From 0bcc9425941f75ec6a927624e9d5580b7ffe0ee4 Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim <30862698+otherdaniel@users.noreply.github.com> Date: Fri, 24 Nov 2023 17:15:52 +0100 Subject: [PATCH] Add more examples. (#196) More examples, based on in-meeting discussions. Co-authored-by: Anne van Kesteren --- explainer.md | 223 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 205 insertions(+), 18 deletions(-) diff --git a/explainer.md b/explainer.md index a69bba7..1ff05c2 100644 --- a/explainer.md +++ b/explainer.md @@ -96,6 +96,8 @@ that navigate. The 'unsafe' methods will not apply any filtering if no explicit config is supplied. +> [!Note] The 'unsafe' methods are being worked on here: https://github.com/whatwg/html/pull/9538 + ## Major differences to previously proposed APIs: The currently proposed API differs in a number of aspects: @@ -106,6 +108,7 @@ The currently proposed API differs in a number of aspects: - Enforcement of a security baseline depends on the method. The filter/sanitizer config can now be used differently, either in a guaranteed-secure way or in use-config-as-written way. +- The configuration dictionary differs substantially in syntax. ## Open questions: @@ -115,10 +118,6 @@ The currently proposed API differs in a number of aspects: dictionary? (As-is, it should probably be a dictionary. An object would require either compelling performance numbers, or a compelling operation that would only work with a pre-processed dictionary.) -- Exact filter options syntax. I'm assuming this will follow the discussion in - #181. -- Naming is TBD. Here I'm trying to follow the preferences expressed in the - recent 'sync' meeting. ## Examples @@ -148,8 +147,11 @@ Document.parseHTML(example_tr); // A table row. All of these would have had identical results if the "unsafe" variants had been used. +### Parsing in XML documents + Parsing follows HTML parsing rules, unlike `innerHTML`, where it depends on the document type: + ```js const element_xml = new DOMParser().parseFromString("
", "application/xhtml+xml").getElementsByTagName("div")[0]; const example_not_xml = "
bla"; @@ -161,39 +163,60 @@ element_xml.setHTML(example_not_xml); //
`); //
``` +Note that the context node might also be a script element. In this case adding +plain text to it creates new script content: + +```js +const sneaky = document.createElement("script"); +sneaky.setHTMLUnsafe("alert('Surprise!');"); +// +``` + +For the "safe" versions this case will be treated specially. `setHTML` checks +the context element and calling it on a ` +sneaky.setHTML("alert('Surprise!');"); // +``` + +### Configuration Options: Basic use and namespaces + The operation of the built-in sanitizer can be configured to suit your applications' needs. Both "safe" and "unsafe" versions can take a configuration. -(Please note that naming and structure here is rather preliminary, -but we expect these capabilities to be in the final standard.) The "safe" version will ignore configuration items that break its security guarantees: ```js -const an_unsafe_config = { 'allowElements': [ { name: 'script' } ] }; +const an_unsafe_config = { 'elements': [ { name: 'script' } ] }; element.setHTML("