Skip to content

Sanitizer API: Catch-all for replacing custom elements with children #12626

Description

@SheepTester

What is the issue with the HTML Standard?

In the Sanitizer API spec, the sanitizer configuration only allows for defining an allowlist of elements that can be replaced with their children (replaceWithChildrenElements), while for keeping elements, it supports either an allowlist (elements) or blocklist (removeElements).

That means that the configuration doesn't allow for allowing any custom element to be replaced with its children. I understand that keeping custom elements can be dangerous, but from what I can tell, replacing custom elements with their children should be fairly harmless because it avoids constructing the custom element, and I don't think it leads to the same situation as with html/svg/math.

The use case for replacing custom elements with their children is for sanitizing rich text from the user's clipboard. When copying from sites like MDN, GitHub, or Gemini, the web page's custom elements can get included in the clipboard HTML. By default, all custom elements are removed entirely even if there's normal content inside them.

Anyways, this doesn't seem to be a blocker because I think extracting all custom-element-looking tags from the HTML suffices, but it's a little contrived:

wrapper.setHTML(html, {
  sanitizer: {
    // ...
    replaceWithChildrenElements: [
      // ...
      ...new Set(html.matchAll(/<([a-z][a-z0-9]*-[a-z0-9-]+)/g).map(match => match[1]))
    ]
  }
})

I'd like to know if this was an intentional design choice, and whether sanitizing HTML from the clipboard is an intended use of the Sanitizer API.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions