HTML Sanitizer API


This content originally appeared on CSS-Tricks and was authored by Chris Coyier

Three cheers for (draft stage) progress on a Sanitizer API! It’s gospel that you can’t trust user input. And indeed, any app I’ve ever worked on has dealt with bad actors trying to slip in and execute nefarious code somewhere it shouldn’t.

It’s the web developer’s job to clean user input before it is used again on the page (or stored, or used server-side). This is typically done with our own code or with libraries we pull in to help. We might write a RegEx to strip anything that looks like HTML (or the like), which carries the risk of bugs, and of those bad actors finding a way around whatever our code is doing.

Instead of user-land libraries, or wrestling with it ourselves, we could let the browser do it:

// some function that turns a string into real nodes
const untrusted_input = to_node("<em onclick='alert(1);'>Hello!</em>");

const sanitizer = new Sanitizer();
sanitizer.sanitize(untrusted_input);  // <em>Hello!</em>

Then let it continue to be a browser responsibility over time. As the draft report says:

The browser has a fairly good idea of when it is going to execute code. We can improve upon the user-space libraries by teaching the browser how to render HTML from an arbitrary string in a safe manner, and do so in a way that is much more likely to be maintained and updated along with the browser’s own changing parser implementation.
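As an added example (not code from the post or from the draft spec), here is a small teaching model of the allowlist decisions such a sanitizer makes, written so it runs in Node without a DOM: elements not on an allowlist are unwrapped, script-like elements are dropped together with their contents, and event-handler attributes and javascript: URLs are removed. The tokenizer is deliberately minimal and the allowlists are assumptions; the point of the real API is that the browser’s own HTML parser does that part.

```javascript
// Added teaching model, not code from the post or the draft spec:
// the allowlist decisions a sanitizer makes, applied to a token stream.
const ALLOWED_ELEMENTS = new Set(['p', 'em', 'strong', 'b', 'i', 'a']);
const ALLOWED_ATTRIBUTES = { a: new Set(['href']) };               // per-element attribute allowlist
const DROPPED_ELEMENTS = new Set(['script', 'style', 'template']); // removed with their contents

function safeAttribute(tag, name, value) {
  if (name.startsWith('on')) return false;                        // event handlers are never kept
  const allowed = ALLOWED_ATTRIBUTES[tag];
  if (!allowed || !allowed.has(name)) return false;               // default deny
  if (name === 'href' && /^\s*javascript:/i.test(value)) return false; // script URLs
  return true;
}

function sanitizeHtml(input) {
  // Tokens: a tag, a run of text, or a stray '<' that starts no tag.
  const tokenRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>|[^<]+|</g;
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const out = [];
  let dropDepth = 0;                 // > 0 while inside a dropped element
  for (const [token, closing, tagName, attrText] of input.matchAll(tokenRe)) {
    if (tagName === undefined) {     // text: emitted verbatim, stray '<' escaped
      if (dropDepth === 0) out.push(token === '<' ? '&lt;' : token);
      continue;
    }
    const tag = tagName.toLowerCase();
    if (DROPPED_ELEMENTS.has(tag)) {
      dropDepth = Math.max(0, dropDepth + (closing ? -1 : 1));
      continue;
    }
    // Inside a dropped element, or not on the allowlist: tag removed, text kept.
    if (dropDepth > 0 || !ALLOWED_ELEMENTS.has(tag)) continue;
    if (closing) { out.push(`</${tag}>`); continue; }
    const attrs = [];
    for (const [, rawName, dq, sq, bare] of attrText.matchAll(attrRe)) {
      const name = rawName.toLowerCase();
      const value = dq ?? sq ?? bare ?? '';
      if (safeAttribute(tag, name, value)) attrs.push(` ${name}="${value.replace(/"/g, '&quot;')}"`);
    }
    out.push(`<${tag}${attrs.join('')}>`);
  }
  return out.join('');
}
```

Fed the post’s own input, the model yields the same `<em>Hello!</em>` the draft snippet shows.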

This kind of thing is web standards at its best. Spot something annoying (and/or dangerous) that tons of people have to do, and step in to make it safer, faster, and better.

Chris Coyier | Sciencx (2021-12-16T18:21:31+00:00) HTML Sanitizer API. Retrieved from https://www.scien.cx/2021/12/16/html-sanitizer-api/