(developer.mozilla.org)

205 points todsacerdoti | 2 comments | 22 Oct 25 09:03 UTC | HN request time: 0.415s | source

Show context

CGamesPlay ◴[23 Oct 25 03:51 UTC] No.45678000[source]▶

Is “XSS-unsafe” precisely defined anywhere? I assume it means “any access to the JS interpreter”, but assuming in this context seems decidedly unsafe.

replies(1): >>45678102 #

1. pyth0 ◴[23 Oct 25 04:13 UTC] No.45678102[source]▶

>>45678000 #

It appears you can tune what is sanitized from the input via the "sanitizer" optional parameter. The default sanitizer is however defined in a spec linked on the docs page [1] with the actual sanitize operation specified as well [2].

[1] https://wicg.github.io/sanitizer-api/#dom-element-sethtml

[2] https://wicg.github.io/sanitizer-api/#sanitize

replies(1): >>45678371 #

2. CGamesPlay ◴[23 Oct 25 05:16 UTC] No.45678371[source]▶

>>45678102 (TP) #

Ah, perfect, the "remove unsafe" operation is what I was looking for. It includes a list of elements and a list of attributes. These appear to apply regardless of the sanitizer configuration you use, the original MDN link demonstrates allowlisting "script" but seeing that it is removed anyways.

https://wicg.github.io/sanitizer-api/#sanitizerconfig-remove...

↑

Element: setHTML() method