Conversation
|
Two things for the top comment, I don't think you do fold set and filter html anymore? Also this also doesn't touch execCommand with the insertHTML command. (This is probably the right move because that isnt specced correctly to start with. But worth calling out probably). |
| while <span data-x="allow declarative shadow roots">declarative shadow roots</span> are ignored. | ||
| <span data-x="XML documents">XML documents</span> are parsed using the XML parser.</dd> | ||
|
|
||
| <dt><dfn data-x="fragment-parser-mode-unsafe">Unsafe</dfn></dt> |
There was a problem hiding this comment.
Is it worth clarifying the XML behaviour here and below?
There was a problem hiding this comment.
sure, added something
Thanks, OP updated. |
|
Did we decide it was okay to not enforce the sanitizing if the document was XML? |
That's what I understood but @mozfreddyb, @evilpie or @otherdaniel would know more. Sanitization is not specified for the XML parser. |
What I remember is that we specified Sanitizer API only for methods that would inherently only support HTML syntax. This is probably best articulated in the hopelessly outdated explainer Nearly all interesting bits are specified in terms of DOM & DOM operations, so I'd expect this to be easy to adapt to XML. But IMHO, application to XML-parser parse trees requires a second look, since it invalidates one of the assumptions we had when specifying any of this. A silly example, but the only one I can think of: CDataSection in https://wicg.github.io/sanitizer-api/#sanitize-core step 1.1. That shouldn't be difficult to fix; but at least for now Sanitizer would assert-fail on (some) XML parse trees. In our implementation, there's a runtime assert there. |
|
I guess my main concern is people defining a trusted types policy with this new function thinking it protects them and then it doesn't because they're in XHTML or something? Assuming I'm reading this right you'd end up with a default policy explicitly setup to remove unsafe and then it actually no-ops when it's called by a legacy sync in XML. |
You mean sink? Yea it's limited in that way. But |
I think that the specific guidance to developers to be to check the type of document when they create the default policy, use createHTML with the appropriate userland sanitizer if either this is an XML document or TrustedParserOptions is not supported, and createParserOptions otherwise |
In almost* all of the places where where TrustedTypes'
createHTMLis called,we now also check for
createParserOptionsand call that if it's available, by calling "get trusted types compliant input" instead of "get trusted types compliant string".The exceptions to this are
srcdoc,document.write(), and theinsertHTMLexecCommand. We can resolve separately as to whether these should also be sanitized withcreateParserOptions.This now allows us to use the sanitizer in legacy markup insertion methods like the
innerHTMLsetter, and todisallow running scripts in
createContextualFragment.Since all markup insertion methods can now include a sanitizer, most of the steps from "set and filter HTML" are folded into the "fragment parsing algorithm steps", and it's assumed that there is always a sanitizer (though sometimes with an empty configuration).
Together with w3c/trusted-types#606
(See WHATWG Working Mode: Changes for more details.)
💥 Error: Wattsi server error 💥
PR Preview failed to build. (Last tried on Jul 17, 2026, 1:14 PM UTC).
More
PR Preview relies on a number of web services to run. There seems to be an issue with the following one:
🚨 Wattsi Server - Wattsi Server is the web service used to build the WHATWG HTML spec.
🔗 Related URL
Error output:
This seems to be an issue with the Wattsi Server service. PR Preview doesn't manage this service and so has no control over it. If you've identified an issue with it, you can report the issue to the maintainers of Wattsi Server directly. Please be courteous. Thank you!
If you don't have enough information above to solve the error by yourself or if the issue doesn't seem related to Wattsi Server, you can file an issue with PR Preview.