Re: Sanitising HTML content through sandboxing

On Thu, Nov 10, 2011 at 3:05 PM, Ryan Seddon <seddon.ryan@gmail.com> wrote:
>> DOMParser.parseFromString already takes a content type as the second
>> argument. The plan is to support HTML parsing when the second argument
>> is text/html.
>
> I quite like this as it keeps it agnostic towards what it is parsing so
> other formats like MathML and SVG won't look out of place with an HTMLParser
> object.
>
> How would this handle sanitising?

The web page could walk the parsed DOM and sanitize it however it
liked before adopting the nodes from the detached document into its
own document.

Adam

Received on Thursday, 10 November 2011 23:23:32 UTC
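
The walk-then-adopt approach described in the reply above, as an added example that is not part of the original thread. It assumes a browser where DOMParser accepts text/html; the allowlists and the function names sanitizeTree and insertSanitized are illustrative assumptions, not an API from the thread.

```javascript
// Illustrative allowlists (assumptions): anything not listed is removed.
// HTML elements report upper-case tagName; SVG/MathML elements parsed inside
// HTML keep their own case, so they never match and are dropped.
const ALLOWED_TAGS = new Set(['A', 'B', 'I', 'EM', 'STRONG', 'P', 'UL', 'OL', 'LI', 'BR', 'SPAN']);
const ALLOWED_ATTRS = new Set(['href', 'title']);
// Narrow scheme allowlist: relative links are stripped too, by design.
const SAFE_URL = /^(?:https?:|mailto:)/i;

// Walk a detached subtree in place. Unknown elements are removed together
// with their children; unknown attributes and unlisted URL schemes are stripped.
function sanitizeTree(root) {
  // Copy the live lists first, because the loop mutates them.
  for (const node of Array.from(root.childNodes)) {
    if (node.nodeType === 3) continue;          // text nodes carry no markup
    if (node.nodeType !== 1 || !ALLOWED_TAGS.has(node.tagName)) {
      root.removeChild(node);                   // comments, <script>, <iframe>, ...
      continue;
    }
    for (const attr of Array.from(node.attributes)) {
      const name = attr.name.toLowerCase();
      const ok = ALLOWED_ATTRS.has(name) &&
                 (name !== 'href' || SAFE_URL.test(attr.value.trim()));
      if (!ok) node.removeAttribute(attr.name); // on* handlers, style, src, ...
    }
    sanitizeTree(node);                         // descend only into kept elements
  }
  return root;
}

// Parse into a detached document, sanitize there, and only then adopt the
// surviving nodes into the page's own document.
function insertSanitized(html, target) {
  const detached = new DOMParser().parseFromString(html, 'text/html');
  sanitizeTree(detached.body);
  for (const node of Array.from(detached.body.childNodes)) {
    target.appendChild(target.ownerDocument.adoptNode(node));
  }
}
```

Removing rather than unwrapping unknown elements keeps the walk simple and fails closed; nothing reaches the live document until the whole detached tree has been checked.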