What is the issue with the HTML Standard?
In the Sanitizer API spec, the sanitizer configuration only allows for defining an allowlist of elements that can be replaced with their children (replaceWithChildrenElements), while for keeping elements, it supports either an allowlist (elements) or blocklist (removeElements).
That means that the configuration doesn't allow for allowing any custom element to be replaced with its children. I understand that keeping custom elements can be dangerous, but from what I can tell, replacing custom elements with their children should be fairly harmless because it avoids constructing the custom element, and I don't think it leads to the same situation as with html/svg/math.
The use case for replacing custom elements with their children is for sanitizing rich text from the user's clipboard. When copying from sites like MDN, GitHub, or Gemini, the web page's custom elements can get included in the clipboard HTML. By default, all custom elements are removed entirely even if there's normal content inside them.
Anyways, this doesn't seem to be a blocker because I think extracting all custom-element-looking tags from the HTML suffices, but it's a little contrived:
wrapper.setHTML(html, {
sanitizer: {
// ...
replaceWithChildrenElements: [
// ...
...new Set(html.matchAll(/<([a-z][a-z0-9]*-[a-z0-9-]+)/g).map(match => match[1]))
]
}
})
I'd like to know if this was an intentional design choice, and whether sanitizing HTML from the clipboard is an intended use of the Sanitizer API.
What is the issue with the HTML Standard?
In the Sanitizer API spec, the sanitizer configuration only allows for defining an allowlist of elements that can be replaced with their children (
replaceWithChildrenElements), while for keeping elements, it supports either an allowlist (elements) or blocklist (removeElements).That means that the configuration doesn't allow for allowing any custom element to be replaced with its children. I understand that keeping custom elements can be dangerous, but from what I can tell, replacing custom elements with their children should be fairly harmless because it avoids constructing the custom element, and I don't think it leads to the same situation as with html/svg/math.
The use case for replacing custom elements with their children is for sanitizing rich text from the user's clipboard. When copying from sites like MDN, GitHub, or Gemini, the web page's custom elements can get included in the clipboard HTML. By default, all custom elements are removed entirely even if there's normal content inside them.
Anyways, this doesn't seem to be a blocker because I think extracting all custom-element-looking tags from the HTML suffices, but it's a little contrived:
I'd like to know if this was an intentional design choice, and whether sanitizing HTML from the clipboard is an intended use of the Sanitizer API.