diff --git a/faq.md b/faq.md deleted file mode 100644 index 3d228c1..0000000 --- a/faq.md +++ /dev/null @@ -1,147 +0,0 @@ - Sanitizer API - FAQs -====================== - -## How do I use the Sanitizer API - -Construct a new Sanitizer, using either the defaults or suppliying a custom -configuration, and then pass in a string, a fragment, or an entire document -for sanitization. - -```js -const s = new Sanitizer(); - -// Returns a DOM Fragment equivalent to "Hello World". -s.sanitize("Hello World"); -``` - -## Can I use the Sanitizer in my app? - -Not yet. Current browser support is preliminary and incomplete and still -diverges in several details. And the specification itself is still in flux. -We expect to be working through these issues in the coming months. - -If you wish to try it out already: - -* Firefox: Go to `about:config`, search for the `dom.security.sanitizer.enabled` - flag and set it to true - -* Chromium / Chrome: Start the browser with the - `--enable-blink-features=SanitizerAPI` flag. - -## Do I have to supply my own Sanitizer configuration? What is the default? - -The default configuration will block all content that causes script execution. -unknown elements, plus a handful of deprecated elements. -It is safe against any direct XSS. - -```js -const default_sanitizer = new Sanitizer(); - -// Returns a DOM Fragment equivalent to "Hello World". -default_sanitizer.sanitize("Hello World"); - -// Complex formatting is allowed by default. This will return a fragment -// equivalent to its input. -default_sanitizer.sanitize("
Hello World
"); - -// Script execution is no-no: Returns "

Hello

" -default_sanitizer.sanitize("

Hello

"); -``` - -## Is Sanitizer output secure? - -'Secure' means different things in different contexts. The Sanitizer guarantees -safety from direct script execution in all configurations. This cannot be -overridden by custom configurations. - -```js -// Produces an empty fragment. There is no way to allow the "); -``` - -Other notions of safety can likely be configured. For example, if an -application relies on the `id=` attribute and does not wish user-supplied input -to introduce unforseen `id=` attribute values, then the application can easily -configure a block a Sanitizer to block the this attribute. However, the -application must ensure on its own that all parts of the application -(including any of its dependencies) will adhere to this restriction. - -Note: When we refer to "direct" script execution, we mean all markup that will - cause the browser to parse and execute script, such as the `