nition lists near the top of the file
noamr
force-pushed
the
zcorpan/upstream-sanitizer-api
branch
from
5adaf4c to
6ba99b9
Compare
5 participants
Convert the incubated spec in https://wicg.github.io/sanitizer-api/ to the HTML format and make it part of the HTML standard.
(See WHATWG Working Mode: Changes for more details.)
/canvas.html ( diff )
/comms.html ( diff )
/dom.html ( diff )
/dynamic-markup-insertion.html ( diff )
/edits.html ( diff )
/embedded-content-other.html ( diff )
/form-elements.html ( diff )
/forms.html ( diff )
/grouping-content.html ( diff )
/iframe-embed-object.html ( diff )
/image-maps.html ( diff )
/imagebitmap-and-animations.html ( diff )
/index.html ( diff )
/indices.html ( diff )
/infrastructure.html ( diff )
/interaction.html ( diff )
/interactive-elements.html ( diff )
/microdata.html ( diff )
/parsing.html ( diff )
/references.html ( diff )
/rendering.html ( diff )
/scripting.html ( diff )
/sections.html ( diff )
/semantics.html ( diff )
/system-state.html ( diff )
/tables.html ( diff )
/text-level-semantics.html ( diff )
/timers-and-user-prompts.html ( diff )
/web-messaging.html ( diff )
/webstorage.html ( diff )
/workers.html ( diff )