From 5ea6f36077d34d8186346dcc712e8eeb21ff88cf Mon Sep 17 00:00:00 2001 From: Simon Pieters Date: Wed, 25 Mar 2026 17:24:52 +0100 Subject: [PATCH 01/35] Upstream the Sanitizer API See https://github.com/WICG/sanitizer-api/issues/291 --- source | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 115 insertions(+), 9 deletions(-) diff --git a/source b/source index f9b7fb2ae66..a4749d246f9 100644 --- a/source +++ b/source @@ -11421,7 +11421,8 @@ typedef (HTMLScriptElement or SVGScriptElement) LegacyOverrideBuiltIns] partial interface Document { - static Document parseHTMLUnsafe((TrustedHTML or DOMString) html); + static Document parseHTMLUnsafe((TrustedHTML or DOMString) html, optional SetHTMLUnsafeOptions options = {}); + static Document parseHTML((TrustedHTML or DOMString) html, optional SetHTMLOptions options = {}); // resource metadata management [PutForwards=href, LegacyUnforgeable] readonly attribute Location? location; @@ -124684,7 +124685,8 @@ document.body.appendChild(frame)
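Review bot: `parseHTML` is declared with `(TrustedHTML or DOMString) html` in the `partial interface Document` hunk, while the sibling safe method `setHTML` added to `Element` and `ShadowRoot` in this same patch takes a plain `DOMString`. The `parseHTML` method steps added later in this series pass `html` directly to "parse HTML from a string" with no Trusted Types compliant-string step, so the union carries no enforcement. It also blurs the line between the sanitizing entry points and the Trusted Types sinks. Unless the union is intentional, declare it as `static Document parseHTML(DOMString html, optional SetHTMLOptions options = {});`.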

DOM parsing and serialization APIs

partial interface Element {
-  [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html);
+  [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html, optional SetHTMLUnsafeOptions options = {});
+  [CEReactions] undefined setHTML(DOMString html, optional SetHTMLOptions options = {});
   DOMString getHTML(optional GetHTMLOptions options = {});
 
   [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
@@ -124693,12 +124695,21 @@ document.body.appendChild(frame)
}; partial interface ShadowRoot { - [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html); + [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html, optional SetHTMLUnsafeOptions options = {}); + [CEReactions] undefined setHTML(DOMString html, optional SetHTMLOptions options = {}); DOMString getHTML(optional GetHTMLOptions options = {}); [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML; }; +enum SanitizerPresets { "default" }; +dictionary SetHTMLOptions { + (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default"; +}; +dictionary SetHTMLUnsafeOptions { + (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {}; +}; + dictionary GetHTMLOptions { boolean serializableShadowRoots = false; sequence<ShadowRoot> shadowRoots = []; @@ -124876,10 +124887,10 @@ enum DOMParserSupportedType {
element.setHTMLUnsafe(html)
+ data-x="dom-Element-setHTMLUnsafe">setHTMLUnsafe(html, options)
-

Parses html using the HTML parser, and replaces the children of element +

Parses html using the HTML parser with options options, and replaces the children of element with the result. element provides context for the HTML parser.

@@ -124887,16 +124898,16 @@ enum DOMParserSupportedType { data-x="dom-ShadowRoot-setHTMLUnsafe">setHTMLUnsafe(html)
-

Parses html using the HTML parser, and replaces the children of +

Parses html using the HTML parser with options options, and replaces the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser.

doc = Document.parseHTMLUnsafe(html)
+ data-x="dom-parseHTMLUnsafe">parseHTMLUnsafe(html, options)
-

Parses html using the HTML parser, and returns the resulting +

Parses html using the HTML parser with options options, and returns the resulting Document.

Note that script elements are not evaluated during parsing, and the resulting @@ -124972,7 +124983,7 @@ enum DOMParserSupportedType {

The static parseHTMLUnsafe(html) method steps are:

+ data-x="dom-parseHTMLUnsafe">parseHTMLUnsafe(html, options) method steps are:

  1. Let compliantHTML be the result of invoking the DOMParserSupportedType {

  2. Parse HTML from a string given document and compliantHTML.

  3. +
  4. Let sanitizer be the result of calling get a sanitizer instance from options + with options and false.

  5. + +
  6. Call sanitize on document with sanitizer and false.

  7. +
  8. Return document.

+ + +

Safe HTML parsing methods

+ +
+ +
+ +
+ +
partial interface Element {
+};
+ +
+ +

HTML serialization methods

@@ -125555,6 +125587,80 @@ interface XMLSerializer { +

HTML sanitization

+ +

The Sanitizer interface

+ +
[Exposed=Window]
+interface Sanitizer {
+  constructor(optional (SanitizerConfig or SanitizerPresets) configuration = "default");
+
+  // Query configuration:
+  SanitizerConfig get();
+
+  // Modify a Sanitizer's lists and fields:
+  boolean allowElement(SanitizerElementWithAttributes element);
+  boolean removeElement(SanitizerElement element);
+  boolean replaceElementWithChildren(SanitizerElement element);
+  boolean allowAttribute(SanitizerAttribute attribute);
+  boolean removeAttribute(SanitizerAttribute attribute);
+  boolean setComments(boolean allow);
+  boolean setDataAttributes(boolean allow);
+
+  // Remove markup that executes script.
+  boolean removeUnsafe();
+};
+ + TODO + +

Sanitizer configuration

+ +
dictionary SanitizerElementNamespace {
+  required DOMString name;
+  DOMString? _namespace = "http://www.w3.org/1999/xhtml";
+};
+
+// Used by "elements"
+dictionary SanitizerElementNamespaceWithAttributes : SanitizerElementNamespace {
+  sequence attributes;
+  sequence removeAttributes;
+};
+
+typedef (DOMString or SanitizerElementNamespace) SanitizerElement;
+typedef (DOMString or SanitizerElementNamespaceWithAttributes) SanitizerElementWithAttributes;
+
+dictionary SanitizerAttributeNamespace {
+  required DOMString name;
+  DOMString? _namespace = null;
+};
+typedef (DOMString or SanitizerAttributeNamespace) SanitizerAttribute;
+
+dictionary SanitizerConfig {
+  sequence elements;
+  sequence removeElements;
+  sequence replaceWithChildrenElements;
+
+  sequence attributes;
+  sequence removeAttributes;
+
+  boolean comments;
+  boolean dataAttributes;
+};
+ + TODO + +
Configuration invariants
+ + TODO + +

Processing model

+ + TODO ("Algorithms" section) + +

Security consideration

+ + TODO +

Timers

The setTimeout() and Date: Thu, 9 Apr 2026 11:45:16 +0200 Subject: [PATCH 02/35] Fix build errors, update steps for setHTMLUnsafe --- source | 49 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 32 insertions(+), 17 deletions(-) diff --git a/source b/source index a4749d246f9..d02bccd24a8 100644 --- a/source +++ b/source @@ -124895,7 +124895,7 @@ enum DOMParserSupportedType {

shadowRoot.setHTMLUnsafe(html)
+ data-x="dom-ShadowRoot-setHTMLUnsafe">setHTMLUnsafe(html, options)

Parses html using the HTML parser with options options, and replaces the children of @@ -124924,7 +124924,7 @@ enum DOMParserSupportedType {

Element's setHTMLUnsafe(html) method steps + data-x="dom-Element-setHTMLUnsafe">setHTMLUnsafe(html, options) method steps are:

    @@ -124937,14 +124937,14 @@ enum DOMParserSupportedType {
  1. Let target be this's template contents if this is a template element; otherwise this.

  2. -
  3. Unsafely set HTML given target, this, and - compliantHTML.

  4. +
  5. Set and filter HTML given target, this, + compliantHTML, options, and false.

ShadowRoot's setHTMLUnsafe(html) method steps + data-x="dom-ShadowRoot-setHTMLUnsafe">setHTMLUnsafe(html, options) method steps are:

    @@ -124954,8 +124954,8 @@ enum DOMParserSupportedType { object, html, "ShadowRoot setHTMLUnsafe", and "script".

    -
  1. Unsafely set HTML given this, this's shadow host, and compliantHTML.

  2. +
  3. Set and filter HTML given this, this's shadow host, compliantHTML, options, and false.

@@ -125022,6 +125022,21 @@ enum DOMParserSupportedType { + +

Safe HTML parsing methods

@@ -125030,8 +125045,8 @@ enum DOMParserSupportedType {
-
partial interface Element {
-};
+
+
@@ -125587,7 +125602,7 @@ interface XMLSerializer { -

HTML sanitization

+

HTML sanitization

The Sanitizer interface

@@ -125622,8 +125637,8 @@ interface Sanitizer { // Used by "elements" dictionary SanitizerElementNamespaceWithAttributes : SanitizerElementNamespace { - sequence attributes; - sequence removeAttributes; + sequence<SanitizerAttribute> attributes; + sequence<SanitizerAttribute> removeAttributes; }; typedef (DOMString or SanitizerElementNamespace) SanitizerElement; @@ -125636,12 +125651,12 @@ dictionary SanitizerAttributeNamespace { typedef (DOMString or SanitizerAttributeNamespace) SanitizerAttribute; dictionary SanitizerConfig { - sequence elements; - sequence removeElements; - sequence replaceWithChildrenElements; + sequence<SanitizerElementWithAttributes> elements; + sequence<SanitizerElement> removeElements; + sequence<SanitizerElement> replaceWithChildrenElements; - sequence attributes; - sequence removeAttributes; + sequence<SanitizerAttribute> attributes; + sequence<SanitizerAttribute> removeAttributes; boolean comments; boolean dataAttributes; From 9a0a7b46f5a3e104964b971c68d21a8d58b2f600 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 13:59:58 +0100 Subject: [PATCH 03/35] upstream everything --- source | 2181 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 2130 insertions(+), 51 deletions(-) diff --git a/source b/source index d02bccd24a8..32b9a5a2679 100644 --- a/source +++ b/source @@ -124960,22 +124960,27 @@ enum DOMParserSupportedType {
-

To unsafely set HTML, given an Element or DocumentFragment - target, an Element contextElement, and a string - html:

+

Element's setHTML(html, options) method steps + are:

    -
  1. Let newChildren be the result of the HTML fragment parsing - algorithm given contextElement, html, and true.

  2. +
  3. Let target be this's template contents if + this is a template element; otherwise this.

  4. -
  5. Let fragment be a new DocumentFragment whose node - document is contextElement's node document.

  6. +
  7. Set and filter HTML given target, this, + html, options, and true.

  8. +
+
-
  • For each node in newChildren, append node to fragment.

  • +
    +

    ShadowRoot's setHTML(html, options) method steps + are:

    -
  • Replace all with fragment within - target.

  • +
      +
    1. Set and filter HTML given this, this's shadow host, html, options, and true.

    @@ -125018,29 +125023,61 @@ enum DOMParserSupportedType { - +
    +

    The static parseHTML(html, options) method steps + are:

    - +
      +
    1. +

      Let document be a new Document, whose content type is "text/html".

      + +

      Since document does not have a browsing context, scripting + is disabled.

      +
    2. + +
    3. Set document's allow declarative shadow roots to + true.

    4. + +
    5. Parse HTML from a string given document and + html.

    6. + +
    7. Let sanitizer be the result of calling get a sanitizer instance from + options with options and true.

    8. + +
    9. Call sanitize on document with sanitizer and + true.

    10. + +
    11. Return document.

    12. +
    +
    - + +

    Safe HTML parsing methods

    - +
    element.setHTML(html, options)
    +
    shadowRoot.setHTML(html, options)
    +
    +

    Parses html using the HTML parser with options options, and replaces + the children of the element or shadow root with the result, which is then sanitized.

    +
    + +
    doc = Document.parseHTML(html, options)
    +
    +

    Parses html using the HTML parser with options options, and returns a + new Document containing the result, which is then sanitized.

    +
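Review bot: Both new domintro descriptions say the result is inserted or returned and "is then sanitized", which reads as if unsanitized nodes reach the element, shadow root or caller first. The `parseHTML` steps in this hunk sanitize the document before returning it. The `setHTML` steps delegate to "set and filter HTML", whose definition is not visible here; presumably it filters the fragment before replacing the target's children. Authors use this box to judge safety, so state the order explicitly, e.g. `Parses html using the HTML parser, sanitizes the result according to options, and replaces the children of the element or shadow root with it.`, with the matching change for `Document.parseHTML`.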
    @@ -125604,6 +125641,62 @@ interface XMLSerializer {

    HTML sanitization

    + + +

    Web applications often need to work with strings of HTML on the client side, perhaps as part of + a client-side templating solution, or perhaps as part of rendering user-generated content. It is + difficult to do so in a safe way. The naive approach of joining strings together and stuffing + them into an element's innerHTML is fraught with risk, + as it can cause script execution in a number of unexpected ways.

    + +

    Libraries like DOMPurify attempt to manage this problem by carefully parsing and + sanitizing strings before insertion, by constructing a DOM and filtering its members through an + allow-list. This has proven to be a fragile approach, as the parsing APIs exposed to the web don't + always map in reasonable ways to the browser's behavior when actually rendering a string as HTML + in the "real" DOM. Moreover, the libraries need to keep on top of browsers' changing behavior over + time; things that once were safe may turn into time-bombs based on new platform-level + features.

    + +

    The browser has a fairly good idea of when it is going to execute code. We can improve upon + user-space libraries by teaching the browser how to render HTML from an arbitrary string in a + safe manner, and do so in a way that is much more likely to be maintained and updated along with + the browser's own changing parser implementation. The APIs in this section aim to do just + that.

    + +

    The goals of these APIs are:

    + +
      +
    • Mitigate the risk of DOM-based cross-site scripting attacks by providing developers with + mechanisms for handling user-controlled HTML which prevent direct script execution upon + injection.

    • + +
    • Make HTML output safe for use within the current user agent, taking into account its + current understanding of HTML.

    • + +
    • Allow developers to override the default set of elements and attributes. Adding certain + elements and attributes can prevent script gadget + attacks.

    • +
    + +

    These APIs offer functionality to parse a string containing HTML into a DOM tree, and to + filter the resulting tree according to a user-supplied configuration. The methods come in two + main flavors:

    + +
    +
    Safe and unsafe
    +

    The "safe" methods will not generate any markup that executes script. That is, they are + intended to be safe from XSS. The "unsafe" methods will parse and filter based on the provided + configuration, but do not have the same safety guarantees by default.

    + +
    Context
    +

    Methods are defined on Element and ShadowRoot and will replace + these node's children, and are largely analogous to innerHTML. There are also static methods on the + Document, which parse an entire document and are largely analogous to parseFromString().

    +
    +

    The Sanitizer interface

    [Exposed=Window]
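Review bot: The "Safe and unsafe" entry says the safe methods "are intended to be safe from XSS", which promises more than the goals list just above it. Goal 1 is limited to "direct script execution upon injection", and goal 3 treats script gadget attacks as something the author addresses by changing the configuration. Readers will quote this sentence as the API's guarantee, so keep it to what the sanitizer enforces, e.g. `That is, they are intended to prevent direct script execution from the inserted markup.`, and point to the security considerations subsection for what remains the page's responsibility. The same entry could also say that the unsafe methods apply no filtering when no sanitizer is passed, which the `sanitizer = {}` default in `SetHTMLUnsafeOptions` implies.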
    @@ -125617,6 +125710,8 @@ interface Sanitizer {
       boolean allowElement(SanitizerElementWithAttributes element);
       boolean removeElement(SanitizerElement element);
       boolean replaceElementWithChildren(SanitizerElement element);
    +  boolean allowProcessingInstruction(SanitizerPI pi);
    +  boolean removeProcessingInstruction(SanitizerPI pi);
       boolean allowAttribute(SanitizerAttribute attribute);
       boolean removeAttribute(SanitizerAttribute attribute);
       boolean setComments(boolean allow);
    @@ -125626,51 +125721,2035 @@ interface Sanitizer {
       boolean removeUnsafe();
     };
    - TODO +

    A Sanitizer has an associated configuration + (a SanitizerConfig).

    + +

    The new Sanitizer(configuration) + constructor steps are:

    + +
      +
    1. If configuration is a SanitizerPresets string, then:

      + +
        +
      1. Assert: configuration is + "default".

      2. + +
      3. Set configuration to the built-in safe default + configuration.

      4. +
      +
    2. + +
    3. If set a configuration configuration with true and + this is false, then throw a TypeError.

    4. +
    + +
    +

    The allowProcessingInstruction(pi) + method steps are:

    + +
      +
    1. Let configuration be this's configuration.

    2. + +
    3. Set pi to the result of canonicalize a sanitizer processing + instruction with pi.

    4. + +
    5. If configuration["processingInstructions"] exists, then:

      + +
        +
      1. If configuration["processingInstructions"] contains + pi, then return false.

      2. + +
      3. Append pi to configuration["processingInstructions"].

      4. + +
      5. Return true.

      6. +
      +
    6. + +
    7. Otherwise:

      + +
        +
      1. If configuration["removeProcessingInstructions"] contains + pi, then:

        + +
          +
        1. Remove the item from configuration["removeProcessingInstructions"] + whose target member is + pi's target member.

        2. + +
        3. Return true.

        4. +
        +
      2. + +
      3. Return false.

      4. +
      +
    8. +
    +
    + +
    +

    The removeProcessingInstruction(pi) + method steps are:

    + +
      +
    1. Let configuration be this's configuration.

    2. + +
    3. Set pi to the result of canonicalize a sanitizer processing + instruction with pi.

    4. + +
    5. If configuration["processingInstructions"] exists, then:

      + +
        +
      1. If configuration["processingInstructions"] contains + pi, then:

        + +
          +
        1. Remove the item from configuration["processingInstructions"] + whose target member is + pi's target member.

        2. + +
        3. Return true.

        4. +
        +
      2. + +
      3. Return false.

      4. +
      +
    6. + +
    7. Otherwise:

      + +
        +
      1. If configuration["removeProcessingInstructions"] contains + pi, then return false.

      2. + +
      3. Append pi to configuration["removeProcessingInstructions"].

      4. + +
      5. Return true.

      6. +
      +
    8. +
    +
    + +
    +

    To set a configuration, given a dictionary + configuration, a boolean allowCommentsPIsAndDataAttributes, and a + Sanitizer sanitizer:

    + +
      +
    1. Canonicalize the configuration configuration with + allowCommentsPIsAndDataAttributes.

    2. + +
    3. If configuration is not valid, then return false.

    4. + +
    5. Set sanitizer's configuration to configuration.

    6. + +
    7. Return true.

    8. +
    +
    + +
    +

    To canonicalize the configuration SanitizerConfig + configuration with a boolean allowCommentsPIsAndDataAttributes:

    + +
      +
    1. For each member of configuration that is a list of + strings:

      +
        +
      1. Replace each string in member with the result of canonicalizing it using the + appropriate algorithm (e.g., canonicalize a sanitizer element or + canonicalize a sanitizer attribute).

      2. +
      +
    2. + +
    3. If configuration["elements"] exists, then:

      +
        +
      1. For each element in configuration["elements"]:

        +
          +
        1. If element["attributes"] + exists, replace each attribute with the result of canonicalize a sanitizer + attribute.

        2. + +
        3. If element["removeAttributes"] + exists, replace each attribute with the result of canonicalize a sanitizer + attribute.

        4. +
        +
      2. +
      +
    4. + +
    5. If neither configuration["elements"] nor configuration["removeElements"] exists, then set + configuration["removeElements"] + to an empty list.

    6. + +
    7. If neither configuration["attributes"] nor configuration["removeAttributes"] exists, then + set configuration["removeAttributes"] to an empty list.

    8. + +
    9. If neither configuration["processingInstructions"] nor + configuration["removeProcessingInstructions"] + exists, then:

      +
        +
      1. If allowCommentsPIsAndDataAttributes is true, then set + configuration["removeProcessingInstructions"] + to an empty list.

      2. + +
      3. Otherwise, set configuration["processingInstructions"] to an empty + list.

      4. +
      +
    10. + +
    11. If configuration["comments"] does not exist, set it to + allowCommentsPIsAndDataAttributes.

    12. + +
    13. If configuration["dataAttributes"] does not exist, + set it to allowCommentsPIsAndDataAttributes.

    14. +
    +
    + +
    +

    In order to canonicalize a sanitizer element element, run the following + steps:

    + +
      +
    1. If element is a string, then return a new + SanitizerElementNamespace dictionary with its name member set to element and its + _namespace member set to the + HTML namespace.

    2. + +
    3. Return element.

    4. +
    +
    + +
    +

    In order to canonicalize a sanitizer attribute attribute, run the + following steps:

    + +
      +
    1. If attribute is a string, then return a new + SanitizerAttributeNamespace dictionary with its name member set to attribute and + its _namespace member set to + null.

    2. + +
    3. Return attribute.

    4. +
    +
    + +
    +

    In order to canonicalize a sanitizer processing instruction pi, run the following steps:

    + +
      +
    1. If pi is a string, then set pi to a new + SanitizerProcessingInstruction dictionary with its target member set to + pi.

    2. + +
    3. Return pi.

    4. +
    +

    Sanitizer configuration

    -
    dictionary SanitizerElementNamespace {
    -  required DOMString name;
    -  DOMString? _namespace = "http://www.w3.org/1999/xhtml";
    +  
    dictionary SanitizerElementNamespace {
    +  required DOMString name;
    +  DOMString? _namespace = "http://www.w3.org/1999/xhtml";
     };
     
     // Used by "elements"
    -dictionary SanitizerElementNamespaceWithAttributes : SanitizerElementNamespace {
    -  sequence<SanitizerAttribute> attributes;
    -  sequence<SanitizerAttribute> removeAttributes;
    +dictionary SanitizerElementNamespaceWithAttributes : SanitizerElementNamespace {
    +  sequence<SanitizerAttribute> attributes;
    +  sequence<SanitizerAttribute> removeAttributes;
    +};
    +
    +typedef (DOMString or SanitizerElementNamespace) SanitizerElement;
    +typedef (DOMString or SanitizerElementNamespaceWithAttributes) SanitizerElementWithAttributes;
    +
    +dictionary SanitizerProcessingInstruction {
    +  required DOMString target;
     };
     
    -typedef (DOMString or SanitizerElementNamespace) SanitizerElement;
    -typedef (DOMString or SanitizerElementNamespaceWithAttributes) SanitizerElementWithAttributes;
    +typedef (DOMString or SanitizerProcessingInstruction) SanitizerPI;
     
    -dictionary SanitizerAttributeNamespace {
    -  required DOMString name;
    -  DOMString? _namespace = null;
    +dictionary SanitizerAttributeNamespace {
    +  required DOMString name;
    +  DOMString? _namespace = null;
     };
    -typedef (DOMString or SanitizerAttributeNamespace) SanitizerAttribute;
    +typedef (DOMString or SanitizerAttributeNamespace) SanitizerAttribute;
     
    -dictionary SanitizerConfig {
    -  sequence<SanitizerElementWithAttributes> elements;
    -  sequence<SanitizerElement> removeElements;
    -  sequence<SanitizerElement> replaceWithChildrenElements;
    +dictionary SanitizerConfig {
    +  sequence<SanitizerElementWithAttributes> elements;
    +  sequence<SanitizerElement> removeElements;
    +  sequence<SanitizerElement> replaceWithChildrenElements;
     
    -  sequence<SanitizerAttribute> attributes;
    -  sequence<SanitizerAttribute> removeAttributes;
    +  sequence<SanitizerPI> processingInstructions;
    +  sequence<SanitizerPI> removeProcessingInstructions;
     
    -  boolean comments;
    -  boolean dataAttributes;
    +  sequence<SanitizerAttribute> attributes;
    +  sequence<SanitizerAttribute> removeAttributes;
    +
    +  boolean comments;
    +  boolean dataAttributes;
     };
    TODO
    Configuration invariants
    - TODO +

    Configurations can and ought to be modified by developers to suit their purposes. Options are to + write a new SanitizerConfig dictionary from scratch, to modify an existing + Sanitizer's configuration by using the modifier methods, or to get() an existing Sanitizer's configuration + as a dictionary and modify the dictionary and then create a new Sanitizer with it.

    -

    Processing model

    +

    An empty configuration allows everything (when called with the "unsafe" methods like setHTMLUnsafe()). A configuration "default" contains a built-in safe default + configuration. Note that "safe" and "unsafe" sanitizer methods have different defaults.

    + +

    Not all configuration dictionaries are valid. A valid configuration avoids redundancy (like + specifying the same element to be allowed twice) and contradictions (like specifying an element + to be both removed and allowed.)

    + +

    Several conditions need to hold for a configuration to be valid:

    + +
      +
    • Mixing global allow- and remove-lists:

      +
        +
      • elements or removeElements can exist, but not both. If + both are missing, this is equivalent to removeElements being an empty list.

      • + +
      • attributes or removeAttributes can exist, but not both. + If both are missing, this is equivalent to removeAttributes being an empty + list.

      • + +
      • dataAttributes is conceptually + an extension of the attributes allow-list. + The dataAttributes member is only + allowed when an attributes list is + used.

      • +
      +
    • + +
    • Duplicate entries between different global lists:

      +
        +
      • There are no duplicate entries (i.e., no same elements) between elements, removeElements, or replaceWithChildrenElements.

      • + +
      • There are no duplicate entries (i.e., no same attributes) between attributes or removeAttributes.

      • +
      +
    • + +
    • Mixing local allow- and remove-lists on the same element:

      +
        +
      • When an attributes list exists, + both, either or none of the attributes and removeAttributes + lists are allowed on the same element.

      • + +
      • When a removeAttributes list + exists, either or none of the attributes and removeAttributes + lists are allowed on the same element, but not both.

      • +
      +
    • - TODO ("Algorithms" section) +
    • Duplicate entries on the same element:

      +
        +
      • There are no duplicate entries between attributes and removeAttributes + on the same element.

      • +
      +
    • + +
    • No element from the built-in non-replaceable elements list appears in replaceWithChildrenElements, + since replacing these elements with their children could lead to re-parsing issues or invalid + node trees.

    • +
    + +

    The elements element allow-list can also + specify allowing or removing attributes for a given element. This is meant to mirror this + standard's structure, which knows both global attributes as well as local attributes + that apply to a specific element. Global and local attributes can be mixed, but note that + ambiguous configurations where a particular attribute would be allowed by one list and forbidden + by another, are generally invalid.

    + + + + + + + + + + + + + + + + + + + + + +
    global attributesglobal removeAttributes
    local attributesAn attribute is allowed if it matches either list. No duplicates are allowed.An attribute is only allowed if it's in the local allow list. No duplicate entries between + global remove and local allow lists are allowed. Note that the global remove list has no + function for this particular element, but may well apply to other elements that do not have a + local allow list.
    local removeAttributesAn attribute is allowed if it's in the global allow-list, but not in the local remove-list. + Local remove must be a subset of the global allow lists.An attribute is allowed if it is in neither list. No duplicate entries between global + remove and local remove lists are allowed.
    + +

    Please note the asymmetry where mostly no duplicates between global and per-element lists are + permitted, but in the case of a global allow-list and a per-element remove-list the latter must be + a subset of the former. An excerpt of the table above, only focusing on duplicates, is as + follows:

    + + + + + + + + + + + + + + + + + + + + + +
    global attributesglobal removeAttributes
    local attributesNo duplicates are allowed.No duplicates are allowed.
    local removeAttributesLocal remove must be a subset of the global allow lists.No duplicates are allowed.
    + +

    The dataAttributes setting allows custom data attributes. The rules above easily extends to + custom data attributes if one considers dataAttributes to be an allow-list:

    + + + + + + + + + + + + + + + + + + +
    global attributes and dataAttributes set
    local attributesAll custom data attributes are allowed. No + custom data attributes may be listed in any + allow-list, as that would mean a duplicate entry.
    local removeAttributesA custom data attribute is allowed, unless it's + listed in the local remove-list. No custom data + attribute may be listed in the global allow-list, as that would mean a duplicate + entry.
    + +

    Putting these rules in words:

    + +
      +
    • Duplicates and interactions between global and local lists:

      +
        +
      • If a global attributes allow list + exists, then all element's local lists:

        +
          +
        • If a local attributes allow list + exists, there may be no duplicate entries between these lists.

        • + +
        • If a local removeAttributes + remove list exists, then all its entries must also be listed in the global attributes allow list.

        • + +
        • If dataAttributes is true, + then no custom data attributes may be listed in + any of the allow-lists.

        • +
        +
      • + +
      • If a global removeAttributes + remove list exists, then:

        +
          +
        • If a local attributes allow list + exists, there may be no duplicate entries between these lists.

        • + +
        • If a local removeAttributes + remove list exists, there may be no duplicate entries between these lists.

        • + +
        • Not both a local attributes allow list + and local removeAttributes + remove list exists.

        • + +
        • dataAttributes must be + false.

        • +
        +
      • +
      +
    • +
    + +

    Processing model

    + + + +
    +

    The get() method steps + are:

    + +

    Outside of the get() method, the order of + the Sanitizer's elements and attributes is unobservable. By explicitly sorting the + result of this method, we give implementations the opportunity to optimize by, for example, using + unordered sets internally.

    + +
      +
    1. Let config be this's configuration.

    2. + +
    3. Assert: config is valid.

    4. + +
    5. If config["elements"] + exists, then:

      + +
        +
      1. For any element of config["elements"]:

        + +
          +
        1. If element["attributes"] + exists, then set element["attributes"] to the + result of sort in ascending order element["attributes"], with + attrA being less than item attrB.

        2. + +
        3. If element["removeAttributes"] + exists, then set element["removeAttributes"] + to the result of sort in ascending order element["removeAttributes"], + with attrA being less than item attrB.

        4. +
        +
      2. + +
      3. Set config["elements"] to + the result of sort in ascending order config["elements"], with elementA being + less than item elementB.

      4. +
      +
    6. + +
    7. Otherwise:

      +
        +
      1. Set config["removeElements"] to the result of sort + in ascending order config["removeElements"], with + elementA being less than item elementB.

      2. +
      +
    8. + +
    9. If config["replaceWithChildrenElements"] + exists, then set config["replaceWithChildrenElements"] to + the result of sort in ascending order config["replaceWithChildrenElements"], + with elementA being less than item elementB.

    10. + +
    11. If config["processingInstructions"] + exists, then set config["processingInstructions"] to the result + of sort in ascending order config["processingInstructions"], with + piA["target"] being + ASCII code unit less than piB["target"].

    12. + +
    13. Otherwise:

      +
        +
      1. Set config["removeProcessingInstructions"] + to the result of sort in ascending order config["removeProcessingInstructions"], + with piA["target"] being ASCII code unit + less than piB["target"].

      2. +
      +
    14. + +
    15. If config["attributes"] + exists, then set config["attributes"] to the result of sort in + ascending order config["attributes"], with attrA being + less than item attrB.

    16. + +
    17. Otherwise:

      +
        +
      1. Set config["removeAttributes"] to the result of + sort in ascending order config["removeAttributes"], with + attrA being less than item attrB.

      2. +
      +
    18. + +
    19. Return config.

    20. +
    +
    + +
    +

    An item itemA is less than item itemB if:

    + +
      +
    1. If itemA's namespace member is null, then:

      +
        +
      1. If itemB's namespace member is not null, then return + true.

      2. +
      +
    2. + +
    3. Otherwise:

      +
        +
      1. If itemB's namespace member is null, then return + false.

      2. + +
      3. If itemA's namespace member is ASCII code unit less + than itemB's namespace member, then return true.

      4. + +
      5. If itemA's namespace member is not equal to itemB's + namespace member, then return false.

      6. +
      +
    4. + +
    5. Return itemA's name member is ASCII code unit less + than itemB's name member.

    6. +
    +
    + +
    +

    The allowElement(element) method steps + are:

    + +
      +
    1. Let configuration be this's configuration.

    2. + +
    3. Assert: configuration is valid.

    4. + +
    5. Set element to the result of canonicalize a sanitizer element with + attributes with element.

    6. + +
    7. If configuration["elements"] exists, then:

      + +
        +
      1. Let modified be the result of SanitizerConfig/remove + element from configuration["replaceWithChildrenElements"].

      2. + +
      3. If configuration["attributes"] exists, then:

        + +
          +
        1. If element["attributes"] + exists, then:

          + +
            +
          1. Set element["attributes"] to the + result of remove duplicates from element["attributes"].

          2. + +
          3. Set element["attributes"] to the + set/difference of element["attributes"] and + configuration["attributes"].

          4. + +
          5. If configuration["dataAttributes"] is true, then + remove all items item from element["attributes"] where + item is a custom data attribute.

          6. +
          +
        2. + +
        3. If element["removeAttributes"] + exists, then:

          + +
            +
          1. Set element["removeAttributes"] + to the result of remove duplicates from element["removeAttributes"].

          2. + +
          3. Set element["removeAttributes"] + to the intersection of element["removeAttributes"] + and configuration["attributes"].

          4. +
          +
        4. +
        +
      4. + +
      5. Otherwise:

        + +
          +
        1. If element["attributes"] + exists, then:

          + +
            +
          1. Set element["attributes"] to the + result of remove duplicates from element["attributes"].

          2. + +
          3. Set element["attributes"] to the + set/difference of element["attributes"] and + element["removeAttributes"] + (or an empty list if it does not exist).

          4. + +
          5. Remove element["removeAttributes"].

          6. + +
          7. Set element["attributes"] to the + set/difference of element["attributes"] and + configuration["removeAttributes"].

          8. +
          +
        2. + +
        3. If element["removeAttributes"] + exists, then:

          + +
            +
          1. Set element["removeAttributes"] + to the result of remove duplicates from element["removeAttributes"].

          2. + +
          3. Set element["removeAttributes"] + to the set/difference of element["removeAttributes"] + and configuration["removeAttributes"].

          4. +
          +
        4. +
        +
      6. + +
      7. If configuration["elements"] does not contain + element, then:

        + +
          +
        1. Append element to configuration["elements"].

        2. + +
        3. Return true.

        4. +
        +
      8. + +
      9. Let current element be the item in configuration["elements"] whose name member is element's name member and whose _namespace member is + element's _namespace member.

      10. + +
      11. If element is equal to current element, then return + modified.

      12. + +
      13. SanitizerConfig/remove element from + configuration["elements"].

      14. + +
      15. Append element to configuration["elements"].

      16. + +
      17. Return true.

      18. +
      +
    8. + +
    9. Otherwise:

      + +
        +
      1. If element["attributes"] + exists or element["removeAttributes"] + (or an empty list if it does not exist) is not empty, then return false.

      2. + +
      3. Let modified be the result of SanitizerConfig/remove + element from configuration["replaceWithChildrenElements"].

      4. + +
      5. If configuration["removeElements"] does not + contain element, then return modified.

      6. + +
      7. SanitizerConfig/remove element from + configuration["removeElements"].

      8. + +
      9. Return true.

      10. +
      +
    10. +
    +
    + +
    +

    The removeElement(element) method steps + are to return the result of remove an element with element and + this's configuration.

    +
    + +
    +

    The replaceElementWithChildren(element) + method steps are:

    + +
      +
    1. Let configuration be this's configuration.

    2. + +
    3. Assert: configuration is valid.

    4. + +
    5. Set element to the result of canonicalize a sanitizer + element with element.

    6. + +
    7. If the built-in non-replaceable elements list contains + element, then return false.

    8. + +
    9. Let modified be the result of SanitizerConfig/remove + element from configuration["elements"].

    10. + +
    11. If SanitizerConfig/remove element from + configuration["removeElements"] is true, then set + modified to true.

    12. + +
    13. If configuration["replaceWithChildrenElements"] + does not contain element, then:

      + +
        +
      1. Append element to configuration["replaceWithChildrenElements"].

      2. + +
      3. Return true.

      4. +
      +
    14. + +
    15. Return modified.

    16. +
    +
    + +
    +

    The allowAttribute(attribute) method + steps are:

    + +
      +
    1. Let configuration be this's configuration.

    2. + +
    3. Assert: configuration is valid.

    4. + +
    5. Set attribute to the result of canonicalize a sanitizer + attribute with attribute.

    6. + +
    7. If configuration["attributes"] exists, then:

      + +
        +
      1. If configuration["dataAttributes"] is true and + attribute is a custom data attribute, then return false.

      2. + +
      3. If configuration["attributes"] contains + attribute, then return false.

      4. + +
      5. If configuration["elements"] exists, then:

        + +
          +
        1. For each element in configuration["elements"]:

          + +
            +
          1. If element["attributes"] (or an + empty list if it does not exist) contains attribute, then + remove attribute from element["attributes"].

          2. +
          +
        2. +
        +
      6. + +
      7. Append attribute to configuration["attributes"].

      8. + +
      9. Return true.

      10. +
      +
    8. + +
    9. Otherwise:

      + +
        +
      1. If configuration["removeAttributes"] does not + contain attribute, then return false.

      2. + +
      3. SanitizerConfig/remove attribute from + configuration["removeAttributes"].

      4. + +
      5. Return true.

      6. +
      +
    10. +
    +
    + +
    +

    The removeAttribute(attribute) method + steps are to return the result of remove an attribute with attribute and + this's configuration.

    +
    + +
    +

    The setComments(allow) method steps + are:

    + +
      +
    1. Let configuration be this's configuration.

    2. + +
    3. Assert: configuration is valid.

    4. + +
    5. If configuration["comments"] exists and is equal to + allow, then return false.

    6. + +
    7. Set configuration["comments"] to allow.

    8. + +
    9. Return true.

    10. +
    +
    + +
    +

    The setDataAttributes(allow) method + steps are:

    + +
      +
    1. Let configuration be this's configuration.

    2. + +
    3. Assert: configuration is valid.

    4. + +
    5. If configuration["dataAttributes"] exists and is + equal to allow, then return false.

    6. + +
    7. If allow is false and configuration["attributes"] exists, then:

      + +
        +
      1. For each element in configuration["elements"] (or an empty list if it does not + exist):

        + +
          +
        1. Remove all items item from element["attributes"] (or an + empty list if it does not exist) where item is a custom data + attribute.

        2. +
        +
      2. + +
      3. Remove all items item from configuration["attributes"] where item is a + custom data attribute.

      4. +
      +
    8. + +
    9. Set configuration["dataAttributes"] to allow.

    10. + +
    11. Return true.

    12. +
    +
    + +
    +

    The removeUnsafe() method steps are to update + this's configuration with the result of remove unsafe + from this's configuration.

    +
    + +

    Sanitization algorithms

    + +
    +

    To set and filter HTML, given an Element or + DocumentFragment target, an Element + contextElement, a string html, a dictionary + options, and a boolean safe:

    + +
      +
    1. If safe is true, contextElement's local name is + "script", and contextElement's namespace is the + HTML namespace or the SVG namespace, then return.

    2. + +
    3. Let sanitizer be the result of calling get a sanitizer instance from + options with options and safe.

    4. + +
    5. Let newChildren be the result of the HTML fragment parsing + algorithm given contextElement, html, and true.

    6. + +
    7. Let fragment be a new DocumentFragment whose node + document is contextElement's node document.

    8. + +
    9. For each node in newChildren, append node to fragment.

    10. + +
    11. Call sanitize on fragment with sanitizer and + safe.

    12. + +
    13. Replace all with fragment within + target.

    14. +
    +
    + +
    +

    To get a sanitizer instance from options from a dictionary + options with a boolean safe:

    + +
      +
    1. Let sanitizerSpec be "default".

    2. + +
    3. If options["sanitizer"] exists, then set + sanitizerSpec to options["sanitizer"].

    4. + +
    5. Assert: sanitizerSpec is either a Sanitizer instance, + a SanitizerPresets member, or a SanitizerConfig dictionary.

    6. + +
    7. If sanitizerSpec is a string, then:

      + +
        +
      1. Assert: sanitizerSpec is "default".

      2. + +
      3. Set sanitizerSpec to the built-in safe default + configuration.

      4. +
      +
    8. + +
    9. If sanitizerSpec is a dictionary, then:

      + +
        +
      1. Let sanitizer be a new Sanitizer instance.

      2. + +
      3. If set a configuration sanitizerSpec with + (not safe) and sanitizer is false, then throw a + TypeError.

      4. + +
      5. Set sanitizerSpec to sanitizer.

      6. +
      +
    10. + +
    11. Return sanitizerSpec.

    12. +
    +
    + +
    +

    To sanitize a ParentNode node with a + Sanitizer sanitizer and a boolean safe:

    + +
      +
    1. Let configuration be sanitizer's configuration.

    2. + +
    3. Assert: configuration is valid.

    4. + +
    5. If safe is true, then set configuration to the result of calling + remove unsafe on configuration.

    6. + +
    7. Call sanitize core on node, configuration, and with + handleJavascriptNavigationUrls set to safe.

    8. +
    +
    + +
    +

    The sanitize core operation, using a ParentNode node, a + SanitizerConfig configuration, and a boolean + handleJavascriptNavigationUrls, recurses over the DOM tree beginning with + node. It consists of these steps:

    + +
      +
    1. For each child of node's children:

      + +
        +
      1. Assert: child is a Text, Comment, + Element, ProcessingInstruction, or DocumentType + node.

      2. + +
      3. If child is a DocumentType node, then + continue.

      4. + +
      5. If child is a Text node, then continue.

      6. + +
      7. If child is a Comment node, then:

        + +
          +
        1. If configuration["comments"] is not true, then + remove child.

        2. +
        +
      8. + +
      9. If child is a ProcessingInstruction node, then:

        + +
          +
        1. Let piTarget be child's target.

        2. + +
        3. If configuration["processingInstructions"] + exists, then:

          + +
            +
          1. If configuration["processingInstructions"] does not + contain piTarget, then remove child.

          2. +
          +
        4. + +
        5. Otherwise:

          +
            +
          1. If configuration["removeProcessingInstructions"] + contains piTarget, then remove + child.

          2. +
          +
        6. +
        +
      10. + +
      11. Otherwise:

        +
          +
        1. Let elementName be a SanitizerElementNamespace with + child's local name and namespace.

        2. + +
        3. If configuration["replaceWithChildrenElements"] + exists and configuration["replaceWithChildrenElements"] + contains elementName, then:

          + +
            +
          1. Assert: node is not a Document.

          2. + +
          3. Call sanitize core on child with configuration + and handleJavascriptNavigationUrls.

          4. + +
          5. Replace all with child's children within + child.

          6. + +
          7. Continue.

          8. +
          +
        4. + +
        5. If configuration["elements"] exists, then:

          + +
            +
          1. If configuration["elements"] does not contain + elementName, then remove child and + continue.

          2. +
          +
        6. + +
        7. Otherwise:

          +
            +
          1. If configuration["removeElements"] contains + elementName, then remove child and + continue.

          2. +
          +
        8. + +
        9. If elementName is a template element in the HTML + namespace, then call sanitize core on child's template + contents with configuration and + handleJavascriptNavigationUrls.

        10. + +
        11. If child is a shadow host, then call sanitize + core on child's shadow root with configuration and + handleJavascriptNavigationUrls.

        12. + +
        13. Let elementWithLocalAttributes be null.

        14. + +
        15. If configuration["elements"] exists and + configuration["elements"] contains + elementName, then set elementWithLocalAttributes to + configuration["elements"][elementName].

        16. + +
        17. For each attribute in child's attribute + list:

          + +
            +
          1. Let attrName be a SanitizerAttributeNamespace with + attribute's local name and namespace.

          2. + +
          3. If elementWithLocalAttributes["removeAttributes"] + exists and elementWithLocalAttributes["removeAttributes"] + contains attrName, then remove an attribute + attribute.

          4. + +
          5. Otherwise, if configuration["attributes"] exists, then:

            + +
              +
            1. If configuration["attributes"] does not contain + attrName and elementWithLocalAttributes["attributes"] + does not contain attrName, and if "data-" is not a prefix of attribute's local + name or attribute's namespace is not null or + configuration["dataAttributes"] + is not true, then remove an attribute attribute.

            2. +
            +
          6. + +
          7. Otherwise:

            +
              +
            1. If elementWithLocalAttributes["attributes"] + exists and elementWithLocalAttributes["attributes"] + does not contain attrName, then remove an + attribute attribute.

            2. + +
            3. Otherwise, if configuration["removeAttributes"] + contains attrName, then remove an attribute + attribute.

            4. +
            +
          8. + +
          9. If handleJavascriptNavigationUrls is true, then:

            +
              +
            1. If the pair (elementName, attrName) matches an entry in + the built-in navigating URL attributes list, and if attribute + contains a javascript: URL, then remove an attribute + attribute.

            2. + +
            3. If child's namespace is the MathML + Namespace, attribute's local name is "href", and attribute's namespace is null or + the XLink namespace, and attribute contains a + javascript: URL, then remove an attribute + attribute.

            4. + +
            5. If the built-in animating URL attributes list contains + the pair (elementName, attrName), and attribute's + value is "href" or "xlink:href", then remove an attribute + attribute.

            6. +
            +
          10. +
          +
        18. + +
        19. Call sanitize core on child with configuration + and handleJavascriptNavigationUrls.

        20. +
        +
      12. +
      +
    2. +
    +
    + +
    +

    To determine whether an attribute attribute contains a javascript: + URL:

    + +
      +
    1. Let url be the result of running the basic URL parser on + attribute's value.

    2. + +
    3. If url is failure, then return false.

    4. + +
    5. Return whether url's scheme is "javascript".

    6. +
    +
    + +

    Sanitization constants

    + +

    The built-in safe baseline configuration is a SanitizerConfig whose + members are as follows:

    + +
    +
    removeElements
    +
    +

    A list of SanitizerElementNamespace dictionaries:

    +
      +
    • { name: "embed", _namespace: HTML namespace }

    • +
    • { name: "frame", _namespace: HTML namespace }

    • +
    • { name: "iframe", _namespace: HTML namespace }

    • +
    • { name: "object", _namespace: HTML namespace }

    • +
    • { name: "script", _namespace: HTML namespace }

    • +
    • { name: "script", _namespace: SVG namespace }

    • +
    • { name: "use", _namespace: SVG namespace }

    • +
    +
    + +
    removeAttributes
    +

    An empty list.

    +
    + +

    The remove unsafe algorithm additionally removes all event + handler content attributes, which are not listed in the baseline configuration above.

    + +

    The built-in safe default configuration is a SanitizerConfig whose + members are as follows:

    + +
    +
    elements
    +

    A list of SanitizerElementWithAttributes dictionaries, representing a safe subset of HTML, SVG, and MathML elements.

    + +
    attributes
    +

    A list of SanitizerAttributeNamespace dictionaries, representing a safe subset of HTML, SVG, and MathML attributes.

    + +
    comments
    +

    true

    +
    + +

    The exact contents of the built-in safe default configuration are + intended to be a conservative subset of the web platform that is known to be safe. It is + subject to change as the platform evolves.

    + +

    The navigating URL attributes list is a list of pairs of a + SanitizerElementNamespace and a SanitizerAttributeNamespace:

    + +
      +
    • ({ name: "a", _namespace: HTML namespace }, { name: "href", _namespace: null })

    • +
    • ({ name: "area", _namespace: HTML namespace }, { name: "href", _namespace: null })

    • +
    • ({ name: "form", _namespace: HTML namespace }, { name: "action", _namespace: null })

    • +
    • ({ name: "input", _namespace: HTML namespace }, { name: "formaction", _namespace: null })

    • +
    • ({ name: "button", _namespace: HTML namespace }, { name: "formaction", _namespace: null })

    • +
    + +

    The animating URL attributes list is a list of pairs of a + SanitizerElementNamespace and a SanitizerAttributeNamespace:

    + +
      +
    • ({ name: "animate", _namespace: SVG namespace }, { name: "href", _namespace: null })

    • +
    • ({ name: "animate", _namespace: SVG namespace }, { name: "xlink:href", _namespace: "http://www.w3.org/1999/xlink" })

    • +
    • ({ name: "animateMotion", _namespace: SVG namespace }, { name: "href", _namespace: null })

    • +
    • ({ name: "animateMotion", _namespace: SVG namespace }, { name: "xlink:href", _namespace: "http://www.w3.org/1999/xlink" })

    • +
    • ({ name: "animateTransform", _namespace: SVG namespace }, { name: "href", _namespace: null })

    • +
    • ({ name: "animateTransform", _namespace: SVG namespace }, { name: "xlink:href", _namespace: "http://www.w3.org/1999/xlink" })

    • +
    • ({ name: "set", _namespace: SVG namespace }, { name: "href", _namespace: null })

    • +
    • ({ name: "set", _namespace: SVG namespace }, { name: "xlink:href", _namespace: "http://www.w3.org/1999/xlink" })

    • +
    + +

    The built-in non-replaceable elements list is a list of + SanitizerElementNamespace dictionaries:

    + +
      +
    • { name: "html", _namespace: HTML namespace }

    • +
    • { name: "head", _namespace: HTML namespace }

    • +
    • { name: "body", _namespace: HTML namespace }

    • +
    + +
    +

    To remove an element element from a SanitizerConfig + configuration:

    + +
      +
    1. Assert: configuration is valid.

    2. + +
    3. Set element to the result of canonicalize a sanitizer + element with element.

    4. + +
    5. Let modified be the result of SanitizerConfig/remove + element from configuration["replaceWithChildrenElements"].

    6. + +
    7. If configuration["elements"] exists, then:

      + +
        +
      1. If configuration["elements"] contains + element, then:

        + +
          +
        1. SanitizerConfig/remove element from + configuration["elements"].

        2. + +
        3. Return true.

        4. +
        +
      2. + +
      3. Return modified.

      4. +
      +
    8. + +
    9. Otherwise:

      + +
        +
      1. If configuration["removeElements"] contains + element, then return modified.

      2. + +
      3. Append element to configuration["removeElements"].

      4. + +
      5. Return true.

      6. +
      +
    10. +
    +
    + +
    +

    To remove an attribute attribute from a SanitizerConfig + configuration:

    + +
      +
    1. Assert: configuration is valid.

    2. + +
    3. Set attribute to the result of canonicalize a sanitizer + attribute with attribute.

    4. + +
    5. If configuration["attributes"] exists, then:

      + +
        +
      1. Let modified be the result of SanitizerConfig/remove + attribute from configuration["attributes"].

      2. + +
      3. If configuration["elements"] exists, then:

        + +
          +
        1. For each element of configuration["elements"]:

          + +
            +
          1. If element["attributes"] (or an + empty list if it does not exist) contains attribute, then:

            + +
              +
            1. Set modified to true.

            2. + +
            3. Remove attribute from element["attributes"].

            4. +
            +
          2. + +
          3. If element["removeAttributes"] + (or an empty list if it does not exist) contains attribute, + then:

            + +
              +
            1. Assert: modified is true.

            2. + +
            3. Remove attribute from element["removeAttributes"].

            4. +
            +
          4. +
          +
        2. +
        +
      4. + +
      5. Return modified.

      6. +
      +
    6. + +
    7. Otherwise:

      + +
        +
      1. If configuration["removeAttributes"] contains + attribute, then return false.

      2. + +
      3. If configuration["elements"] exists, then:

        + +
          +
        1. For each element in configuration["elements"]:

          + +
            +
          1. If element["attributes"] (or an + empty list if it does not exist) contains attribute, then + remove attribute from element["attributes"].

          2. + +
          3. If element["removeAttributes"] + (or an empty list if it does not exist) contains attribute, + then remove attribute from element["removeAttributes"].

          4. +
          +
        2. +
        +
      4. + +
      5. Append attribute to configuration["removeAttributes"].

      6. + +
      7. Return true.

      8. +
      +
    8. +
    +
    + +
    +

    To remove unsafe from a SanitizerConfig configuration:

    + +
      +
    1. Assert: configuration is valid.

    2. + +
    3. Let result be false.

    4. + +
    5. For each element in built-in safe baseline + configuration["removeElements"]:

      + +
        +
      1. If remove an element element from configuration is + true, then set result to true.

      2. +
      +
    6. + +
    7. For each attribute in built-in safe baseline + configuration["removeAttributes"]:

      + +
        +
      1. If remove an attribute attribute from configuration + is true, then set result to true.

      2. +
      +
    8. + +
    9. For each attribute that is an event handler content + attribute:

      + +
        +
      1. If remove an attribute attribute from configuration + is true, then set result to true.

      2. +
      +
    10. + +
    11. Return result.

    12. +
    +
    + +
    +

    To SanitizerConfig/remove an item from a list list:

    + +
      +
    1. Let removed be false.

    2. + +
    3. For each entry of list:

      + +
        +
      1. If item's name + member is equal to entry's name member and item's _namespace member is equal to + entry's _namespace + member, then:

        + +
          +
        1. Remove entry from list.

        2. + +
        3. Set removed to true.

        4. +
        +
      2. +
      +
    4. + +
    5. Return removed.

    6. +
    +
    + +
    +

    To SanitizerConfig/add a name to a list list:

    + +
      +
    1. If list contains name, then return.

    2. + +
    3. Append name to list.

    4. +
    +
    + +
    +

    To canonicalize a sanitizer element with attributes a + SanitizerElementWithAttributes element:

    + +
      +
    1. Let result be the result of canonicalize a sanitizer + element with element.

    2. + +
    3. If element is a dictionary, then:

      + +
        +
      1. If element["attributes"] + exists, then:

        + +
          +
        1. Let attributes be an empty list.

        2. + +
        3. For each attribute of element["attributes"]:

          + +
            +
          1. Append the result of canonicalize a sanitizer + attribute with attribute to attributes.

          2. +
          +
        4. + +
        5. Set result["attributes"] to + attributes.

        6. +
        +
      2. + +
      3. If element["removeAttributes"] + exists, then:

        + +
          +
        1. Let attributes be an empty list.

        2. + +
        3. For each attribute of element["removeAttributes"]:

          + +
            +
          1. Append the result of canonicalize a sanitizer + attribute with attribute to attributes.

          2. +
          +
        4. + +
        5. Set result["removeAttributes"] + to attributes.

        6. +
        +
      4. +
      +
    4. + +
    5. If neither result["attributes"] nor + result["removeAttributes"] + exists, then set result["removeAttributes"] + to an empty list.

    6. + +
    7. Return result.

    8. +
    +
    + +
    +

    To determine whether a canonical SanitizerConfig config is + valid:

    + +

    It's expected that the configuration being passing in has previously been run + through the canonicalize the configuration steps. We will simply assert conditions + that that algorithm should have guaranteed to hold.

    + +
      +
    1. Assert: config["elements"] exists or + config["removeElements"] exists.

    2. + +
    3. If config["elements"] exists and + config["removeElements"] exists, then + return false.

    4. + +
    5. Assert: Either config["processingInstructions"] + exists or config["removeProcessingInstructions"] + exists.

    6. + +
    7. If config["processingInstructions"] + exists and config["removeProcessingInstructions"] + exists, then return false.

    8. + +
    9. Assert: Either config["attributes"] exists or + config["removeAttributes"] exists.

    10. + +
    11. If config["attributes"] exists and + config["removeAttributes"] exists, then + return false.

    12. + +
    13. Assert: All SanitizerElementNamespaceWithAttributes, + SanitizerElementNamespace, SanitizerProcessingInstruction, and + SanitizerAttributeNamespace items in config are canonical, meaning they + have been run through canonicalize a sanitizer element, canonicalize a + sanitizer processing instruction, or canonicalize a sanitizer attribute, as + appropriate.

    14. + +
    15. If config["elements"] exists:

      +
        +
      1. If config["elements"] + has duplicates, then return false.

      2. +
      +
    16. + +
    17. Otherwise:

      +
        +
      1. If config["removeElements"] has + duplicates, then return false.

      2. +
      +
    18. + +
    19. If config["replaceWithChildrenElements"] + exists and has duplicates, then return false.

    20. + +
    21. If config["processingInstructions"] + exists:

      +
        +
      1. If config["processingInstructions"] has + duplicate targets, then return false.

      2. +
      +
    22. + +
    23. Otherwise:

      +
        +
      1. If config["removeProcessingInstructions"] + has duplicate targets, then return false.

      2. +
      +
    24. + +
    25. If config["attributes"] exists:

      +
        +
      1. If config["attributes"] + has duplicates, then return false.

      2. +
      +
    26. + +
    27. Otherwise:

      +
        +
      1. If config["removeAttributes"] has + duplicates, then return false.

      2. +
      +
    28. + +
    29. If config["replaceWithChildrenElements"] + exists:

      +
        +
      1. For each element of config["replaceWithChildrenElements"]:

        +
          +
        1. If the built-in non-replaceable elements list contains + element, then return false.

        2. +
        +
      2. + +
      3. If config["elements"] exists:

        +
          +
        1. If the intersection of config["elements"] and config["replaceWithChildrenElements"] + is not empty, then return false.

        2. +
        +
      4. + +
      5. Otherwise:

        +
          +
        1. If the intersection of config["removeElements"] and + config["replaceWithChildrenElements"] + is not empty, then return false.

        2. +
        +
      6. +
      +
    30. + +
    31. If config["attributes"] + exists:

      +
        +
      1. Assert: config["dataAttributes"] exists.

      2. + +
      3. If config["elements"] + exists:

        +
          +
        1. For each element of config["elements"]:

          +
            +
          1. If element["attributes"] + exists and element["attributes"] + has duplicates, then return false.

          2. + +
          3. If element["removeAttributes"] + exists and element["removeAttributes"] + has duplicates, then return false.

          4. + +
          5. If the intersection of config["attributes"] and + element["attributes"] (or an + empty list if it does not exist) is not empty, then return false.

          6. + +
          7. If element["removeAttributes"] + (or an empty list if it does not exist) is not a subset of + config["attributes"], then return false.

          8. + +
          9. If config["dataAttributes"] is true and + element["attributes"] + contains a custom data attribute, then return false.

          10. +
          +
        2. +
        +
      4. + +
      5. If config["dataAttributes"] is true and + config["attributes"] contains a + custom data attribute, then return false.

      6. +
      +
    32. + +
    33. Otherwise:

      +
        +
      1. If config["elements"] + exists:

        +
          +
        1. For each element of config["elements"]:

          +
            +
          1. If element["attributes"] + exists and element["removeAttributes"] + exists, then return false.

          2. + +
          3. If element["attributes"] + exists and element["attributes"] + has duplicates, then return false.

          4. + +
          5. If element["removeAttributes"] + exists and element["removeAttributes"] + has duplicates, then return false.

          6. + +
          7. If the intersection of config["removeAttributes"] and + element["attributes"] (or an + empty list if it does not exist) is not empty, then return false.

          8. + +
          9. If the intersection of config["removeAttributes"] and + element["removeAttributes"] + (or an empty list if it does not exist) is not empty, then return false.

          10. +
          +
        2. +
        +
      2. + +
      3. If config["dataAttributes"] exists, then + return false.

      4. +
      +
    34. + +
    35. Return true.

    36. +
    +
    + +

    A list list has duplicates if it contains two or more items that are + equal.

    + +

    A list list has duplicate targets if it contains two or more + SanitizerProcessingInstruction items with the same target member.

    + +

    The intersection of two lists A and B containing + SanitizerElement or SanitizerAttribute items is a list containing all + items that are present in both A and B.

    + +

    A list A is a subset of a list B if every item in A + is also present in B.

    + +

    To compute the difference of two lists A and + B:

    + +
      +
    1. Let result be an empty list.

    2. + +
    3. For each item of A:

      +
        +
      1. If B does not contain item, then + append item to result.

      2. +
      +
    4. + +
    5. Return result.

    6. +
    + +

    Two lists A and B are equal if A + is a subset of B and B is a subset of + A.

    + +

    The built-in non-replaceable elements list contains elements that must not be + replaced with their children, as doing so can lead to re-parsing issues or an invalid node tree. + It is the following list of SanitizerElementNamespace dictionaries:

    + +
      +
    • { name: "html", _namespace: HTML + namespace }

    • + +
    • { name: "svg", _namespace: SVG + namespace }

    • + +
    • { name: "math", _namespace: MathML + namespace }

    • +

    Security consideration

    From 5747e44ea0c38ae530831ce121f78d0f193e351b Mon Sep 17 00:00:00 2001
From: Noam Rosenthal
Date: Tue, 21 Apr 2026 14:16:13 +0100
Subject: [PATCH 04/35] Upstream sanitizer
---
source | 58 +++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 45 insertions(+), 13 deletions(-)
diff --git a/source b/source
index 32b9a5a2679..d0e1600d4e7 100644
--- a/source
+++ b/source
@@ -125724,11 +125724,13 @@ interface Sanitizer {

    A Sanitizer has an associated configuration (a SanitizerConfig).

    +

    The new Sanitizer(configuration) constructor steps are:

      -
    1. If configuration is a SanitizerPresets string, then:

      +
    2. +

      If configuration is a SanitizerPresets string, then:

      1. Assert: configuration is @@ -125742,8 +125744,9 @@ interface Sanitizer {

      2. If set a configuration configuration with true and this is false, then throw a TypeError.

      +
    -
    +

    The allowProcessingInstruction(pi) method steps are:

    @@ -126281,7 +126284,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes
    "] exists, then set element["attributes"] to the - result of sort in ascending order element["sort in ascending order element["attributes"], with attrA being less than item attrB.

    @@ -126289,14 +126292,14 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes
    "] exists, then set element["removeAttributes"] - to the result of sort in ascending order element["sort in ascending order element["removeAttributes"], with attrA being less than item attrB.

  • Set config["elements"] to - the result of sort in ascending order config["sort in ascending order config["elements"], with elementA being less than item elementB.

  • @@ -126316,7 +126319,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-replaceWithChildrenElements">replaceWithChildrenElements"] exists, then set config["replaceWithChildrenElements"] to - the result of sort in ascending order config["sort in ascending order config["replaceWithChildrenElements"], with elementA being less than item elementB.

    @@ -126324,7 +126327,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-processingInstructions">processingInstructions
    "] exists, then set config["processingInstructions"] to the result - of sort in ascending order config["sort in ascending order config["processingInstructions"], with piA["target"] being ASCII code unit less than piB["SanitizerConfig {
    1. Set config["removeProcessingInstructions"] - to the result of sort in ascending order config["sort in ascending order config["removeProcessingInstructions"], with piA["target"] being ASCII code unit @@ -126354,7 +126357,7 @@ dictionary SanitizerConfig {

      1. Set config["removeAttributes"] to the result of - sort in ascending order config["sort in ascending order config["removeAttributes"], with attrA being less than item attrB.

      @@ -127462,7 +127465,7 @@ dictionary SanitizerConfig {

      It's expected that the configuration being passing in has previously been run through the canonicalize the configuration steps. We will simply assert conditions - that that algorithm should have guaranteed to hold.

      + that that algorithm is guaranteed to hold.

      1. Assert: config["SanitizerConfig {
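Review bot: The reworded sentence still does not parse: `We will simply assert conditions that that algorithm is guaranteed to hold`, and the unchanged sentence before it reads `being passing in`. This note is the only place in the hunk that says the validity check relies on canonicalize the configuration having already run, so it is worth making unambiguous. I would write `It's expected that the configuration being passed in has previously been run through the canonicalize the configuration steps. We simply assert the conditions that algorithm guarantees.` The enclosing algorithm starts and ends outside the hunk.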

    +

    A list list has duplicates if it contains two or more items that are equal.

    +
    + +
    +

    To remove duplicates from a list list, run the following steps:

    + +
      +
    1. Let result be an empty list.

    2. + +
    3. For each item of list:

      +
        +
      1. If result does not contain item, then + append item to result.

      2. +
      +
    4. + +
    5. Return result.

    6. +
    +
    +

    A list list has duplicate targets if it contains two or more SanitizerProcessingInstruction items with the same target member.

    +
    -

    The intersection of two lists A and B containing - SanitizerElement or SanitizerAttribute items is a list containing all - items that are present in both A and B.

    +
    +

    The intersection of two lists A and B containing + SanitizerElement or SanitizerAttribute items is a list containing + all items that are present in both A and B.

    +
    +

    A list A is a subset of a list B if every item in A is also present in B.

    +
    +

    To compute the difference of two lists A and B:
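Review bot: Item equality is left undefined for the new remove duplicates steps, which (like has duplicates, intersection and subset beside them) depend on "contains" and on items being "equal". The only "equal" defined in the visible part of this section is for two lists. For element entries that carry their own `attributes` / `removeAttributes` lists, it is not stated whether two entries with the same `name` and `_namespace` but different attribute lists are the same item. If they are not, both would survive deduplication and the later lookup `configuration["elements"][elementName]` would have two candidates, which implementations could resolve differently. Unless this is defined elsewhere in the file, I would add a sentence next to remove duplicates such as `Two SanitizerElement or SanitizerAttribute items are equal if their name and _namespace members are equal.`; the hunk also does not show where remove duplicates is invoked.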

    @@ -127728,10 +127757,13 @@ dictionary SanitizerConfig {
  • Return result.

  • +
    +

    Two lists A and B are equal if A is a subset of B and B is a subset of A.

    +

    The built-in non-replaceable elements list contains elements that must not be replaced with their children, as doing so can lead to re-parsing issues or an invalid node tree.
From 09f526318a9b4bc8f43b4d33de260fa4a0b15960 Mon Sep 17 00:00:00 2001
From: Noam Rosenthal
Date: Tue, 21 Apr 2026 14:23:38 +0100
Subject: [PATCH 05/35] Remove TODO
---
source | 4 ----
1 file changed, 4 deletions(-)
diff --git a/source b/source
index d0e1600d4e7..534392f5493 100644
--- a/source
+++ b/source
@@ -127783,10 +127783,6 @@ dictionary SanitizerConfig { namespace }

    -

    Security consideration

    - - TODO -

    Timers

    The setTimeout() and
Date: Tue, 21 Apr 2026 14:24:14 +0100
Subject: [PATCH 06/35] specfmt
---
source | 527 ++++++++++++++++++++++++++++++++-------------------------
1 file changed, 295 insertions(+), 232 deletions(-)
diff --git a/source b/source
index 534392f5493..bda1375d895 100644
--- a/source
+++ b/source
@@ -124886,29 +124886,27 @@ enum DOMParserSupportedType {

    Unsafe HTML parsing methods

    -
    element.setHTMLUnsafe(html, options)
    +
    element.setHTMLUnsafe(html, options)
    -

    Parses html using the HTML parser with options options, and replaces the children of element - with the result. element provides context for the HTML parser.

    +

    Parses html using the HTML parser with options options, and replaces + the children of element with the result. element provides context for the + HTML parser.

    -
    shadowRoot.setHTMLUnsafe(html, options)
    +
    shadowRoot.setHTMLUnsafe(html, options)
    -

    Parses html using the HTML parser with options options, and replaces the children of - shadowRoot with the result. shadowRoot's Parses html using the HTML parser with options options, and replaces + the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser.

    -
    doc = Document.parseHTMLUnsafe(html, options)
    +
    doc = Document.parseHTMLUnsafe(html, options)
    -

    Parses html using the HTML parser with options options, and returns the resulting - Document.

    +

    Parses html using the HTML parser with options options, and returns the + resulting Document.

    Note that script elements are not evaluated during parsing, and the resulting document's encoding will always be @@ -124924,8 +124922,8 @@ enum DOMParserSupportedType {

    Element's setHTMLUnsafe(html, options) method steps - are:

    + data-x="dom-Element-setHTMLUnsafe">setHTMLUnsafe(html, options)
    + method steps are:

    1. Let compliantHTML be the result of invoking the DOMParserSupportedType {

      ShadowRoot's setHTMLUnsafe(html, options) method steps - are:

      + data-x="dom-ShadowRoot-setHTMLUnsafe">setHTMLUnsafe(html, + options)
      method steps are:

      1. Let compliantHTML be the result of invoking the DOMParserSupportedType { data-x="">script".

      2. Set and filter HTML given this, this's shadow host, compliantHTML, options, and false.

      3. + data-x="concept-DocumentFragment-host">shadow host, compliantHTML, + options, and false.

      Element's setHTML(html, options) method steps - are:

      + data-x="dom-Element-setHTML">setHTML(html, options)
      method + steps are:

      1. Let target be this's template contents if @@ -124975,12 +124974,13 @@ enum DOMParserSupportedType {

        ShadowRoot's setHTML(html, options) method steps - are:

        + data-x="dom-ShadowRoot-setHTML">setHTML(html, options) method + steps are:

        1. Set and filter HTML given this, this's shadow host, html, options, and true.

        2. + data-x="concept-DocumentFragment-host">shadow host, html, options, + and true.

        @@ -124988,7 +124988,8 @@ enum DOMParserSupportedType {

        The static parseHTMLUnsafe(html, options) method steps are:

        + data-x="dom-parseHTMLUnsafe">parseHTMLUnsafe(html, options)
        + method steps are:

        1. Let compliantHTML be the result of invoking the DOMParserSupportedType {

        2. Parse HTML from a string given document and compliantHTML.

        3. -
        4. Let sanitizer be the result of calling get a sanitizer instance from options - with options and false.

        5. +
        6. Let sanitizer be the result of calling get a sanitizer instance from + options with options and false.

        7. -
        8. Call sanitize on document with sanitizer and false.

        9. +
        10. Call sanitize on document with sanitizer and + false.

        11. Return document.

        -

        The static parseHTML(html, options) method steps - are:

        +

        The static parseHTML(html, + options) method steps are:

        1. @@ -125063,17 +125064,14 @@ enum DOMParserSupportedType {

          Safe HTML parsing methods

          -
          element.setHTML(html, options)
          -
          shadowRoot.setHTML(html, options)
          +
          element.setHTML(html, options)
          +
          shadowRoot.setHTML(html, options)

          Parses html using the HTML parser with options options, and replaces the children of the element or shadow root with the result, which is then sanitized.

          -
          doc = Document.parseHTML(html, options)
          +
          doc = Document.parseHTML(html, options)

          Parses html using the HTML parser with options options, and returns a new Document containing the result, which is then sanitized.

          @@ -125645,9 +125643,9 @@ interface XMLSerializer {

          Web applications often need to work with strings of HTML on the client side, perhaps as part of a client-side templating solution, or perhaps as part of rendering user-generated content. It is - difficult to do so in a safe way. The naive approach of joining strings together and stuffing - them into an element's innerHTML is fraught with risk, - as it can cause script execution in a number of unexpected ways.

          + difficult to do so in a safe way. The naive approach of joining strings together and stuffing them + into an element's innerHTML is fraught with risk, as + it can cause script execution in a number of unexpected ways.

          Libraries like DOMPurify attempt to manage this problem by carefully parsing and sanitizing strings before insertion, by constructing a DOM and filtering its members through an @@ -125658,10 +125656,9 @@ interface XMLSerializer { features.

          The browser has a fairly good idea of when it is going to execute code. We can improve upon - user-space libraries by teaching the browser how to render HTML from an arbitrary string in a - safe manner, and do so in a way that is much more likely to be maintained and updated along with - the browser's own changing parser implementation. The APIs in this section aim to do just - that.

          + user-space libraries by teaching the browser how to render HTML from an arbitrary string in a safe + manner, and do so in a way that is much more likely to be maintained and updated along with the + browser's own changing parser implementation. The APIs in this section aim to do just that.

          The goals of these APIs are:

          @@ -125675,13 +125672,13 @@ interface XMLSerializer {
        2. Allow developers to override the default set of elements and attributes. Adding certain elements and attributes can prevent script gadget - attacks.

        3. + href="https://github.com/google/security-research-pocs/tree/master/script-gadgets">script + gadget attacks.

        4. -

          These APIs offer functionality to parse a string containing HTML into a DOM tree, and to - filter the resulting tree according to a user-supplied configuration. The methods come in two - main flavors:

          +

          These APIs offer functionality to parse a string containing HTML into a DOM tree, and to filter + the resulting tree according to a user-supplied configuration. The methods come in two main + flavors:

          Safe and unsafe
          @@ -125721,20 +125718,20 @@ interface Sanitizer { boolean removeUnsafe(); };
    -

    A Sanitizer has an associated configuration - (a SanitizerConfig).

    +

    A Sanitizer has an associated configuration (a + SanitizerConfig).

    -

    The new Sanitizer(configuration) - constructor steps are:

    +

    The new + Sanitizer(configuration) constructor steps are:

    1. If configuration is a SanitizerPresets string, then:

        -
      1. Assert: configuration is - "default".

      2. +
      3. Assert: configuration is "default".

      4. Set configuration to the built-in safe default configuration.

      5. @@ -125758,12 +125755,13 @@ interface Sanitizer { instruction with pi.

      6. If configuration["processingInstructions"] exists, then:

        + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions
        "] + exists, then:

        1. If configuration["processingInstructions"] contains - pi, then return false.

        2. + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions
          "] + contains pi, then return false.

        3. Append pi to configuration["processingInstructions"].

        4. @@ -125776,15 +125774,15 @@ interface Sanitizer {
          1. If configuration["removeProcessingInstructions"] contains - pi, then:

            + data-x="dom-SanitizerConfig-removeProcessingInstructions">removeProcessingInstructions"] + contains pi, then:

            1. Remove the item from configuration["removeProcessingInstructions"] whose target member is - pi's target member.

            2. + pi's target + member.

            3. Return true.

            @@ -125808,19 +125806,20 @@ interface Sanitizer { instruction with pi.

          2. If configuration["processingInstructions"] exists, then:

            + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions
            "] + exists, then:

            1. If configuration["processingInstructions"] contains - pi, then:

              + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions"] + contains pi, then:

              1. Remove the item from configuration["processingInstructions"] - whose target member is - pi's target member.

              2. + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions"] whose + target member is + pi's target + member.

              3. Return true.

              @@ -125834,8 +125833,8 @@ interface Sanitizer {
              1. If configuration["removeProcessingInstructions"] contains - pi, then return false.

              2. + data-x="dom-SanitizerConfig-removeProcessingInstructions">removeProcessingInstructions"] + contains pi, then return false.

              3. Append pi to configuration["removeProcessingInstructions"].

              4. @@ -125847,9 +125846,9 @@ interface Sanitizer {
    -

    To set a configuration, given a dictionary - configuration, a boolean allowCommentsPIsAndDataAttributes, and a - Sanitizer sanitizer:

    +

    To set a configuration, given a dictionary configuration, + a boolean allowCommentsPIsAndDataAttributes, and a Sanitizer + sanitizer:

    1. Canonicalize the configuration configuration with @@ -125857,7 +125856,8 @@ interface Sanitizer {

    2. If configuration is not valid, then return false.

    3. -
    4. Set sanitizer's configuration to configuration.

    5. +
    6. Set sanitizer's configuration to + configuration.

    7. Return true.

    @@ -125877,8 +125877,8 @@ interface Sanitizer { -
  • If configuration["elements"] exists, then:

    +
  • If configuration["elements"] + exists, then:

    1. For each element in configuration["elements"]:

      @@ -125900,14 +125900,15 @@ interface Sanitizer {
    2. If neither configuration["elements"] nor configuration["removeElements"] exists, then set - configuration["removeElements"] - to an empty list.

    3. + configuration["removeElements"] to an empty list.

    4. If neither configuration["attributes"] nor configuration["removeAttributes"] exists, then set configuration["removeAttributes"] to an empty list.

    5. + data-x="dom-SanitizerConfig-removeAttributes">removeAttributes"] to an empty + list.

    6. If neither configuration["processingInstructions"] nor @@ -125926,9 +125927,8 @@ interface Sanitizer {

  • -
  • If configuration["comments"] does not exist, set it to - allowCommentsPIsAndDataAttributes.

  • +
  • If configuration["comments"] + does not exist, set it to allowCommentsPIsAndDataAttributes.

  • If configuration["dataAttributes"] does not exist, @@ -125967,7 +125967,8 @@ interface Sanitizer {

  • -

    In order to canonicalize a sanitizer processing instruction pi, run the following steps:

    +

    In order to canonicalize a sanitizer processing instruction pi, run the + following steps:

    1. If pi is a string, then set pi to a new @@ -126026,11 +126027,12 @@ dictionary SanitizerConfig {

      Configuration invariants
      -

      Configurations can and ought to be modified by developers to suit their purposes. Options are to - write a new SanitizerConfig dictionary from scratch, to modify an existing +

      Configurations can and ought to be modified by developers to suit their purposes. Options are + to write a new SanitizerConfig dictionary from scratch, to modify an existing Sanitizer's configuration by using the modifier methods, or to get() an existing Sanitizer's configuration - as a dictionary and modify the dictionary and then create a new Sanitizer with it.

      + data-x="dom-Sanitizer-get">get() an existing Sanitizer's + configuration as a dictionary and modify the dictionary and then create a new + Sanitizer with it.

      An empty configuration allows everything (when called with the "unsafe" methods like setHTMLUnsafe()). A configuration "SanitizerConfig { configuration. Note that "safe" and "unsafe" sanitizer methods have different defaults.

      Not all configuration dictionaries are valid. A valid configuration avoids redundancy (like - specifying the same element to be allowed twice) and contradictions (like specifying an element - to be both removed and allowed.)

      + specifying the same element to be allowed twice) and contradictions (like specifying an element to + be both removed and allowed.)

      Several conditions need to hold for a configuration to be valid:

      @@ -126174,9 +126176,9 @@ dictionary SanitizerConfig { -

      The dataAttributes setting allows custom data attributes. The rules above easily extends to - custom data attributes if one considers The dataAttributes setting allows + custom data attributes. The rules above easily extends + to custom data attributes if one considers dataAttributes to be an allow-list:

      @@ -126259,8 +126261,8 @@ dictionary SanitizerConfig {
      -

      The get() method steps - are:

      +

      The get() method + steps are:

      Outside of the get() method, the order of the Sanitizer's elements and attributes is unobservable. By explicitly sorting the @@ -126292,7 +126294,8 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"] exists, then set element["removeAttributes"] - to the result of sort in ascending order element["sort in ascending order + element["removeAttributes"], with attrA being less than item attrB.

      @@ -126310,8 +126313,8 @@ dictionary SanitizerConfig {
    2. Set config["removeElements"] to the result of sort in ascending order config["removeElements"], with - elementA being less than item elementB.

    3. + data-x="dom-SanitizerConfig-removeElements">removeElements
      "], with elementA + being less than item elementB.

      @@ -126337,11 +126340,11 @@ dictionary SanitizerConfig {
      1. Set config["removeProcessingInstructions"] - to the result of sort in ascending order config["sort in ascending order + config["removeProcessingInstructions"], - with piA["target"] being ASCII code unit - less than piB["piA["target"] + being ASCII code unit less than piB["target"].

      @@ -126356,10 +126359,10 @@ dictionary SanitizerConfig {
    4. Otherwise:

      1. Set config["removeAttributes"] to the result of - sort in ascending order config["removeAttributes"], with - attrA being less than item attrB.

      2. + data-x="dom-SanitizerConfig-removeAttributes">removeAttributes
        "] to the result of sort in ascending order config["removeAttributes"], with attrA + being less than item attrB.

    5. @@ -126380,8 +126383,7 @@ dictionary SanitizerConfig {
    6. Otherwise:

        -
      1. If itemB's namespace member is null, then return - false.

      2. +
      3. If itemB's namespace member is null, then return false.

      4. If itemA's namespace member is ASCII code unit less than itemB's namespace member, then return true.

      5. @@ -126409,8 +126411,8 @@ dictionary SanitizerConfig {
      6. Set element to the result of canonicalize a sanitizer element with attributes with element.

      7. -
      8. If configuration["elements"] exists, then:

        +
      9. If configuration["elements"] + exists, then:

        1. Let modified be the result of SanitizerConfig/remove @@ -126538,8 +126540,8 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespace-name">name member is element's name member and whose _namespace member is - element's _namespace member.

        2. + element's _namespace + member.

        3. If element is equal to current element, then return modified.

        4. @@ -126599,8 +126601,8 @@ dictionary SanitizerConfig {
        5. Assert: configuration is valid.

        6. -
        7. Set element to the result of canonicalize a sanitizer - element with element.

        8. +
        9. Set element to the result of canonicalize a sanitizer element with + element.

        10. If the built-in non-replaceable elements list contains element, then return false.

        11. @@ -126640,8 +126642,8 @@ dictionary SanitizerConfig {
        12. Assert: configuration is valid.

        13. -
        14. Set attribute to the result of canonicalize a sanitizer - attribute with attribute.

        15. +
        16. Set attribute to the result of canonicalize a sanitizer attribute + with attribute.

        17. If configuration["attributes"] exists, then:

          @@ -126714,9 +126716,8 @@ dictionary SanitizerConfig {
        18. Assert: configuration is valid.

        19. -
        20. If configuration["comments"] exists and is equal to - allow, then return false.

        21. +
        22. If configuration["comments"] + exists and is equal to allow, then return false.

        23. Set configuration["comments"] to allow.

        24. @@ -126771,8 +126772,8 @@ dictionary SanitizerConfig {

          The removeUnsafe() method steps are to update - this's configuration with the result of remove unsafe - from this's configuration.

          + this's configuration with the result of remove unsafe from + this's configuration.

          Sanitization algorithms

          @@ -126780,12 +126781,12 @@ dictionary SanitizerConfig {

          To set and filter HTML, given an Element or DocumentFragment target, an Element - contextElement, a string html, a dictionary - options, and a boolean safe:

          + contextElement, a string html, a dictionary options, + and a boolean safe:

            -
          1. If safe is true, contextElement's local name is - "script", and contextElement's namespace is the +

          2. If safe is true, contextElement's local name is "script", and contextElement's namespace is the HTML namespace or the SVG namespace, then return.

          3. Let sanitizer be the result of calling get a sanitizer instance from @@ -126809,16 +126810,15 @@ dictionary SanitizerConfig {

          -

          To get a sanitizer instance from options from a dictionary - options with a boolean safe:

          +

          To get a sanitizer instance from options from a dictionary options with a + boolean safe:

          1. Let sanitizerSpec be "default".

          2. -
          3. If options["sanitizer"] exists, then set - sanitizerSpec to options["

            If options["sanitizer"] + exists, then set sanitizerSpec to options["sanitizer"].

          4. Assert: sanitizerSpec is either a Sanitizer instance, @@ -126840,8 +126840,8 @@ dictionary SanitizerConfig {

            1. Let sanitizer be a new Sanitizer instance.

            2. -
            3. If set a configuration sanitizerSpec with - (not safe) and sanitizer is false, then throw a +

            4. If set a configuration sanitizerSpec with (not + safe) and sanitizer is false, then throw a TypeError.

            5. Set sanitizerSpec to sanitizer.

            6. @@ -126853,11 +126853,12 @@ dictionary SanitizerConfig {
          -

          To sanitize a ParentNode node with a - Sanitizer sanitizer and a boolean safe:

          +

          To sanitize a ParentNode node with a Sanitizer + sanitizer and a boolean safe:

            -
          1. Let configuration be sanitizer's configuration.

          2. +
          3. Let configuration be sanitizer's + configuration.

          4. Assert: configuration is valid.

          5. @@ -126892,8 +126893,8 @@ dictionary SanitizerConfig {
            1. If configuration["comments"] is not true, then - remove child.

            2. + data-x="dom-SanitizerConfig-comments">comments
              "] is not true, then remove + child.

            @@ -126908,8 +126909,9 @@ dictionary SanitizerConfig {
            1. If configuration["processingInstructions"] does not - contain piTarget, then remove child.

            2. + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions"] does + not contain piTarget, then remove + child.

            @@ -126981,10 +126983,9 @@ dictionary SanitizerConfig {
          6. If configuration["elements"] exists and - configuration["elements"] contains - elementName, then set elementWithLocalAttributes to - configuration["configuration["elements"] + contains elementName, then set elementWithLocalAttributes + to configuration["elements"][elementName].

          7. For each attribute in child's attribute @@ -127008,12 +127009,12 @@ dictionary SanitizerConfig {

          8. If configuration["attributes"] does not contain attrName and elementWithLocalAttributes["attributes"] - does not contain attrName, and if "data-" is not a prefix of attribute's local - name or attribute's namespace is not null or - configuration["dataAttributes"] - is not true, then remove an attribute attribute.

          9. + data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes
            "] does + not contain attrName, and if "data-" is + not a prefix of attribute's local name or attribute's + namespace is not null or configuration["dataAttributes"] is not true, then + remove an attribute attribute.

          @@ -127022,9 +127023,9 @@ dictionary SanitizerConfig {
        25. If elementWithLocalAttributes["attributes"] exists and elementWithLocalAttributes["attributes"] - does not contain attrName, then remove an - attribute attribute.

        26. + data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes"] does + not contain attrName, then remove an attribute + attribute.

        27. Otherwise, if configuration["removeAttributes"] @@ -127035,17 +127036,16 @@ dictionary SanitizerConfig {

        28. If handleJavascriptNavigationUrls is true, then:

            -
          1. If the pair (elementName, attrName) matches an entry in - the built-in navigating URL attributes list, and if attribute +

          2. If the pair (elementName, attrName) matches an entry in the + built-in navigating URL attributes list, and if attribute contains a javascript: URL, then remove an attribute attribute.

          3. -
          4. If child's namespace is the MathML - Namespace, attribute's local name is "href", and attribute's namespace is null or - the XLink namespace, and attribute contains a - javascript: URL, then remove an attribute - attribute.

          5. +
          6. If child's namespace is the MathML Namespace, + attribute's local name is "href", and + attribute's namespace is null or the XLink + namespace, and attribute contains a javascript: URL, then + remove an attribute attribute.

          7. If the built-in animating URL attributes list contains the pair (elementName, attrName), and attribute's @@ -127057,8 +127057,8 @@ dictionary SanitizerConfig {

        29. -
        30. Call sanitize core on child with configuration - and handleJavascriptNavigationUrls.

        31. +
        32. Call sanitize core on child with configuration and + handleJavascriptNavigationUrls.

      @@ -127091,13 +127091,27 @@ dictionary SanitizerConfig {

      A list of SanitizerElementNamespace dictionaries:

        -
      • { name: "embed", _namespace: HTML namespace }

      • -
      • { name: "frame", _namespace: HTML namespace }

      • -
      • { name: "iframe", _namespace: HTML namespace }

      • -
      • { name: "object", _namespace: HTML namespace }

      • -
      • { name: "script", _namespace: HTML namespace }

      • -
      • { name: "script", _namespace: SVG namespace }

      • -
      • { name: "use", _namespace: SVG namespace }

      • +
      • { name: "embed", _namespace: HTML namespace + }

      • +
      • { name: "frame", _namespace: HTML namespace + }

      • +
      • { name: "iframe", _namespace: HTML namespace + }

      • +
      • { name: "object", _namespace: HTML namespace + }

      • +
      • { name: "script", _namespace: HTML namespace + }

      • +
      • { name: "script", _namespace: SVG namespace + }

      • +
      • { name: "use", _namespace: SVG namespace + }

      @@ -127113,51 +127127,102 @@ dictionary SanitizerConfig {
      elements
      -

      A list of SanitizerElementWithAttributes dictionaries, representing a safe subset of HTML, SVG, and MathML elements.

      +

      A list of SanitizerElementWithAttributes dictionaries, representing a safe + subset of HTML, SVG, and MathML elements.

      attributes
      -

      A list of SanitizerAttributeNamespace dictionaries, representing a safe subset of HTML, SVG, and MathML attributes.

      +

      A list of SanitizerAttributeNamespace dictionaries, representing a safe + subset of HTML, SVG, and MathML attributes.

      comments

      true

      The exact contents of the built-in safe default configuration are - intended to be a conservative subset of the web platform that is known to be safe. It is - subject to change as the platform evolves.

      + intended to be a conservative subset of the web platform that is known to be safe. It is subject + to change as the platform evolves.

      The navigating URL attributes list is a list of pairs of a SanitizerElementNamespace and a SanitizerAttributeNamespace:

        -
      • ({ name: "a", _namespace: HTML namespace }, { name: "href", _namespace: null })

      • -
      • ({ name: "area", _namespace: HTML namespace }, { name: "href", _namespace: null })

      • -
      • ({ name: "form", _namespace: HTML namespace }, { name: "action", _namespace: null })

      • -
      • ({ name: "input", _namespace: HTML namespace }, { name: "formaction", _namespace: null })

      • -
      • ({ name: "button", _namespace: HTML namespace }, { name: "formaction", _namespace: null })

      • +
      • ({ name: "a", _namespace: HTML namespace + }, { name: "href", _namespace: null })

      • +
      • ({ name: "area", _namespace: HTML namespace + }, { name: "href", _namespace: null })

      • +
      • ({ name: "form", _namespace: HTML namespace + }, { name: "action", _namespace: null })

      • +
      • ({ name: "input", _namespace: HTML namespace + }, { name: "formaction", _namespace: null })

      • +
      • ({ name: "button", _namespace: HTML namespace + }, { name: "formaction", _namespace: null })

      The animating URL attributes list is a list of pairs of a SanitizerElementNamespace and a SanitizerAttributeNamespace:

        -
      • ({ name: "animate", _namespace: SVG namespace }, { name: "href", _namespace: null })

      • -
      • ({ name: "animate", _namespace: SVG namespace }, { name: "xlink:href", _namespace: "http://www.w3.org/1999/xlink" })

      • -
      • ({ name: "animateMotion", _namespace: SVG namespace }, { name: "href", _namespace: null })

      • -
      • ({ name: "animateMotion", _namespace: SVG namespace }, { name: "xlink:href", _namespace: "http://www.w3.org/1999/xlink" })

      • -
      • ({ name: "animateTransform", _namespace: SVG namespace }, { name: "href", _namespace: null })

      • -
      • ({ name: "animateTransform", _namespace: SVG namespace }, { name: "xlink:href", _namespace: "http://www.w3.org/1999/xlink" })

      • -
      • ({ name: "set", _namespace: SVG namespace }, { name: "href", _namespace: null })

      • -
      • ({ name: "set", _namespace: SVG namespace }, { name: "xlink:href", _namespace: "http://www.w3.org/1999/xlink" })

      • +
      • ({ name: "animate", _namespace: SVG namespace }, + { name: "href", _namespace: null })

      • +
      • ({ name: "animate", _namespace: SVG namespace }, + { name: "xlink:href", _namespace: + "http://www.w3.org/1999/xlink" })

      • +
      • ({ name: "animateMotion", _namespace: SVG namespace }, + { name: "href", _namespace: null })

      • +
      • ({ name: "animateMotion", _namespace: SVG namespace }, + { name: "xlink:href", _namespace: + "http://www.w3.org/1999/xlink" })

      • +
      • ({ name: "animateTransform", + _namespace: SVG + namespace }, { name: "href", + _namespace: null })

      • +
      • ({ name: "animateTransform", + _namespace: SVG + namespace }, { name: + "xlink:href", _namespace: + "http://www.w3.org/1999/xlink" })

      • +
      • ({ name: "set", _namespace: SVG namespace }, + { name: "href", _namespace: null })

      • +
      • ({ name: "set", _namespace: SVG namespace }, + { name: "xlink:href", _namespace: + "http://www.w3.org/1999/xlink" })

      The built-in non-replaceable elements list is a list of SanitizerElementNamespace dictionaries:

        -
      • { name: "html", _namespace: HTML namespace }

      • -
      • { name: "head", _namespace: HTML namespace }

      • -
      • { name: "body", _namespace: HTML namespace }

      • +
      • { name: "html", _namespace: HTML namespace + }

      • +
      • { name: "head", _namespace: HTML namespace + }

      • +
      • { name: "body", _namespace: HTML namespace + }

      @@ -127167,15 +127232,15 @@ dictionary SanitizerConfig {
      1. Assert: configuration is valid.

      2. -
      3. Set element to the result of canonicalize a sanitizer - element with element.

      4. +
      5. Set element to the result of canonicalize a sanitizer element with + element.

      6. Let modified be the result of SanitizerConfig/remove element from configuration["replaceWithChildrenElements"].

      7. -
      8. If configuration["elements"] exists, then:

        +
      9. If configuration["elements"] + exists, then:

        1. If configuration["SanitizerConfig {

          1. Assert: configuration is valid.

          2. -
          3. Set attribute to the result of canonicalize a sanitizer - attribute with attribute.

          4. +
          5. Set attribute to the result of canonicalize a sanitizer attribute + with attribute.

          6. If configuration["attributes"] exists, then:

            @@ -127293,8 +127358,8 @@ dictionary SanitizerConfig {
          7. If element["removeAttributes"] - (or an empty list if it does not exist) contains attribute, - then remove attribute from element["contains attribute, then + remove attribute from element["removeAttributes"].

        2. @@ -127395,8 +127460,8 @@ dictionary SanitizerConfig { SanitizerElementWithAttributes element:

            -
          1. Let result be the result of canonicalize a sanitizer - element with element.

          2. +
          3. Let result be the result of canonicalize a sanitizer element with + element.

          4. If element is a dictionary, then:

            @@ -127412,8 +127477,8 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes
            "]:

              -
            1. Append the result of canonicalize a sanitizer - attribute with attribute to attributes.

            2. +
            3. Append the result of canonicalize a sanitizer attribute + with attribute to attributes.

          5. @@ -127434,8 +127499,8 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes
            "]:

              -
            1. Append the result of canonicalize a sanitizer - attribute with attribute to attributes.

            2. +
            3. Append the result of canonicalize a sanitizer attribute + with attribute to attributes.

            @@ -127460,8 +127525,8 @@ dictionary SanitizerConfig {
      -

      To determine whether a canonical SanitizerConfig config is - valid:

      +

      To determine whether a canonical SanitizerConfig config is valid:

      It's expected that the configuration being passing in has previously been run through the canonicalize the configuration steps. We will simply assert conditions @@ -127470,12 +127535,11 @@ dictionary SanitizerConfig {

      1. Assert: config["elements"] exists or - config["removeElements"] exists.

      2. + config["removeElements"] + exists.

        -
      3. If config["elements"] exists and - config["

        If config["elements"] + exists and config["removeElements"] exists, then return false.

      4. @@ -127493,12 +127557,11 @@ dictionary SanitizerConfig {
      5. Assert: Either config["attributes"] exists or - config["removeAttributes"] exists.

      6. + config["removeAttributes"] + exists.

        -
      7. If config["attributes"] exists and - config["

        If config["attributes"] + exists and config["removeAttributes"] exists, then return false.

      8. @@ -127509,8 +127572,8 @@ dictionary SanitizerConfig { sanitizer processing instruction, or canonicalize a sanitizer attribute, as appropriate.

        -
      9. If config["elements"] exists:

        +
      10. If config["elements"] + exists:

        1. If config["elements"] has duplicates, then return false.

        2. @@ -127547,8 +127610,8 @@ dictionary SanitizerConfig {
      11. -
      12. If config["attributes"] exists:

        +
      13. If config["attributes"] + exists:

        1. If config["attributes"] has duplicates, then return false.

        2. @@ -127575,8 +127638,8 @@ dictionary SanitizerConfig {
      14. -
      15. If config["elements"] exists:

        +
      16. If config["elements"] + exists:

        1. If the intersection of config["elements"] and config["SanitizerConfig { exists:

          1. Assert: config["dataAttributes"] exists.

          2. + data-x="dom-SanitizerConfig-dataAttributes">dataAttributes
            "] + exists.

          3. If config["elements"] exists:

            @@ -127622,16 +127686,15 @@ dictionary SanitizerConfig { has duplicates, then return false.

          4. If the intersection of config["attributes"] and - element["attributes"] and element["attributes"] (or an empty list if it does not exist) is not empty, then return false.

          5. If element["removeAttributes"] (or an empty list if it does not exist) is not a subset of - config["attributes"], then return false.

          6. + config["attributes"], then + return false.

          7. If config["dataAttributes"] is true and @@ -127750,8 +127813,8 @@ dictionary SanitizerConfig {

          8. For each item of A:

              -
            1. If B does not contain item, then - append item to result.

            2. +
            3. If B does not contain item, then append + item to result.

          9. @@ -127771,16 +127834,16 @@ dictionary SanitizerConfig {
            • { name: "html", _namespace: HTML - namespace }

            • + data-x="dom-SanitizerElementNamespace-namespace">_namespace
              : HTML namespace + }

            • { name: "svg", _namespace: SVG - namespace }

            • + data-x="dom-SanitizerElementNamespace-namespace">_namespace
              : SVG namespace + }

            • { name: "math", _namespace: MathML - namespace }

            • + data-x="dom-SanitizerElementNamespace-namespace">_namespace: MathML namespace + }

            Timers

            From 6a808da972755794a281dda5e682268f17bed6d1 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 15:19:02 +0100 Subject: [PATCH 07/35] ref fixes --- source | 633 +++++++++++++++++++++++++++++++-------------------------- 1 file changed, 348 insertions(+), 285 deletions(-) diff --git a/source b/source index bda1375d895..df8bc997779 100644 --- a/source +++ b/source @@ -3337,6 +3337,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
          10. The attribute change steps hook for attributes
          11. The value concept for attributes
          12. The local name concept for attributes
          13. +
          14. The namespace concept for attributes
          15. The attribute list concept
          16. The data of a CharacterData node and its replace data algorithm
          17. @@ -124704,10 +124705,10 @@ partial interface ShadowRoot { enum SanitizerPresets { "default" }; dictionary SetHTMLOptions { - (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default"; + (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default"; }; dictionary SetHTMLUnsafeOptions { - (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {}; + (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {}; }; dictionary GetHTMLOptions { @@ -125755,15 +125756,16 @@ interface Sanitizer { instruction with pi.

          18. If configuration["processingInstructions"] - exists, then:

            + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions"] exists, then:

            1. If configuration["processingInstructions"] - contains pi, then return false.

            2. + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions"] contains pi, then return false.

              -
            3. Append pi to configuration["

              Append pi to + configuration["processingInstructions"].

            4. Return true.

            5. @@ -125775,10 +125777,10 @@ interface Sanitizer {
              1. If configuration["removeProcessingInstructions"] - contains pi, then:

                + contains pi, then:

                  -
                1. Remove the item from configuration["

                  Remove the item from configuration["removeProcessingInstructions"] whose target member is pi's target @@ -125806,16 +125808,16 @@ interface Sanitizer { instruction with pi.

                2. If configuration["processingInstructions"] - exists, then:

                  + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions
                  "] exists, then:

                  1. If configuration["processingInstructions"] - contains pi, then:

                    + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions
                    "] contains pi, then:

                      -
                    1. Remove the item from configuration["

                      Remove the item from configuration["processingInstructions"] whose target member is pi's target @@ -125834,9 +125836,10 @@ interface Sanitizer {

                      1. If configuration["removeProcessingInstructions"] - contains pi, then return false.

                      2. + contains pi, then return false.

                        -
                      3. Append pi to configuration["

                        Append pi to + configuration["removeProcessingInstructions"].

                      4. Return true.

                      5. @@ -125854,7 +125857,8 @@ interface Sanitizer {
                      6. Canonicalize the configuration configuration with allowCommentsPIsAndDataAttributes.

                      7. -
                      8. If configuration is not valid, then return false.

                      9. +
                      10. If configuration is not valid, + then return false.

                      11. Set sanitizer's configuration to configuration.

                      12. @@ -125868,8 +125872,8 @@ interface Sanitizer { configuration with a boolean allowCommentsPIsAndDataAttributes:

                          -
                        1. For each member of configuration that is a list of - strings:

                          +
                        2. For each member of configuration + that is a list of strings:

                          1. Replace each string in member with the result of canonicalizing it using the appropriate algorithm (e.g., canonicalize a sanitizer element or @@ -125878,20 +125882,20 @@ interface Sanitizer {

                          2. If configuration["elements"] - exists, then:

                            + exists, then:

                              -
                            1. For each element in configuration["elements"]:

                              +
                            2. For each element in + configuration["elements"]:

                              1. If element["attributes"] - exists, replace each attribute with the result of canonicalize a sanitizer - attribute.

                              2. + data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes
                                "] exists, replace each attribute with the result of + canonicalize a sanitizer attribute.

                              3. If element["removeAttributes"] - exists, replace each attribute with the result of canonicalize a sanitizer - attribute.

                              4. + exists, replace each attribute with the result of + canonicalize a sanitizer attribute.

                            @@ -125899,14 +125903,14 @@ interface Sanitizer {
                          3. If neither configuration["elements"] nor configuration["removeElements"] exists, then set - configuration["removeElements"] exists, then set configuration["removeElements"] to an empty list.

                          4. If neither configuration["attributes"] nor configuration["removeAttributes"] exists, then - set configuration["removeAttributes"] exists, then set configuration["removeAttributes"] to an empty list.

                          5. @@ -125914,7 +125918,7 @@ interface Sanitizer { data-x="dom-SanitizerConfig-processingInstructions">processingInstructions
                            "] nor configuration["removeProcessingInstructions"] - exists, then:

                            + exists, then:

                            1. If allowCommentsPIsAndDataAttributes is true, then set configuration["Sanitizer configuration

                              dictionary SanitizerElementNamespace {
                              -  required DOMString name;
                              -  DOMString? _namespace = "http://www.w3.org/1999/xhtml";
                              +  required DOMString name;
                              +  DOMString? _namespace = "http://www.w3.org/1999/xhtml";
                               };
                               
                               // Used by "elements"
                               dictionary SanitizerElementNamespaceWithAttributes : SanitizerElementNamespace {
                              -  sequence<SanitizerAttribute> attributes;
                              -  sequence<SanitizerAttribute> removeAttributes;
                              +  sequence<SanitizerAttribute> attributes;
                              +  sequence<SanitizerAttribute> removeAttributes;
                               };
                               
                               typedef (DOMString or SanitizerElementNamespace) SanitizerElement;
                               typedef (DOMString or SanitizerElementNamespaceWithAttributes) SanitizerElementWithAttributes;
                               
                               dictionary SanitizerProcessingInstruction {
                              -  required DOMString target;
                              +  required DOMString target;
                               };
                               
                               typedef (DOMString or SanitizerProcessingInstruction) SanitizerPI;
                               
                               dictionary SanitizerAttributeNamespace {
                              -  required DOMString name;
                              -  DOMString? _namespace = null;
                              +  required DOMString name;
                              +  DOMString? _namespace = null;
                               };
                               typedef (DOMString or SanitizerAttributeNamespace) SanitizerAttribute;
                               
                               dictionary SanitizerConfig {
                              -  sequence<SanitizerElementWithAttributes> elements;
                              -  sequence<SanitizerElement> removeElements;
                              -  sequence<SanitizerElement> replaceWithChildrenElements;
                              +  sequence<SanitizerElementWithAttributes> elements;
                              +  sequence<SanitizerElement> removeElements;
                              +  sequence<SanitizerElement> replaceWithChildrenElements;
                               
                              -  sequence<SanitizerPI> processingInstructions;
                              -  sequence<SanitizerPI> removeProcessingInstructions;
                              +  sequence<SanitizerProcessingInstruction> processingInstructions;
                              +  sequence<SanitizerProcessingInstruction> removeProcessingInstructions;
                               
                              -  sequence<SanitizerAttribute> attributes;
                              -  sequence<SanitizerAttribute> removeAttributes;
                              +  sequence<SanitizerAttribute> attributes;
                              +  sequence<SanitizerAttribute> removeAttributes;
                               
                              -  boolean comments;
                              -  boolean dataAttributes;
                              +  boolean comments;
                              +  boolean dataAttributes;
                               };
                              TODO @@ -126272,10 +126276,11 @@ dictionary SanitizerConfig {
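Review bot: In the `SanitizerConfig` dictionary, `processingInstructions` and `removeProcessingInstructions` change type from `sequence<SanitizerPI>` to `sequence<SanitizerProcessingInstruction>` in a commit described only as "ref fixes", which reads as an unintended API change rather than a cross-reference fix. The `SanitizerPI` typedef `(DOMString or SanitizerProcessingInstruction)` is kept a few lines above, and the canonicalization steps in this patch still replace strings in list members, so a bare string target would presumably stop being accepted in a config dictionary while the algorithms still expect it. If the narrowing is intended, it belongs in its own commit with matching canonicalization changes; otherwise keep `sequence<SanitizerPI> processingInstructions;` and `sequence<SanitizerPI> removeProcessingInstructions;`. The hunk header for this IDL block is not legible in this rendering, so this is based on the visible -/+ lines only.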
                              1. Let config be this's configuration.

                              2. -
                              3. Assert: config is valid.

                              4. +
                              5. Assert: config is valid.

                              6. -
                              7. If config["elements"] - exists, then:

                                +
                              8. If config["elements"] exists, then:

                                1. For any element of config["SanitizerConfig {

                                  1. If element["attributes"] - exists, then set element["attributes"] exists, then set element["attributes"] to the result of sort in ascending order element["attributes"], with @@ -126292,7 +126297,7 @@ dictionary SanitizerConfig {

                                  2. If element["removeAttributes"] - exists, then set element["exists, then set element["removeAttributes"] to the result of sort in ascending order element["SanitizerConfig {

                                  3. If config["replaceWithChildrenElements"] - exists, then set config["exists, then set config["replaceWithChildrenElements"] to the result of sort in ascending order config["replaceWithChildrenElements"], with elementA being less than item elementB.

                                  4. If config["processingInstructions"] - exists, then set config["processingInstructions"] exists, then set config["processingInstructions"] to the result of sort in ascending order config["processingInstructions"], with piA["target"] being - ASCII code unit less than piB["code unit less than piB["target"].

                                  5. Otherwise:

                                    @@ -126344,13 +126349,13 @@ dictionary SanitizerConfig { config["removeProcessingInstructions"], with piA["target"] - being ASCII code unit less than piB["code unit less than piB["target"].

                                2. If config["attributes"] - exists, then set config["exists, then set config["attributes"] to the result of sort in ascending order config["attributes"], with attrA being @@ -126374,27 +126379,35 @@ dictionary SanitizerConfig {

                                  An item itemA is less than item itemB if:

                                    -
                                  1. If itemA's namespace member is null, then:

                                    +
                                  2. Let namespaceA be itemA["_namespace"].

                                    + +
                                  3. Let namespaceB be itemB["_namespace"].

                                    + +
                                  4. If namespaceA is null, then:

                                      -
                                    1. If itemB's namespace member is not null, then return - true.

                                    2. +
                                    3. If namespaceB is not null, then return true.

                                  5. -
                                  6. Otherwise:

                                    +
                                  7. +

                                    Otherwise:

                                      -
                                    1. If itemB's namespace member is null, then return false.

                                    2. +
                                    3. If namespaceB member is null, then return false.

                                    4. -
                                    5. If itemA's namespace member is ASCII code unit less - than itemB's namespace member, then return true.

                                    6. +
                                    7. If namespaceA is code unit less than namespaceB, then + return true.

                                    8. -
                                    9. If itemA's namespace member is not equal to itemB's - namespace member, then return false.

                                    10. +
                                    11. If namespaceA is not namespaceB, then return false.

                                  8. -
                                  9. Return itemA's name member is ASCII code unit less - than itemB's name member.

                                  10. +
                                  11. If itemA["name"] is + code unit less than itemA["name"], return true.

                                  12. + +
                                  13. Return false.
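Review bot: The final name comparison added in this hunk compares `itemA["name"]` with `itemA["name"]`, so it can never hold and the "less than" algorithm returns false for every pair of items that share a namespace; the second operand should be itemB: `If itemA["name"] is code unit less than itemB["name"], return true.` As written, the sort steps earlier in this patch that rely on this comparison would leave same-namespace elements and attributes in an unspecified relative order. In the Otherwise branch, `If namespaceB member is null` also keeps a stray "member" from the old wording and should read `If namespaceB is null, then return false.`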

      @@ -126406,13 +126419,14 @@ dictionary SanitizerConfig {
      1. Let configuration be this's configuration.

      2. -
      3. Assert: configuration is valid.

      4. +
      5. Assert: configuration is valid.

      6. Set element to the result of canonicalize a sanitizer element with attributes with element.

      7. If configuration["elements"] - exists, then:

        + exists, then:

        1. Let modified be the result of SanitizerConfig/remove @@ -126420,12 +126434,13 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-replaceWithChildrenElements">replaceWithChildrenElements"].

        2. If configuration["attributes"] exists, then:

          + data-x="dom-SanitizerConfig-attributes">attributes
          "] exists, then:

          1. If element["attributes"] - exists, then:

            + data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes
            "] exists, then:

            1. Set element["SanitizerConfig { data-x="dom-SanitizerConfig-attributes">attributes"].

            2. If configuration["dataAttributes"] is true, then - remove all items item from element["dataAttributes"] is true, then remove all items item from element["attributes"] where item is a custom data attribute.

            @@ -126450,7 +126465,7 @@ dictionary SanitizerConfig {
          2. If element["removeAttributes"] - exists, then:

            + exists, then:

            1. Set element["SanitizerConfig {

              1. If element["attributes"] - exists, then:

                + data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes
                "] exists, then:

                1. Set element["SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"] (or an empty list if it does not exist).

                2. -
                3. Remove element["

                  Remove element["removeAttributes"].

                4. Set element["SanitizerConfig {

                5. If element["removeAttributes"] - exists, then:

                  + exists, then:

                  1. Set element["SanitizerConfig {

                  2. If configuration["elements"] does not contain - element, then:

                    + data-x="dom-SanitizerConfig-elements">elements
                    "] does not contain element, then:

                      -
                    1. Append element to configuration["

                      Append element to + configuration["elements"].

                    2. Return true.

                    3. @@ -126550,7 +126566,8 @@ dictionary SanitizerConfig { configuration["elements"].

                      -
                    4. Append element to configuration["

                      Append element to + configuration["elements"].

                    5. Return true.

                    6. @@ -126561,8 +126578,8 @@ dictionary SanitizerConfig {
                      1. If element["attributes"] - exists or element["attributes"] exists or element["removeAttributes"] (or an empty list if it does not exist) is not empty, then return false.

                      2. @@ -126571,8 +126588,8 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-replaceWithChildrenElements">replaceWithChildrenElements
                        "].

                      3. If configuration["removeElements"] does not - contain element, then return modified.

                      4. + data-x="dom-SanitizerConfig-removeElements">removeElements
                        "] does not contain element, then return modified.

                      5. SanitizerConfig/remove element from configuration["SanitizerConfig {

                        1. Let configuration be this's configuration.

                        2. -
                        3. Assert: configuration is valid.

                        4. +
                        5. Assert: configuration is valid.

                        6. Set element to the result of canonicalize a sanitizer element with element.

                        7. -
                        8. If the built-in non-replaceable elements list contains - element, then return false.

                        9. +
                        10. If the built-in non-replaceable elements list contains element, then return false.

                        11. Let modified be the result of SanitizerConfig/remove element from configuration["SanitizerConfig {

                        12. If configuration["replaceWithChildrenElements"] - does not contain element, then:

                          + does not contain element, then:

                            -
                          1. Append element to configuration["

                            Append element to + configuration["replaceWithChildrenElements"].

                          2. Return true.

                          3. @@ -126640,13 +126659,15 @@ dictionary SanitizerConfig {
                            1. Let configuration be this's configuration.

                            2. -
                            3. Assert: configuration is valid.

                            4. +
                            5. Assert: configuration is valid.

                            6. Set attribute to the result of canonicalize a sanitizer attribute with attribute.

                            7. If configuration["attributes"] exists, then:

                              + data-x="dom-SanitizerConfig-attributes">attributes
                              "] exists, then:

                              1. If configuration["SanitizerConfig { attribute is a custom data attribute, then return false.

                              2. If configuration["attributes"] contains - attribute, then return false.

                              3. + data-x="dom-SanitizerConfig-attributes">attributes
                                "] contains attribute, then return false.

                              4. If configuration["elements"] exists, then:

                                + data-x="dom-SanitizerConfig-elements">elements
                                "] exists, then:

                                  -
                                1. For each element in configuration["elements"]:

                                  +
                                2. For each element in + configuration["elements"]:

                                  1. If element["attributes"] (or an - empty list if it does not exist) contains attribute, then - remove attribute from element["contains + attribute, then remove attribute + from element["attributes"].

                              5. -
                              6. Append attribute to configuration["

                                Append attribute to + configuration["attributes"].

                              7. Return true.

                              8. @@ -126686,8 +126710,8 @@ dictionary SanitizerConfig {
                                1. If configuration["removeAttributes"] does not - contain attribute, then return false.

                                2. + data-x="dom-SanitizerConfig-removeAttributes">removeAttributes
                                  "] does not contain attribute, then return false.

                                3. SanitizerConfig/remove attribute from configuration["SanitizerConfig {

                                  1. Let configuration be this's configuration.

                                  2. -
                                  3. Assert: configuration is valid.

                                  4. +
                                  5. Assert: configuration is valid.

                                  6. If configuration["comments"] - exists and is equal to allow, then return false.

                                  7. + exists and is equal to allow, then return + false.

                                  8. Set configuration["comments"] to allow.

                                  9. @@ -126734,31 +126760,34 @@ dictionary SanitizerConfig {
                                    1. Let configuration be this's configuration.

                                    2. -
                                    3. Assert: configuration is valid.

                                    4. +
                                    5. Assert: configuration is valid.

                                    6. If configuration["dataAttributes"] exists and is - equal to allow, then return false.

                                    7. + data-x="dom-SanitizerConfig-dataAttributes">dataAttributes
                                      "] exists and is equal to allow, then return false.

                                    8. If allow is false and configuration["attributes"] exists, then:

                                      + data-x="dom-SanitizerConfig-attributes">attributes
                                      "] exists, then:

                                        -
                                      1. For each element in configuration["elements"] (or an empty list if it does not - exist):

                                        +
                                      2. For each element in + configuration["elements"] (or an + empty list if it does not exist):

                                          -
                                        1. Remove all items item from element["

                                          Remove all items item from + element["attributes"] (or an empty list if it does not exist) where item is a custom data attribute.

                                      3. -
                                      4. Remove all items item from configuration["attributes"] where item is a - custom data attribute.

                                      5. +
                                      6. Remove all items item from + configuration["attributes"] + where item is a custom data attribute.

                                    9. @@ -126785,8 +126814,9 @@ dictionary SanitizerConfig { and a boolean safe:

                                        -
                                      1. If safe is true, contextElement's local name is "script", and contextElement's namespace is the +

                                      2. If safe is true, contextElement's local name is "script", and + contextElement's namespace is the HTML namespace or the SVG namespace, then return.

                                      3. Let sanitizer be the result of calling get a sanitizer instance from @@ -126798,8 +126828,8 @@ dictionary SanitizerConfig {

                                      4. Let fragment be a new DocumentFragment whose node document is contextElement's node document.

                                      5. -
                                      6. For each node in newChildren, append node to fragment.

                                      7. +
                                      8. For each node in newChildren, + append node to fragment.

                                      9. Call sanitize on fragment with sanitizer and safe.

                                      10. @@ -126818,8 +126848,8 @@ dictionary SanitizerConfig { data-x="dom-SanitizerPresets-default">default
                                        ".

                                      11. If options["sanitizer"] - exists, then set sanitizerSpec to options["sanitizer"].

                                      12. + exists, then set sanitizerSpec to + options["sanitizer"].

                                      13. Assert: sanitizerSpec is either a Sanitizer instance, a SanitizerPresets member, or a SanitizerConfig dictionary.

                                      14. @@ -126860,7 +126890,8 @@ dictionary SanitizerConfig {
                                      15. Let configuration be sanitizer's configuration.

                                      16. -
                                      17. Assert: configuration is valid.

                                      18. +
                                      19. Assert: configuration is valid.

                                      20. If safe is true, then set configuration to the result of calling remove unsafe on configuration.

                                      21. @@ -126877,7 +126908,8 @@ dictionary SanitizerConfig { node. It consists of these steps:

                                          -
                                        1. For each child of node's children:

                                          +
                                        2. For each child of node's + children:

                                          1. Assert: child is a Text, Comment, @@ -126893,8 +126925,8 @@ dictionary SanitizerConfig {

                                            1. If configuration["comments"] is not true, then remove - child.

                                            2. + data-x="dom-SanitizerConfig-comments">comments"] is not true, then remove child.

                                          2. @@ -126904,14 +126936,14 @@ dictionary SanitizerConfig {
                                          3. Let piTarget be child's target.

                                          4. If configuration["processingInstructions"] - exists, then:

                                            + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions
                                            "] exists, then:

                                            1. If configuration["processingInstructions"] does - not contain piTarget, then remove - child.

                                            2. + not contain piTarget, then remove child.

                                          5. @@ -126919,8 +126951,8 @@ dictionary SanitizerConfig {
                                            1. If configuration["removeProcessingInstructions"] - contains piTarget, then remove - child.

                                            2. + contains piTarget, then remove child.

                                          @@ -126929,13 +126961,14 @@ dictionary SanitizerConfig {
                                        3. Otherwise:

                                          1. Let elementName be a SanitizerElementNamespace with - child's local name and namespace.

                                          2. + child's local name and namespace.

                                          3. If configuration["replaceWithChildrenElements"] - exists and configuration["exists and configuration["replaceWithChildrenElements"] - contains elementName, then:

                                            + contains elementName, then:

                                            1. Assert: node is not a Document.

                                            2. @@ -126951,22 +126984,23 @@ dictionary SanitizerConfig {
                                            3. If configuration["elements"] exists, then:

                                              + data-x="dom-SanitizerConfig-elements">elements
                                              "] exists, then:

                                              1. If configuration["elements"] does not contain - elementName, then remove child and - continue.

                                              2. + data-x="dom-SanitizerConfig-elements">elements"] does not contain elementName, then remove child and continue.

                                            4. Otherwise:

                                              1. If configuration["removeElements"] contains - elementName, then remove child and - continue.

                                              2. + data-x="dom-SanitizerConfig-removeElements">removeElements"] contains elementName, then remove child and continue.

                                            5. @@ -126982,37 +127016,43 @@ dictionary SanitizerConfig {
                                            6. Let elementWithLocalAttributes be null.

                                            7. If configuration["elements"] exists and - configuration["elements"] - contains elementName, then set elementWithLocalAttributes - to configuration["elements"] exists and configuration["elements"] contains elementName, then set + elementWithLocalAttributes to configuration["elements"][elementName].

                                            8. -
                                            9. For each attribute in child's attribute - list:

                                              +
                                            10. For each attribute in child's + attribute list:

                                              1. Let attrName be a SanitizerAttributeNamespace with - attribute's local name and namespace.

                                              2. + attribute's local name and + namespace.

                                              3. If elementWithLocalAttributes["removeAttributes"] - exists and elementWithLocalAttributes["exists and elementWithLocalAttributes["removeAttributes"] - contains attrName, then remove an attribute - attribute.

                                              4. + contains attrName, then remove an + attribute attribute.

                                              5. Otherwise, if configuration["attributes"] exists, then:

                                                + data-x="dom-SanitizerConfig-attributes">attributes
                                                "] exists, then:

                                                1. If configuration["attributes"] does not contain - attrName and elementWithLocalAttributes["attributes"] does not contain attrName and + elementWithLocalAttributes["attributes"] does - not contain attrName, and if "data-" is - not a prefix of attribute's local name or attribute's - namespace is not null or configuration["contain attrName, and if "data-" is not a prefix of attribute's local name or attribute's namespace is not null or + configuration["dataAttributes"] is not true, then remove an attribute attribute.

                                                @@ -127021,16 +127061,16 @@ dictionary SanitizerConfig {
                                              6. Otherwise:

                                                1. If elementWithLocalAttributes["attributes"] - exists and elementWithLocalAttributes["attributes"] exists and elementWithLocalAttributes["attributes"] does - not contain attrName, then remove an attribute - attribute.

                                                2. + not contain attrName, then remove an + attribute attribute.

                                                3. Otherwise, if configuration["removeAttributes"] - contains attrName, then remove an attribute - attribute.

                                                4. + data-x="dom-SanitizerConfig-removeAttributes">removeAttributes
                                                  "] contains attrName, then remove an + attribute attribute.

                                              7. @@ -127041,17 +127081,19 @@ dictionary SanitizerConfig { contains a javascript: URL, then remove an attribute attribute.

                                                -
                                              8. If child's namespace is the MathML Namespace, - attribute's local name is "href", and - attribute's namespace is null or the XLink - namespace, and attribute contains a javascript: URL, then - remove an attribute attribute.

                                              9. - -
                                              10. If the built-in animating URL attributes list contains - the pair (elementName, attrName), and attribute's - value is "href" or "xlink:href", then remove an attribute +

                                              11. If child's namespace is + the MathML Namespace, attribute's local name is "href", + and attribute's namespace is + null or the XLink namespace, and attribute contains a + javascript: URL, then remove an attribute attribute.

                                              12. + +
                                              13. If the built-in animating URL attributes list contains the pair (elementName, attrName), and + attribute's value is "href" or "xlink:href", then remove an + attribute attribute.

                                            @@ -127072,7 +127114,7 @@ dictionary SanitizerConfig {
                                            1. Let url be the result of running the basic URL parser on - attribute's value.

                                            2. + attribute's value.

                                            3. If url is failure, then return false.

                                            4. @@ -127230,7 +127272,8 @@ dictionary SanitizerConfig { configuration:

                                                -
                                              1. Assert: configuration is valid.

                                              2. +
                                              3. Assert: configuration is valid.

                                              4. Set element to the result of canonicalize a sanitizer element with element.

                                              5. @@ -127240,12 +127283,12 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-replaceWithChildrenElements">replaceWithChildrenElements
                                                "].

                                              6. If configuration["elements"] - exists, then:

                                                + exists, then:

                                                1. If configuration["elements"] contains - element, then:

                                                  + data-x="dom-SanitizerConfig-elements">elements"] contains element, then:

                                                  1. SanitizerConfig/remove element from @@ -127264,10 +127307,11 @@ dictionary SanitizerConfig {

                                                    1. If configuration["removeElements"] contains - element, then return modified.

                                                    2. + data-x="dom-SanitizerConfig-removeElements">removeElements"] contains element, then return modified.

                                                      -
                                                    3. Append element to configuration["

                                                      Append element to + configuration["removeElements"].

                                                    4. Return true.

                                                    5. @@ -127281,13 +127325,15 @@ dictionary SanitizerConfig { configuration:

                                                        -
                                                      1. Assert: configuration is valid.

                                                      2. +
                                                      3. Assert: configuration is valid.

                                                      4. Set attribute to the result of canonicalize a sanitizer attribute with attribute.

                                                      5. If configuration["attributes"] exists, then:

                                                        + data-x="dom-SanitizerConfig-attributes">attributes
                                                        "] exists, then:

                                                        1. Let modified be the result of SanitizerConfig/remove @@ -127295,34 +127341,38 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-attributes">attributes"].

                                                        2. If configuration["elements"] exists, then:

                                                          + data-x="dom-SanitizerConfig-elements">elements"] exists, then:

                                                            -
                                                          1. For each element of configuration["elements"]:

                                                            +
                                                          2. For each element of + configuration["elements"]:

                                                            1. If element["attributes"] (or an - empty list if it does not exist) contains attribute, then:

                                                              + empty list if it does not exist) contains + attribute, then:

                                                              1. Set modified to true.

                                                              2. -
                                                              3. Remove attribute from element["

                                                                Remove attribute from + element["attributes"].

                                                            2. If element["removeAttributes"] - (or an empty list if it does not exist) contains attribute, - then:

                                                              + (or an empty list if it does not exist) contains + attribute, then:

                                                              1. Assert: modified is true.

                                                              2. -
                                                              3. Remove attribute from element["

                                                                Remove attribute from + element["removeAttributes"].

                                                            3. @@ -127339,34 +127389,38 @@ dictionary SanitizerConfig {
                                                              1. If configuration["removeAttributes"] contains - attribute, then return false.

                                                              2. + data-x="dom-SanitizerConfig-removeAttributes">removeAttributes
                                                                "] contains attribute, then return false.

                                                              3. If configuration["elements"] exists, then:

                                                                + data-x="dom-SanitizerConfig-elements">elements
                                                                "] exists, then:

                                                                  -
                                                                1. For each element in configuration["elements"]:

                                                                  +
                                                                2. For each element in + configuration["elements"]:

                                                                  1. If element["attributes"] (or an - empty list if it does not exist) contains attribute, then - remove attribute from element["contains + attribute, then remove attribute + from element["attributes"].

                                                                  2. If element["removeAttributes"] - (or an empty list if it does not exist) contains attribute, then - remove attribute from element["contains + attribute, then remove attribute + from element["removeAttributes"].

                                                              4. -
                                                              5. Append attribute to configuration["

                                                                Append attribute to + configuration["removeAttributes"].

                                                              6. Return true.

                                                              7. @@ -127379,12 +127433,13 @@ dictionary SanitizerConfig {

                                                                To remove unsafe from a SanitizerConfig configuration:

                                                                  -
                                                                1. Assert: configuration is valid.

                                                                2. +
                                                                3. Assert: configuration is valid.

                                                                4. Let result be false.

                                                                5. -
                                                                6. For each element in built-in safe baseline - configuration["

                                                                  For each element in built-in safe + baseline configuration["removeElements"]:

                                                                    @@ -127393,8 +127448,8 @@ dictionary SanitizerConfig {
                                                                7. -
                                                                8. For each attribute in built-in safe baseline - configuration["

                                                                  For each attribute in built-in safe + baseline configuration["removeAttributes"]:

                                                                    @@ -127403,8 +127458,8 @@ dictionary SanitizerConfig {
                                                                9. -
                                                                10. For each attribute that is an event handler content - attribute:

                                                                  +
                                                                11. For each attribute that is an event + handler content attribute:

                                                                  1. If remove an attribute attribute from configuration @@ -127422,7 +127477,7 @@ dictionary SanitizerConfig {

                                                                    1. Let removed be false.

                                                                    2. -
                                                                    3. For each entry of list:

                                                                      +
                                                                    4. For each entry of list:

                                                                      1. If item's name @@ -127433,7 +127488,8 @@ dictionary SanitizerConfig { member, then:

                                                                          -
                                                                        1. Remove entry from list.

                                                                        2. +
                                                                        3. remove entry from + list.

                                                                        4. Set removed to true.
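Review bot: The re-wrapped step inside the "For each entry of list" loop now starts with a lowercase word, `remove entry from list.`, whereas the removed line read `Remove entry from list.` and the following step ("Set removed to true.") is capitalised. Unless the lowercase form is an artifact of how this page rendered the link text, the new line should keep the capital, `Remove entry from list.`, so that the hunk stays a pure re-wrap with no wording change. The enclosing algorithm begins before this hunk, so only these steps of it are visible here.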

                                                                        @@ -127449,9 +127505,10 @@ dictionary SanitizerConfig {

                                                                        To SanitizerConfig/add a name to a list list:

                                                                          -
                                                                        1. If list contains name, then return.

                                                                        2. +
                                                                        3. If list contains name, then + return.

                                                                        4. -
                                                                        5. Append name to list.

                                                                        6. +
                                                                        7. Append name to list.

    7. @@ -127467,18 +127524,19 @@ dictionary SanitizerConfig {
      1. If element["attributes"] - exists, then:

        + data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes
        "] exists, then:

        1. Let attributes be an empty list.

        2. -
        3. For each attribute of element["

          For each attribute of + element["attributes"]:

            -
          1. Append the result of canonicalize a sanitizer attribute - with attribute to attributes.

          2. +
          3. Append the result of canonicalize a + sanitizer attribute with attribute to attributes.

        4. @@ -127490,17 +127548,18 @@ dictionary SanitizerConfig {
        5. If element["removeAttributes"] - exists, then:

          + exists, then:

          1. Let attributes be an empty list.

          2. -
          3. For each attribute of element["

            For each attribute of + element["removeAttributes"]:

              -
            1. Append the result of canonicalize a sanitizer attribute - with attribute to attributes.

            2. +
            3. Append the result of canonicalize a + sanitizer attribute with attribute to attributes.

          4. @@ -127516,7 +127575,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes"] nor result["removeAttributes"] - exists, then set result["exists, then set result["removeAttributes"] to an empty list.

            @@ -127534,36 +127593,37 @@ dictionary SanitizerConfig {
            1. Assert: config["elements"] exists or - config["removeElements"] - exists.

            2. + data-x="dom-SanitizerConfig-elements">elements
              "] exists + or config["removeElements"] + exists.

              -
            3. If config["elements"] - exists and config["removeElements"] exists, then - return false.

            4. +
            5. If config["elements"] exists and config["removeElements"] exists, then return false.

            6. Assert: Either config["processingInstructions"] - exists or config["processingInstructions"] exists or config["removeProcessingInstructions"] - exists.

            7. + exists.

            8. If config["processingInstructions"] - exists and config["processingInstructions"] exists and config["removeProcessingInstructions"] - exists, then return false.

            9. + exists, then return false.

            10. Assert: Either config["attributes"] exists or - config["removeAttributes"] - exists.

            11. + data-x="dom-SanitizerConfig-attributes">attributes
              "] exists or config["removeAttributes"] exists.

            12. If config["attributes"] - exists and config["removeAttributes"] exists, then - return false.

            13. + exists and config["removeAttributes"] exists, then return false.

            14. Assert: All SanitizerElementNamespaceWithAttributes, SanitizerElementNamespace, SanitizerProcessingInstruction, and @@ -127572,8 +127632,8 @@ dictionary SanitizerConfig { sanitizer processing instruction, or canonicalize a sanitizer attribute, as appropriate.

            15. -
            16. If config["elements"] - exists:

              +
            17. If config["elements"] exists:

              1. If config["elements"] has duplicates, then return false.

              2. @@ -127590,11 +127650,12 @@ dictionary SanitizerConfig {
              3. If config["replaceWithChildrenElements"] - exists and has duplicates, then return false.

              4. + exists and has duplicates, then return + false.

              5. If config["processingInstructions"] - exists:

                + data-x="dom-SanitizerConfig-processingInstructions">processingInstructions"] exists:

                1. If config["processingInstructions"] has @@ -127611,7 +127672,7 @@ dictionary SanitizerConfig {

                2. If config["attributes"] - exists:

                  + exists:

                  1. If config["attributes"] has duplicates, then return false.

                  2. @@ -127628,18 +127689,19 @@ dictionary SanitizerConfig {
                  3. If config["replaceWithChildrenElements"] - exists:

                    + exists:

                      -
                    1. For each element of config["

                      For each element of + config["replaceWithChildrenElements"]:

                        -
                      1. If the built-in non-replaceable elements list contains - element, then return false.

                      2. +
                      3. If the built-in non-replaceable elements list contains element, then return false.

                    2. If config["elements"] - exists:

                      + exists:

                      1. If the intersection of config["elements"] and config["SanitizerConfig {

                      2. If config["attributes"] - exists:

                        + exists:

                        1. Assert: config["dataAttributes"] - exists.

                        2. + data-x="dom-SanitizerConfig-dataAttributes">dataAttributes
                          "] exists.

                        3. If config["elements"] - exists:

                          + exists:

                            -
                          1. For each element of config["elements"]:

                            +
                          2. For each element of + config["elements"]:

                            1. If element["attributes"] - exists and element["attributes"] exists and element["attributes"] has duplicates, then return false.

                            2. If element["removeAttributes"] - exists and element["exists and element["removeAttributes"] has duplicates, then return false.

                            3. @@ -127716,26 +127778,26 @@ dictionary SanitizerConfig {
                            4. Otherwise:

                              1. If config["elements"] - exists:

                                + exists:

                                  -
                                1. For each element of config["elements"]:

                                  +
                                2. For each element of + config["elements"]:

                                  1. If element["attributes"] - exists and element["attributes"] exists and element["removeAttributes"] - exists, then return false.

                                  2. + exists, then return false.

                                  3. If element["attributes"] - exists and element["attributes"] exists and element["attributes"] has duplicates, then return false.

                                  4. If element["removeAttributes"] - exists and element["exists and element["removeAttributes"] has duplicates, then return false.

                                  5. @@ -127756,8 +127818,8 @@ dictionary SanitizerConfig {
                                  6. If config["dataAttributes"] exists, then - return false.

                                  7. + data-x="dom-SanitizerConfig-dataAttributes">dataAttributes
                                    "] exists, then return false.

                                3. @@ -127776,10 +127838,11 @@ dictionary SanitizerConfig {
                                  1. Let result be an empty list.

                                  2. -
                                  3. For each item of list:

                                    +
                                  4. For each item of list:

                                      -
                                    1. If result does not contain item, then - append item to result.

                                    2. +
                                    3. If result does not contain + item, then append item to + result.

                                  5. @@ -127811,10 +127874,10 @@ dictionary SanitizerConfig {
                                    1. Let result be an empty list.

                                    2. -
                                    3. For each item of A:

                                      +
                                    4. For each item of A:

                                        -
                                      1. If B does not contain item, then append - item to result.

                                      2. +
                                      3. If B does not contain item, + then append item to result.

                                    5. From 97992e87a0c18e7935496245154ca5f69d16adab Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 15:55:45 +0100 Subject: [PATCH 08/35] refs --- source | 85 +++++++++++++++++++++++++--------------------------------- 1 file changed, 36 insertions(+), 49 deletions(-) diff --git a/source b/source index df8bc997779..2abdf62e89d 100644 --- a/source +++ b/source @@ -3425,6 +3425,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
                                    6. valid attribute local name
                                    7. valid element local name
                                    8. is a global custom element registry
                                    9. +
                                    10. processing instrucion target
                                    11. The following features are defined in UI Events: UIEVENTS
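Review bot: The dependency entry added in this hunk is spelled `processing instrucion target`; it should read `processing instruction target`. The markup around the term is not visible on this page, so it cannot be confirmed whether the misspelling is only in the displayed text or also in the key that cross-references resolve against. If it is in the key, the later steps of this patch that link "child's target" in the sanitize core algorithm would presumably fail to resolve to this definition.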

                                      @@ -124703,12 +124704,12 @@ partial interface ShadowRoot { [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML; }; -enum SanitizerPresets { "default" }; +enum SanitizerPresets { "default" }; dictionary SetHTMLOptions { - (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default"; + (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default"; }; dictionary SetHTMLUnsafeOptions { - (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {}; + (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {}; }; dictionary GetHTMLOptions { @@ -125695,10 +125696,10 @@ interface XMLSerializer { data-x="dom-DOMParser-parseFromString">parseFromString()
                                      .

                                      -

                                      The Sanitizer interface

                                      +

                                      The Sanitizer interface

                                      [Exposed=Window]
                                      -interface Sanitizer {
                                      +interface Sanitizer {
                                         constructor(optional (SanitizerConfig or SanitizerPresets) configuration = "default");
                                       
                                         // Query configuration:
                                      @@ -125719,7 +125720,7 @@ interface Sanitizer {
                                         boolean removeUnsafe();
                                       };
                                      -

                                      A Sanitizer has an associated configuration (a +

                                      A Sanitizer has an associated configuration (a SanitizerConfig).

                                      @@ -125783,8 +125784,7 @@ interface Sanitizer {
                                    12. Remove the item from configuration["removeProcessingInstructions"] whose target member is - pi's target - member.

                                    13. + pi's target.

                                    14. Return true.

                                    @@ -125820,8 +125820,7 @@ interface Sanitizer {
                                  6. Remove the item from configuration["processingInstructions"] whose target member is - pi's target - member.

                                  7. + pi's target.

                                  8. Return true.

                                  @@ -125850,7 +125849,7 @@ interface Sanitizer {

                                  To set a configuration, given a dictionary configuration, - a boolean allowCommentsPIsAndDataAttributes, and a Sanitizer + a boolean allowCommentsPIsAndDataAttributes, and a Sanitizer sanitizer:

                                    @@ -125932,10 +125931,10 @@ interface Sanitizer {
                                  1. If configuration["comments"] - does not exist, set it to allowCommentsPIsAndDataAttributes.

                                  2. + does not exist, set it to allowCommentsPIsAndDataAttributes.

                                  3. If configuration["dataAttributes"] does not exist, + data-x="dom-SanitizerConfig-dataAttributes">dataAttributes"] does not exist, set it to allowCommentsPIsAndDataAttributes.

                                  @@ -126033,10 +126032,10 @@ dictionary SanitizerConfig {

                                  Configurations can and ought to be modified by developers to suit their purposes. Options are to write a new SanitizerConfig dictionary from scratch, to modify an existing - Sanitizer's configuration by using the modifier methods, or to get() an existing Sanitizer's + Sanitizer's configuration by using the modifier methods, or to get() an existing Sanitizer's configuration as a dictionary and modify the dictionary and then create a new - Sanitizer with it.

                                  + Sanitizer with it.

                                  An empty configuration allows everything (when called with the "unsafe" methods like setHTMLUnsafe()). A configuration "SanitizerConfig { steps are:

                                  Outside of the get() method, the order of - the Sanitizer's elements and attributes is unobservable. By explicitly sorting the + the Sanitizer's elements and attributes is unobservable. By explicitly sorting the result of this method, we give implementations the opportunity to optimize by, for example, using unordered sets internally.

                                  @@ -126283,7 +126282,7 @@ dictionary SanitizerConfig { data-x="map exists">exists, then:

                                    -
                                  1. For any element of config["

                                    For any element of config["elements"]:

                                      @@ -126316,7 +126315,7 @@ dictionary SanitizerConfig {
                                    1. Otherwise:

                                      1. Set config["removeElements"] to the result of sort + data-x="dom-SanitizerConfig-removeElements">removeElements"] to the result of sort in ascending order config["removeElements"], with elementA being less than item elementB.

                                      2. @@ -126356,7 +126355,7 @@ dictionary SanitizerConfig {
                                      3. If config["attributes"] exists, then set config["attributes"] to the result of sort in + data-x="dom-SanitizerConfig-attributes">attributes"] to the result of sort in ascending order config["attributes"], with attrA being less than item attrB.

                                      4. @@ -126851,7 +126850,7 @@ dictionary SanitizerConfig { exists, then set sanitizerSpec to options["sanitizer"].

                                        -
                                      5. Assert: sanitizerSpec is either a Sanitizer instance, +

                                      6. Assert: sanitizerSpec is either a Sanitizer instance, a SanitizerPresets member, or a SanitizerConfig dictionary.

                                      7. If sanitizerSpec is a string, then:

                                        @@ -126868,10 +126867,12 @@ dictionary SanitizerConfig {
                                      8. If sanitizerSpec is a dictionary, then:

                                          -
                                        1. Let sanitizer be a new Sanitizer instance.

                                        2. +
                                        3. Let sanitizer be a new Sanitizer instance.

                                        4. -
                                        5. If set a configuration sanitizerSpec with (not - safe) and sanitizer is false, then throw a +

                                        6. Let inverseSafe be true if safe is false; false otherwise. + +

                                        7. If the result of setting a configuration sanitizerSpec with (inverseSafe) + and sanitizer is false, then throw a TypeError.

                                        8. Set sanitizerSpec to sanitizer.
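Review bot: The new step `Let inverseSafe be true if safe is false; false otherwise.` names the value after how it is computed, not after what it controls. The algorithm it is passed to, "set a configuration", calls this argument allowCommentsPIsAndDataAttributes and uses it as the default for the "comments" and "dataAttributes" members when the author's dictionary omits them, so this is the step that keeps those members off by default for safe callers. I would write `Let allowCommentsPIsAndDataAttributes be true if safe is false; otherwise false.` and add a one-sentence note saying that safe callers get these members defaulted to false. The same wording is carried unchanged into the re-wrapped version of this hunk in PATCH 09/35.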

                                        9. @@ -126883,7 +126884,7 @@ dictionary SanitizerConfig {
                                          -

                                          To sanitize a ParentNode node with a Sanitizer +

                                          To sanitize a node node with a Sanitizer sanitizer and a boolean safe:

                                            @@ -126902,14 +126903,14 @@ dictionary SanitizerConfig {
                                          -

                                          The sanitize core operation, using a ParentNode node, a +

                                          The sanitize core operation, using a Node node, a SanitizerConfig configuration, and a boolean handleJavascriptNavigationUrls, recurses over the DOM tree beginning with node. It consists of these steps:

                                          1. For each child of node's - children:

                                            + children:

                                            1. Assert: child is a Text, Comment, @@ -126933,7 +126934,7 @@ dictionary SanitizerConfig {

                                            2. If child is a ProcessingInstruction node, then:

                                                -
                                              1. Let piTarget be child's target.

                                              2. +
                                              3. Let piTarget be child's target.

                                              4. If configuration["processingInstructions"] SanitizerConfig {

                                              5. Call sanitize core on child with configuration and handleJavascriptNavigationUrls.

                                              6. -
                                              7. Replace all with child's children within +

                                              8. Replace all with child's children within child.

                                              9. Continue.

                                              10. @@ -127118,7 +127119,8 @@ dictionary SanitizerConfig {
                                              11. If url is failure, then return false.

                                              12. -
                                              13. Return whether url's scheme is "

                                                Return whether url's scheme is "javascript".

                                          @@ -127184,7 +127186,7 @@ dictionary SanitizerConfig { intended to be a conservative subset of the web platform that is known to be safe. It is subject to change as the platform evolves.

                                          -

                                          The navigating URL attributes list is a list of pairs of a +

                                          The built-in navigating URL attributes list is a list of pairs of a SanitizerElementNamespace and a SanitizerAttributeNamespace:

                                            @@ -127210,7 +127212,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerAttributeNamespace-namespace">_namespace: null })

                                          -

                                          The animating URL attributes list is a list of pairs of a +

                                          The built-in animating URL attributes list is a list of pairs of a SanitizerElementNamespace and a SanitizerAttributeNamespace:

                                            @@ -127252,21 +127254,6 @@ dictionary SanitizerConfig { "http://www.w3.org/1999/xlink" })

                                          -

                                          The built-in non-replaceable elements list is a list of - SanitizerElementNamespace dictionaries:

                                          - -
                                            -
                                          • { name: "html", _namespace: HTML namespace - }

                                          • -
                                          • { name: "head", _namespace: HTML namespace - }

                                          • -
                                          • { name: "body", _namespace: HTML namespace - }

                                          • -
                                          -

                                          To remove an element element from a SanitizerConfig configuration:

                                          @@ -127458,7 +127445,7 @@ dictionary SanitizerConfig {
                                      9. -
                                      10. For each attribute that is an event +

                                      11. For each attribute that is an event handler content attribute:

                                          @@ -127858,7 +127845,7 @@ dictionary SanitizerConfig {

                                          The intersection of two lists A and B containing - SanitizerElement or SanitizerAttribute items is a list containing + SanitizerElement or SanitizerAttribute items is a list containing all items that are present in both A and B.

                                          From e4897dc87b604f7ac64fefc70a163c88d0e4edd5 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 16:05:22 +0100 Subject: [PATCH 09/35] Fix all refs --- source | 103 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 53 insertions(+), 50 deletions(-) diff --git a/source b/source index 2abdf62e89d..bf8408942c2 100644 --- a/source +++ b/source @@ -124706,10 +124706,10 @@ partial interface ShadowRoot { enum SanitizerPresets { "default" }; dictionary SetHTMLOptions { - (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default"; + (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default"; }; dictionary SetHTMLUnsafeOptions { - (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {}; + (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {}; }; dictionary GetHTMLOptions { @@ -125696,31 +125696,31 @@ interface XMLSerializer { data-x="dom-DOMParser-parseFromString">parseFromString().

                                          -

                                          The Sanitizer interface

                                          +

                                          The Sanitizer interface

                                          [Exposed=Window]
                                          -interface Sanitizer {
                                          -  constructor(optional (SanitizerConfig or SanitizerPresets) configuration = "default");
                                          +interface Sanitizer {
                                          +  constructor(optional (SanitizerConfig or SanitizerPresets) configuration = "default");
                                           
                                             // Query configuration:
                                          -  SanitizerConfig get();
                                          +  SanitizerConfig get();
                                           
                                             // Modify a Sanitizer's lists and fields:
                                          -  boolean allowElement(SanitizerElementWithAttributes element);
                                          -  boolean removeElement(SanitizerElement element);
                                          -  boolean replaceElementWithChildren(SanitizerElement element);
                                          -  boolean allowProcessingInstruction(SanitizerPI pi);
                                          -  boolean removeProcessingInstruction(SanitizerPI pi);
                                          -  boolean allowAttribute(SanitizerAttribute attribute);
                                          -  boolean removeAttribute(SanitizerAttribute attribute);
                                          -  boolean setComments(boolean allow);
                                          -  boolean setDataAttributes(boolean allow);
                                          +  boolean allowElement(SanitizerElementWithAttributes element);
                                          +  boolean removeElement(SanitizerElement element);
                                          +  boolean replaceElementWithChildren(SanitizerElement element);
                                          +  boolean allowProcessingInstruction(SanitizerProcessingInstruction pi);
                                          +  boolean removeProcessingInstruction(SanitizerProcessingInstruction pi);
                                          +  boolean allowAttribute(SanitizerAttribute attribute);
                                          +  boolean removeAttribute(SanitizerAttribute attribute);
                                          +  boolean setComments(boolean allow);
                                          +  boolean setDataAttributes(boolean allow);
                                           
                                             // Remove markup that executes script.
                                          -  boolean removeUnsafe();
                                          +  boolean removeUnsafe();
                                           };
                                          -

                                          A Sanitizer has an associated configuration (a +

                                          A Sanitizer has an associated configuration (a SanitizerConfig).

                                          @@ -125784,7 +125784,8 @@ interface Sanitizer {
                                        1. Remove the item from configuration["removeProcessingInstructions"] whose target member is - pi's target.

                                        2. + pi's target.

                                        3. Return true.

                                        @@ -125820,7 +125821,8 @@ interface Sanitizer {
                                      12. Remove the item from configuration["processingInstructions"] whose target member is - pi's target.

                                      13. + pi's target.

                                      14. Return true.

                                      @@ -125849,7 +125851,7 @@ interface Sanitizer {

                                      To set a configuration, given a dictionary configuration, - a boolean allowCommentsPIsAndDataAttributes, and a Sanitizer + a boolean allowCommentsPIsAndDataAttributes, and a Sanitizer sanitizer:

                                        @@ -125931,11 +125933,12 @@ interface Sanitizer {
                                      1. If configuration["comments"] - does not exist, set it to allowCommentsPIsAndDataAttributes.

                                      2. + does not exist, set it to + allowCommentsPIsAndDataAttributes.

                                      3. If configuration["dataAttributes"] does not exist, - set it to allowCommentsPIsAndDataAttributes.

                                      4. + data-x="dom-SanitizerConfig-dataAttributes">dataAttributes
                                        "] does not exist, set it to allowCommentsPIsAndDataAttributes.

                                      @@ -126032,10 +126035,10 @@ dictionary SanitizerConfig {

                                      Configurations can and ought to be modified by developers to suit their purposes. Options are to write a new SanitizerConfig dictionary from scratch, to modify an existing - Sanitizer's configuration by using the modifier methods, or to get() an existing Sanitizer's + Sanitizer's configuration by using the modifier methods, or to get() an existing Sanitizer's configuration as a dictionary and modify the dictionary and then create a new - Sanitizer with it.

                                      + Sanitizer with it.

                                      An empty configuration allows everything (when called with the "unsafe" methods like setHTMLUnsafe()). A configuration "SanitizerConfig { steps are:

                                      Outside of the get() method, the order of - the Sanitizer's elements and attributes is unobservable. By explicitly sorting the + the Sanitizer's elements and attributes is unobservable. By explicitly sorting the result of this method, we give implementations the opportunity to optimize by, for example, using unordered sets internally.

                                      @@ -126282,8 +126285,8 @@ dictionary SanitizerConfig { data-x="map exists">exists, then:

                                        -
                                      1. For any element of config["elements"]:

                                        +
                                      2. For any element of + config["elements"]:

                                        1. If element["SanitizerConfig {

                                        2. Otherwise:

                                          1. Set config["removeElements"] to the result of sort - in ascending order config["removeElements"] to the result of sort in ascending order config["removeElements"], with elementA being less than item elementB.

                                          @@ -126355,8 +126358,8 @@ dictionary SanitizerConfig {
                                        3. If config["attributes"] exists, then set config["attributes"] to the result of sort in - ascending order config["attributes"] to the result of sort in ascending order config["attributes"], with attrA being less than item attrB.

                                        4. @@ -126850,7 +126853,7 @@ dictionary SanitizerConfig { exists, then set sanitizerSpec to options["sanitizer"].

                                          -
                                        5. Assert: sanitizerSpec is either a Sanitizer instance, +

                                        6. Assert: sanitizerSpec is either a Sanitizer instance, a SanitizerPresets member, or a SanitizerConfig dictionary.

                                        7. If sanitizerSpec is a string, then:

                                          @@ -126867,13 +126870,13 @@ dictionary SanitizerConfig {
                                        8. If sanitizerSpec is a dictionary, then:

                                            -
                                          1. Let sanitizer be a new Sanitizer instance.

                                          2. +
                                          3. Let sanitizer be a new Sanitizer instance.

                                          4. Let inverseSafe be true if safe is false; false otherwise. -

                                          5. If the result of setting a configuration sanitizerSpec with (inverseSafe) - and sanitizer is false, then throw a - TypeError.

                                          6. +
                                          7. If the result of setting a configuration + sanitizerSpec with (inverseSafe) and sanitizer is false, then + throw a TypeError.

                                          8. Set sanitizerSpec to sanitizer.

                                          @@ -126884,7 +126887,7 @@ dictionary SanitizerConfig {
                                          -

                                          To sanitize a node node with a Sanitizer +

                                          To sanitize a node node with a Sanitizer sanitizer and a boolean safe:

                                            @@ -126909,8 +126912,8 @@ dictionary SanitizerConfig { node. It consists of these steps:

                                              -
                                            1. For each child of node's - children:

                                              +
                                            2. For each child of node's children:

                                              1. Assert: child is a Text, Comment, @@ -126934,7 +126937,8 @@ dictionary SanitizerConfig {

                                              2. If child is a ProcessingInstruction node, then:

                                                  -
                                                1. Let piTarget be child's target.

                                                2. +
                                                3. Let piTarget be child's target.

                                                4. If configuration["processingInstructions"] SanitizerConfig {

                                                5. Call sanitize core on child with configuration and handleJavascriptNavigationUrls.

                                                6. -
                                                7. Replace all with child's children within - child.

                                                8. +
                                                9. Replace all with child's + children within child.

                                                10. Continue.

                                                @@ -127119,8 +127123,7 @@ dictionary SanitizerConfig {
                                              3. If url is failure, then return false.

                                              4. -
                                              5. Return whether url's scheme is "

                                                Return whether url's scheme is "javascript".

                                          @@ -127445,8 +127448,8 @@ dictionary SanitizerConfig {
                                      3. -
                                      4. For each attribute that is an event - handler content attribute:

                                        +
                                      5. For each attribute that is an event handler content attribute:

                                        1. If remove an attribute attribute from configuration @@ -127845,8 +127848,8 @@ dictionary SanitizerConfig {

                                          The intersection of two lists A and B containing - SanitizerElement or SanitizerAttribute items is a list containing - all items that are present in both A and B.

                                          + SanitizerElement or SanitizerAttribute items is a list + containing all items that are present in both A and B.

                                          From fd3153a34e093d1b4b794c5834bae14b7587251d Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 16:12:00 +0100 Subject: [PATCH 10/35] stuff --- source | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/source b/source index bf8408942c2..79029f1e065 100644 --- a/source +++ b/source @@ -126295,7 +126295,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes"] to the result of sort in ascending order element["attributes"], with - attrA being less than item attrB.

                                        2. + compare sanitizer items.

                                        3. If element["removeAttributes"] @@ -126304,14 +126304,14 @@ dictionary SanitizerConfig { to the result of sort in ascending order element["removeAttributes"], - with attrA being less than item attrB.

                                        4. + with compare sanitizer items.

                                      6. Set config["elements"] to the result of sort in ascending order config["elements"], with elementA being - less than item elementB.

                                      7. + data-x="dom-SanitizerConfig-elements">elements
                                        "], with compare sanitizer + items.

                                    2. @@ -126320,8 +126320,8 @@ dictionary SanitizerConfig {
                                    3. Set config["removeElements"] to the result of sort in ascending order config["removeElements"], with elementA - being less than item elementB.

                                    4. + data-x="dom-SanitizerConfig-removeElements">removeElements
                                      "], with compare + sanitizer items.

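Review bot: The comparator is referenced with more than one wording in this commit: this step ends "sort in ascending order …, with compare sanitizer items", while the "attributes" and "removeAttributes" steps further down say "sorting … given compare sanitizer items" without "in ascending order", and the "removeProcessingInstructions" step still appears to spell out "code unit less than" inline. Because get() is stated to be the only place where this ordering is observable, I would use one phrase in every step, for example `the result of sort in ascending order config["removeElements"], with compare sanitizer items`. The renamed heading "To compare sanitizer items itemA and itemB" also no longer says that the result means itemA is less than itemB; a sentence such as `This algorithm returns true if itemA is less than itemB, and false otherwise.` would make the contract explicit. The algorithm's own steps lie outside these hunks, so the last point is inferred from the heading alone.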
                                  2. @@ -126331,7 +126331,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-replaceWithChildrenElements">replaceWithChildrenElements"] to the result of sort in ascending order config["replaceWithChildrenElements"], - with elementA being less than item elementB.

                                    + with compare sanitizer items.

                                  3. If config["processingInstructions"] SanitizerConfig {

                                    1. Set config["removeProcessingInstructions"] - to the result of sort in ascending order - config["sorting config["removeProcessingInstructions"], with piA["target"] being code unit less than piB["SanitizerConfig {

                                    2. If config["attributes"] exists, then set config["attributes"] to the result of sort in ascending order config["attributes"], with attrA being - less than item attrB.

                                    3. + sort">sorting config["attributes"] given compare sanitizer + items.

                                    4. Otherwise:

                                      1. Set config["removeAttributes"] to the result of sort in ascending order config["removeAttributes"], with attrA - being less than item attrB.

                                      2. + data-x="list sort">sorting config["removeAttributes"] given compare + sanitizer items.

                                    5. @@ -126378,7 +126377,7 @@ dictionary SanitizerConfig {
                                      -

                                      An item itemA is less than item itemB if:

                                      +

                                      To compare sanitizer items itemA and itemB:

                                      1. Let namespaceA be itemA[" Date: Tue, 21 Apr 2026 16:37:27 +0100 Subject: [PATCH 11/35] stuff --- source | 75 +++++++++++++++++++++++++++++++++------------------------- 1 file changed, 43 insertions(+), 32 deletions(-) diff --git a/source b/source index 79029f1e065..34ae28c5a03 100644 --- a/source +++ b/source @@ -125778,7 +125778,7 @@ interface Sanitizer {

                                        1. If configuration["removeProcessingInstructions"] - contains pi, then:

                                          + sanitizer config list contains pi, then:

                                          1. Remove the item from configuration["Sanitizer {

                                            1. If configuration["removeProcessingInstructions"] - contains pi, then return false.

                                            2. + sanitizer config list contains pi, then return false.

                                            3. Append pi to configuration["SanitizerConfig { boolean dataAttributes; }; - TODO -

                                              Configuration invariants

                                              Configurations can and ought to be modified by developers to suit their purposes. Options are @@ -126430,7 +126428,7 @@ dictionary SanitizerConfig { exists, then:

                                                -
                                              1. Let modified be the result of SanitizerConfig/remove +

                                              2. Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

                                              3. @@ -126563,7 +126561,7 @@ dictionary SanitizerConfig {
                                              4. If element is equal to current element, then return modified.

                                              5. -
                                              6. SanitizerConfig/remove element from +

                                              7. Remove element from configuration["elements"].

                                              8. @@ -126584,7 +126582,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes
                                                "] (or an empty list if it does not exist) is not empty, then return false.

                                                -
                                              9. Let modified be the result of SanitizerConfig/remove +

                                              10. Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

                                              11. @@ -126592,7 +126590,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-removeElements">removeElements
                                                "] does not contain element, then return modified.

                                                -
                                              12. SanitizerConfig/remove element from +

                                              13. Remove element from configuration["removeElements"].

                                              14. @@ -126626,18 +126624,18 @@ dictionary SanitizerConfig {
                                              15. If the built-in non-replaceable elements list contains element, then return false.

                                              16. -
                                              17. Let modified be the result of SanitizerConfig/remove +

                                              18. Let modified be the result of removing element from configuration["elements"].

                                              19. -
                                              20. If SanitizerConfig/remove element from +

                                              21. If removing element from configuration["removeElements"] is true, then set modified to true.

                                              22. If configuration["replaceWithChildrenElements"] - does not contain element, then:

                                                + does not sanitizer config list contains element, then:

                                                1. Append element to @@ -126690,8 +126688,8 @@ dictionary SanitizerConfig {
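Review bot: The negated condition in this hunk now reads `does not sanitizer config list contains element`, which is ungrammatical and easy to misparse as the positive check. This step decides whether element is appended to `replaceWithChildrenElements`, so its polarity should be unmistakable. Keep the prose verb and carry the algorithm name in the reference, e.g. `does not <span data-x="sanitizer config list contains">contain</span> <var>element</var>`. The same wording appears in the attribute-filtering hunks later in this commit (`not sanitizer config list contains attrName`).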

                                                  1. If element["attributes"] (or an - empty list if it does not exist) contains - attribute, then remove attribute + empty list if it does not exist) sanitizer config list contains + attribute, then remove attribute from element["attributes"].

                                                  @@ -126714,7 +126712,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-removeAttributes">removeAttributes"] does not contain attribute, then return false.

                                                2. -
                                                3. SanitizerConfig/remove attribute from +

                                                4. Remove attribute from configuration["removeAttributes"].

                                                5. @@ -126946,7 +126944,7 @@ dictionary SanitizerConfig {
                                                  1. If configuration["processingInstructions"] does - not contain piTarget, then sanitizer config list contains piTarget, then remove child.

                                                  @@ -126955,7 +126953,7 @@ dictionary SanitizerConfig {
                                                  1. If configuration["removeProcessingInstructions"] - contains piTarget, then remove child.

                                                  @@ -126972,7 +126970,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-replaceWithChildrenElements">replaceWithChildrenElements
                                                  "] exists and configuration["replaceWithChildrenElements"] - contains elementName, then:

                                                  + sanitizer config list contains elementName, then:

                                                  1. Assert: node is not a Document.

                                                  2. @@ -127039,7 +127037,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"] exists and elementWithLocalAttributes["removeAttributes"] - contains attrName, then remove an + sanitizer config list contains attrName, then remove an attribute attribute.

                                                  3. Otherwise, if configuration["SanitizerConfig { contains">contain attrName and elementWithLocalAttributes["attributes"] does - not contain attrName, and if "sanitizer config list contains attrName, and if "data-" is not a prefix of attribute's local name or attribute's namespace is not null or @@ -127068,7 +127066,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes"] exists and elementWithLocalAttributes["attributes"] does - not contain attrName, then remove an + not sanitizer config list contains attrName, then remove an attribute attribute.

                                                  4. Otherwise, if configuration["SanitizerConfig {

                                                  5. Set element to the result of canonicalize a sanitizer element with element.

                                                  6. -
                                                  7. Let modified be the result of SanitizerConfig/remove +

                                                  8. Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

                                                  9. @@ -127280,7 +127278,7 @@ dictionary SanitizerConfig { contains">contains
                                                    element, then:

                                                      -
                                                    1. SanitizerConfig/remove element from +

                                                    2. Remove element from configuration["elements"].

                                                    3. @@ -127325,7 +127323,7 @@ dictionary SanitizerConfig { exists">exists, then:

                                                        -
                                                      1. Let modified be the result of SanitizerConfig/remove +

                                                      2. Let modified be the result of removing attribute from configuration["attributes"].

                                                      3. @@ -127340,7 +127338,7 @@ dictionary SanitizerConfig {
                                                        1. If element["attributes"] (or an - empty list if it does not exist) contains + empty list if it does not exist) sanitizer config list contains attribute, then:

                                                            @@ -127354,7 +127352,7 @@ dictionary SanitizerConfig {
                                                          1. If element["removeAttributes"] - (or an empty list if it does not exist) contains + (or an empty list if it does not exist) sanitizer config list contains attribute, then:

                                                              @@ -127392,15 +127390,15 @@ dictionary SanitizerConfig {
                                                              1. If element["attributes"] (or an - empty list if it does not exist) contains - attribute, then remove attribute + empty list if it does not exist) sanitizer config list contains + attribute, then remove attribute from element["attributes"].

                                                              2. If element["removeAttributes"] - (or an empty list if it does not exist) contains - attribute, then remove attribute + (or an empty list if it does not exist) sanitizer config list contains + attribute, then remove attribute from element["removeAttributes"].

                                                              @@ -127461,7 +127459,7 @@ dictionary SanitizerConfig {
                                      -

                                      To SanitizerConfig/remove an item from a list list:

                                      +

                                      To remove from sanitizer config list given an item and a list:

                                      1. Let removed be false.

                                      2. @@ -127477,7 +127475,7 @@ dictionary SanitizerConfig { member, then:

                                          -
                                        1. remove entry from +

                                        2. Remove entry from list.

                                        3. Set removed to true.

                                        4. @@ -127490,11 +127488,24 @@ dictionary SanitizerConfig {
                                      +
                                      +

                                      To sanitizer config list contains, given an item item and a list list:

                                      +
                                        +
                                      1. For each entry of list:

                                        +
                                          +
                                        1. If item has a target member, and entry has a matching target member, then return true.

                                        2. +
                                        3. Otherwise, if item's name member is equal to entry's name member and item's _namespace member is equal to entry's _namespace member, then return true.

                                        4. +
                                        +
                                      2. +
                                      3. Return false.

                                      4. +
                                      +
                                      +

                                      To SanitizerConfig/add a name to a list list:

                                        -
                                      1. If list contains name, then +

                                      2. If list sanitizer config list contains name, then return.

                                      3. Append name to list.

                                      4. From 1e5346a9ed2fb3aa0b863d41ff3f23b4526ca88b Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 19:11:09 +0100 Subject: [PATCH 12/35] use correct algos for PIs --- source | 138 +++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 94 insertions(+), 44 deletions(-) diff --git a/source b/source index 34ae28c5a03..1349c30d28f 100644 --- a/source +++ b/source @@ -125763,7 +125763,8 @@ interface Sanitizer {
                                        1. If configuration["processingInstructions"] contains pi, then return false.

                                        2. + data-x="contains a processing instruction target">contains pi, then return + false.

                                        3. Append pi to configuration["Sanitizer {

                                        -
                                      5. Otherwise:

                                        +
                                      6. +

                                        Otherwise:

                                          -
                                        1. If configuration["removeProcessingInstructions"] - sanitizer config list contains pi, then:

                                          +
                                        2. +

                                          If configuration["removeProcessingInstructions"] + contains pi, + then:

                                            -
                                          1. Remove the item from configuration["removeProcessingInstructions"] - whose target member is - pi's target.

                                          2. +
                                          3. Remove pi from + configuration["removeProcessingInstructions"].

                                          4. Return true.

                                          @@ -125813,16 +125815,14 @@ interface Sanitizer { data-x="map exists">exists, then:

                                            -
                                          1. If configuration["processingInstructions"] contains pi, then:

                                            +
                                          2. If configuration["processingInstructions"] contains pi, then:

                                            -
                                              -
                                            1. Remove the item from configuration["processingInstructions"] whose - target member is - pi's target.

                                            2. +
                                                +
                                              1. Remove pi from + configuration["processingInstructions"].

                                              2. Return true.

                                              @@ -125835,9 +125835,10 @@ interface Sanitizer {
                                            3. Otherwise:

                                                -
                                              1. If configuration["removeProcessingInstructions"] - sanitizer config list contains pi, then return false.

                                              2. +
                                              3. If configuration["removeProcessingInstructions"] + contains pi, then + return false.

                                              4. Append pi to configuration["SanitizerConfig { exists, then:

                                                  -
                                                1. Let modified be the result of removing - element from configuration["

                                                  Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

                                                2. If configuration["SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"] (or an empty list if it does not exist) is not empty, then return false.

                                                3. -
                                                4. Let modified be the result of removing - element from configuration["

                                                  Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

                                                5. If configuration["SanitizerConfig {

                                                6. If the built-in non-replaceable elements list contains element, then return false.

                                                7. -
                                                8. Let modified be the result of removing - element from configuration["

                                                  Let modified be the result of removing element from configuration["elements"].

                                                9. -
                                                10. If removing element from - configuration["

                                                  If removing element + from configuration["removeElements"] is true, then set modified to true.

                                                11. @@ -126689,8 +126690,8 @@ dictionary SanitizerConfig {
                                                12. If element["attributes"] (or an empty list if it does not exist) sanitizer config list contains - attribute, then remove attribute - from element["attribute, then remove + attribute from element["attributes"].

                                              5. @@ -127265,8 +127266,8 @@ dictionary SanitizerConfig {
                                              6. Set element to the result of canonicalize a sanitizer element with element.

                                              7. -
                                              8. Let modified be the result of removing - element from configuration["

                                                Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

                                              9. If configuration["elements"] @@ -127323,8 +127324,8 @@ dictionary SanitizerConfig { exists">exists, then:

                                                  -
                                                1. Let modified be the result of removing - attribute from configuration["

                                                  Let modified be the result of removing attribute from configuration["attributes"].

                                                2. If configuration["SanitizerConfig {

                                                3. If element["attributes"] (or an empty list if it does not exist) sanitizer config list contains - attribute, then remove attribute - from element["attribute, then remove + attribute from element["attributes"].

                                                4. If element["removeAttributes"] (or an empty list if it does not exist) sanitizer config list contains - attribute, then remove attribute - from element["attribute, then remove + attribute from element["removeAttributes"].

                                              10. @@ -127459,7 +127460,8 @@ dictionary SanitizerConfig {
                                      -

                                      To remove from sanitizer config list given an item and a list:

                                      +

                                      To remove from sanitizer config list given an item and a + list:

                                      1. Let removed be false.

                                      2. @@ -127489,12 +127491,21 @@ dictionary SanitizerConfig {
                                      -

                                      To sanitizer config list contains, given an item item and a list list:

                                      +

                                      To sanitizer config list contains, given an item item and a list + list:

                                      1. For each entry of list:

                                          -
                                        1. If item has a target member, and entry has a matching target member, then return true.

                                        2. -
                                        3. Otherwise, if item's name member is equal to entry's name member and item's _namespace member is equal to entry's _namespace member, then return true.

                                        4. +
                                        5. If item has a target member, and entry + has a matching target member, + then return true.

                                        6. +
                                        7. Otherwise, if item's name member is equal to entry's + name member and item's + _namespace member is equal to + entry's _namespace + member, then return true.

                                      2. Return false.

                                      3. @@ -127512,6 +127523,45 @@ dictionary SanitizerConfig {
                                      +
                                      +

                                      To check if a list list contains a processing instruction + target given item:

                                      +
                                        +
                                      1. For each entry of list:

                                        +
                                          +
                                        1. If item's target member is equal to + entry's target + member, then return true.

                                        2. +
                                        +
                                      2. +
                                      3. Return false.

                                      4. +
                                      +
                                      + +
                                      +

                                      To sanitizer config list remove target, given an item item and a list + list:

                                      +
                                        +
                                      1. Let removed be false.

                                      2. +
                                      3. For each entry of list:

                                        +
                                          +
                                        1. If item's target member is equal to + entry's target + member, then:

                                          +
                                            +
                                          1. remove entry from + list.

                                          2. +
                                          3. Set removed to true.

                                          4. +
                                          +
                                        2. +
                                        +
                                      4. +
                                      5. Return removed.

                                      6. +
                                      +
                                      +

                                      To canonicalize a sanitizer element with attributes a SanitizerElementWithAttributes element:
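Review bot: Processing-instruction matching is now specified twice: the new `contains a processing instruction target` compares `target` with "is equal to", while `sanitizer config list contains` in the preceding hunk keeps its own branch for items that "have a matching target member". Two definitions of one comparison can drift, and for an allow or remove list that means a target accepted by one check and missed by the other. Either drop the target branch from the generic algorithm or have it defer to the new one, so the comparison is stated once. Separately, `sanitizer config list remove target` removes entries from list while iterating over it; Infra's "remove all items from list whose …" phrasing avoids that ambiguity, with removed taken from a prior contains check.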

                                      From fa4dcc382764e7d827969117d6049c0c5001a2b0 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 19:54:49 +0100 Subject: [PATCH 13/35] fix refs --- source | 75 ++++++++++++++++++++++++++++------------------------------ 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/source b/source index 1349c30d28f..dcdc8a3dfcb 100644 --- a/source +++ b/source @@ -125785,7 +125785,7 @@ interface Sanitizer { then:

                                        -
                                      1. Remove pi from +

                                      2. Remove pi from configuration["removeProcessingInstructions"].

                                      3. @@ -125820,7 +125820,7 @@ interface Sanitizer { data-x="contains a processing instruction target">contains pi, then:

                                          -
                                        1. Remove pi from +

                                        2. Remove pi from configuration["processingInstructions"].

                                        3. @@ -126450,7 +126450,7 @@ dictionary SanitizerConfig {
                                        4. Set element["attributes"] to the - set/difference of element["set/difference of element["attributes"] and configuration["attributes"].

                                        5. @@ -126475,7 +126475,7 @@ dictionary SanitizerConfig {
                                        6. Set element["removeAttributes"] - to the intersection of element["intersection of element["removeAttributes"] and configuration["attributes"].

                                        7. @@ -126499,7 +126499,7 @@ dictionary SanitizerConfig {
                                        8. Set element["attributes"] to the - set/difference of element["set/difference of element["attributes"] and element["removeAttributes"] @@ -126510,7 +126510,7 @@ dictionary SanitizerConfig {

                                        9. Set element["attributes"] to the - set/difference of element["set/difference of element["attributes"] and configuration["removeAttributes"].

                                        10. @@ -126529,7 +126529,7 @@ dictionary SanitizerConfig {
                                        11. Set element["removeAttributes"] - to the set/difference of element["set/difference of element["removeAttributes"] and configuration["removeAttributes"].

                                        12. @@ -126604,7 +126604,7 @@ dictionary SanitizerConfig {

                                          The removeElement(element) method steps - are to return the result of remove an element with element and + are to return the result of removing element from this's configuration.

                                          @@ -126726,7 +126726,7 @@ dictionary SanitizerConfig {

                                          The removeAttribute(attribute) method - steps are to return the result of remove an attribute with attribute and + steps are to return the result of remove an attribute with attribute and this's configuration.

                                          @@ -127038,7 +127038,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes
                                          "] exists and elementWithLocalAttributes["removeAttributes"] - sanitizer config list contains attrName, then remove an + sanitizer config list contains attrName, then remove an attribute attribute.

                                        13. Otherwise, if configuration["SanitizerConfig { data-x="concept-attribute-namespace">namespace is not null or configuration["dataAttributes"] is not true, then - remove an attribute attribute.

                                        14. + remove an attribute attribute.

                                        @@ -127067,13 +127067,11 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes"] exists and elementWithLocalAttributes["attributes"] does - not sanitizer config list contains attrName, then remove an - attribute attribute.

                                        + not sanitizer config list contains attrName, then remove attribute from configuration.

                                      4. Otherwise, if configuration["removeAttributes"] contains attrName, then remove an - attribute attribute.

                                      5. + data-x="list contains">contains attrName, then remove attribute from configuration.
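Review bot: The two rewritten steps here now end in `remove attribute from configuration`, which reads as the SanitizerConfig algorithm "remove an attribute from a SanitizerConfig" rather than the DOM operation that strips the attribute from the element being sanitized. Taken literally, an attribute that is missing from the allow list, or that is listed in `removeAttributes`, would stay on the node while the configuration is mutated mid-sanitization. The neighbouring steps in this commit keep `remove an attribute attribute`; these steps should use the same wording and reference. The animating-URL step in the `@@ -127089,14 +127087,13 @@` hunk carries the same change and needs the same fix. The sanitize algorithm these steps belong to starts outside the hunk.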

                                      @@ -127081,7 +127079,7 @@ dictionary SanitizerConfig {
                                      1. If the pair (elementName, attrName) matches an entry in the built-in navigating URL attributes list, and if attribute - contains a javascript: URL, then remove an attribute + contains a javascript: URL, then remove an attribute attribute.

                                      2. If child's namespace is @@ -127089,14 +127087,13 @@ dictionary SanitizerConfig { data-x="concept-attribute-local-name">local name is "href", and attribute's namespace is null or the XLink namespace, and attribute contains a - javascript: URL, then remove an attribute + javascript: URL, then remove an attribute attribute.

                                      3. If the built-in animating URL attributes list contains the pair (elementName, attrName), and attribute's value is "href" or "xlink:href", then remove an - attribute attribute.

                                      4. + data-x="">href
                                        " or "xlink:href", then remove attribute from configuration.

                                    @@ -127112,7 +127109,7 @@ dictionary SanitizerConfig {
                                    -

                                    To determine whether an attribute attribute contains a javascript: +

                                    To determine whether an attribute attribute contains a javascript: URL:

                                      @@ -127256,7 +127253,7 @@ dictionary SanitizerConfig {
                                      -

                                      To remove an element element from a SanitizerConfig +

                                      To remove an element element from a SanitizerConfig configuration:

                                        @@ -127309,7 +127306,7 @@ dictionary SanitizerConfig {
                                      -

                                      To remove an attribute attribute from a SanitizerConfig +

                                      To remove an attribute attribute from a SanitizerConfig configuration:

                                        @@ -127431,7 +127428,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-removeElements">removeElements"]:

                                          -
                                        1. If remove an element element from configuration is +

                                        2. If removing element from configuration is true, then set result to true.

                                        @@ -127441,8 +127438,8 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-removeAttributes">removeAttributes
                                        "]:

                                          -
                                        1. If remove an attribute attribute from configuration - is true, then set result to true.

                                        2. +
                                        3. If removing attribute from configuration + returned true, then set result to true.

                                        @@ -127450,8 +127447,8 @@ dictionary SanitizerConfig { data-x="event handler content attributes">event handler content attribute:

                                          -
                                        1. If remove an attribute attribute from configuration - is true, then set result to true.

                                        2. +
                                        3. If removing attribute from configuration + returned true, then set result to true.

                                        @@ -127540,7 +127537,7 @@ dictionary SanitizerConfig {
                                      -

                                      To sanitizer config list remove target, given an item item and a list +

                                      To remove prcessing instruction from sanitizer config list, given an item item and a list list:

                                      1. Let removed be false.

                                      2. @@ -127753,7 +127750,7 @@ dictionary SanitizerConfig {
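Review bot: The renamed definition reads "remove prcessing instruction from sanitizer config list" as rendered here; "prcessing" should be "processing". This is the defining term that other steps link to, so the misspelling should be fixed in the definition text and in any cross-reference key that repeats it (the markup is not visible in this view, so confirm where it occurs). The later rewrap of the same paragraph in the "specfmt" commit carries the misspelling forward unchanged.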
                                      3. If config["elements"] exists:

                                          -
                                        1. If the intersection of config["

                                          If the intersection of config["elements"] and config["replaceWithChildrenElements"] is not empty, then return false.

                                        2. @@ -127762,7 +127759,7 @@ dictionary SanitizerConfig {
                                        3. Otherwise:

                                            -
                                          1. If the intersection of config["

                                            If the intersection of config["removeElements"] and config["replaceWithChildrenElements"] @@ -127797,14 +127794,14 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"] has duplicates, then return false.

                                          2. -
                                          3. If the intersection of config["

                                            If the intersection of config["attributes"] and element["attributes"] (or an empty list if it does not exist) is not empty, then return false.

                                          4. If element["removeAttributes"] - (or an empty list if it does not exist) is not a subset of + (or an empty list if it does not exist) is not a subset of config["attributes"], then return false.

                                          5. @@ -127851,13 +127848,13 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes
                                            "] has duplicates, then return false.

                                            -
                                          6. If the intersection of config["

                                            If the intersection of config["removeAttributes"] and element["attributes"] (or an empty list if it does not exist) is not empty, then return false.

                                          7. -
                                          8. If the intersection of config["

                                            If the intersection of config["removeAttributes"] and element["removeAttributes"] @@ -127907,18 +127904,18 @@ dictionary SanitizerConfig {

                                      -

                                      The intersection of two lists A and B containing +

                                      The intersection of sanitizer config lists A and B containing SanitizerElement or SanitizerAttribute items is a list containing all items that are present in both A and B.

                                      -

                                      A list A is a subset of a list B if every item in A - is also present in B.

                                      +

                                      A list A is a subset of a list B if A + contains everyh item in B.

                                      -

                                      To compute the difference of two lists A and +

                                      To compute the difference of two lists A and B:
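Review bot: The reworded subset definition is inverted: "A is a subset of B if A contains everyh item in B" describes a superset, whereas the removed text required every item in A to be present in B. The configuration validity steps earlier in this patch return false when element["removeAttributes"] "is not a subset of" config["attributes"]; under the new wording that check passes only when the per-element remove list contains the whole global allow-list, and it no longer rejects entries that are absent from it. Suggested wording: `A list A is a subset of a list B if B contains every item in A.`, which also removes the "everyh" typo. The rewrap of this paragraph in the following "specfmt" commit keeps the same inverted text; the "equal" definition after it is symmetric and is not affected.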

                                        @@ -127937,7 +127934,7 @@ dictionary SanitizerConfig {

                                        Two lists A and B are equal if A - is a subset of B and B is a subset of + is a subset of B and B is a subset of A.

                                        From 20a3c34b0c38b00fe1f1308800d4da6f7bbc88c7 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 19:57:15 +0100 Subject: [PATCH 14/35] specfmt --- source | 169 ++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 114 insertions(+), 55 deletions(-) diff --git a/source b/source index dcdc8a3dfcb..820e42dce7e 100644 --- a/source +++ b/source @@ -125720,6 +125720,41 @@ interface Sanitizer { boolean removeUnsafe(); };
                                        +
                                        +
                                        config = sanitizer.get()
                                        +

                                        Returns a copy of the sanitizer's configuration.

                                        + +
                                        sanitizer.allowElement(element)
                                        +

                                        Adds an element to the allow-list.

                                        + +
                                        sanitizer.removeElement(element)
                                        +

                                        Adds an element to the remove-list.

                                        + +
                                        sanitizer.replaceElementWithChildren(element)
                                        +

                                        Adds an element to the list of elements to be replaced with their children.

                                        + +
                                        sanitizer.allowAttribute(attribute)
                                        +

                                        Adds an attribute to the allow-list.

                                        + +
                                        sanitizer.removeAttribute(attribute)
                                        +

                                        Adds an attribute to the remove-list.

                                        + +
                                        sanitizer.allowProcessingInstruction(pi)
                                        +

                                        Adds a processing instruction to the allow-list.

                                        + +
                                        sanitizer.removeProcessingInstruction(pi)
                                        +

                                        Adds a processing instruction to the remove-list.

                                        + +
                                        sanitizer.setComments(allow)
                                        +

                                        Sets whether comments are allowed.

                                        + +
                                        sanitizer.setDataAttributes(allow)
                                        +

                                        Sets whether custom data attributes are allowed.

                                        + +
                                        sanitizer.removeUnsafe()
                                        +

                                        Removes all unsafe elements and attributes from the configuration.

                                        +
                                        +

                                        A Sanitizer has an associated configuration (a SanitizerConfig).
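Review bot: The new domintro entries for the mutating methods do not say what they return, although the hunk context shows `boolean removeUnsafe();` and the `removeElement(element)` method steps later in this patch "return the result of removing element". Only `config = sanitizer.get()` names its result. Consider writing the others in the same form, for example `modified = sanitizer.removeUnsafe()`, with a sentence stating what the boolean reports; it appears to be whether the configuration changed, since the remove-unsafe steps set result to true when a removal succeeds, but that should be confirmed against the method steps. The later commits that reword these entries keep the same shape.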

                                        @@ -125785,8 +125820,8 @@ interface Sanitizer { then:

                                          -
                                        1. Remove pi from - configuration["

                                          Remove + pi from configuration["removeProcessingInstructions"].

                                        2. Return true.

                                        3. @@ -125820,8 +125855,8 @@ interface Sanitizer { data-x="contains a processing instruction target">contains pi, then:

                                            -
                                          1. Remove pi from - configuration["

                                            Remove + pi from configuration["processingInstructions"].

                                          2. Return true.

                                          3. @@ -126450,7 +126485,8 @@ dictionary SanitizerConfig {
                                          4. Set element["attributes"] to the - set/difference of element["set/difference of + element["attributes"] and configuration["attributes"].

                                          5. @@ -126475,7 +126511,8 @@ dictionary SanitizerConfig {
                                          6. Set element["removeAttributes"] - to the intersection of element["intersection of + element["removeAttributes"] and configuration["attributes"].

                                          7. @@ -126499,7 +126536,8 @@ dictionary SanitizerConfig {
                                          8. Set element["attributes"] to the - set/difference of element["set/difference of + element["attributes"] and element["removeAttributes"] @@ -126510,7 +126548,8 @@ dictionary SanitizerConfig {

                                          9. Set element["attributes"] to the - set/difference of element["set/difference of + element["attributes"] and configuration["removeAttributes"].

                                          10. @@ -126529,7 +126568,8 @@ dictionary SanitizerConfig {
                                          11. Set element["removeAttributes"] - to the set/difference of element["set/difference of + element["removeAttributes"] and configuration["removeAttributes"].

                                          12. @@ -126604,8 +126644,8 @@ dictionary SanitizerConfig {

                                            The removeElement(element) method steps - are to return the result of removing element from - this's configuration.

                                            + are to return the result of removing + element from this's configuration.

                                            @@ -126726,8 +126766,9 @@ dictionary SanitizerConfig {

                                            The removeAttribute(attribute) method - steps are to return the result of remove an attribute with attribute and - this's configuration.

                                            + steps are to return the result of remove + an attribute with attribute and this's + configuration.

                                            @@ -127038,8 +127079,9 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"] exists and elementWithLocalAttributes["removeAttributes"] - sanitizer config list contains attrName, then remove an - attribute attribute.

                                            + sanitizer config list contains attrName, then remove an attribute + attribute.

                                          13. Otherwise, if configuration["attributes"] namespace is not null or configuration["dataAttributes"] is not true, then - remove an attribute attribute.

                                          14. + remove an attribute + attribute.

                                          @@ -127067,11 +127110,15 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes"] exists and elementWithLocalAttributes["attributes"] does - not sanitizer config list contains attrName, then remove attribute from configuration.

                                          + not sanitizer config list contains attrName, then remove attribute + from configuration.

                                        4. Otherwise, if configuration["removeAttributes"] contains attrName, then remove attribute from configuration.

                                        5. + data-x="list contains">contains attrName, then remove attribute from + configuration.

                                        @@ -127079,7 +127126,8 @@ dictionary SanitizerConfig {
                                        1. If the pair (elementName, attrName) matches an entry in the built-in navigating URL attributes list, and if attribute - contains a javascript: URL, then remove an attribute + contains a javascript: URL, then remove an attribute attribute.

                                        2. If child's namespace is @@ -127087,13 +127135,15 @@ dictionary SanitizerConfig { data-x="concept-attribute-local-name">local name is "href", and attribute's namespace is null or the XLink namespace, and attribute contains a - javascript: URL, then remove an attribute - attribute.

                                        3. + javascript: URL, then remove an attribute attribute.

                                        4. If the built-in animating URL attributes list contains the pair (elementName, attrName), and attribute's value is "href" or "xlink:href", then remove attribute from configuration.

                                        5. + data-x="">href
                                          " or "xlink:href", then remove attribute from + configuration.

                                      @@ -127253,8 +127303,8 @@ dictionary SanitizerConfig {
                                      -

                                      To remove an element element from a SanitizerConfig - configuration:

                                      +

                                      To remove an element + element from a SanitizerConfig configuration:

                                      1. Assert: configuration is SanitizerConfig {

                                      -

                                      To remove an attribute attribute from a SanitizerConfig - configuration:

                                      +

                                      To remove an attribute + attribute from a SanitizerConfig configuration:

                                      1. Assert: configuration is SanitizerConfig { data-x="dom-SanitizerConfig-removeElements">removeElements"]:

                                          -
                                        1. If removing element from configuration is - true, then set result to true.

                                        2. +
                                        3. If removing + element from configuration is true, then set result to + true.

                                      2. @@ -127438,8 +127489,9 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-removeAttributes">removeAttributes
                                        "]:

                                          -
                                        1. If removing attribute from configuration - returned true, then set result to true.

                                        2. +
                                        3. If removing + attribute from configuration returned true, then set result to + true.

                                        @@ -127447,8 +127499,9 @@ dictionary SanitizerConfig { data-x="event handler content attributes">event handler content attribute:

                                          -
                                        1. If removing attribute from configuration - returned true, then set result to true.

                                        2. +
                                        3. If removing + attribute from configuration returned true, then set result to + true.

                                        @@ -127537,8 +127590,8 @@ dictionary SanitizerConfig {
                                      -

                                      To remove prcessing instruction from sanitizer config list, given an item item and a list - list:

                                      +

                                      To remove prcessing instruction from sanitizer config list, given an item + item and a list list:

                                      1. Let removed be false.

                                      2. For each entry of list:

                                        @@ -127750,8 +127803,9 @@ dictionary SanitizerConfig {
                                      3. If config["elements"] exists:

                                          -
                                        1. If the intersection of config["elements"] and config["

                                          If the intersection of + config["elements"] and + config["replaceWithChildrenElements"] is not empty, then return false.

                                        @@ -127759,9 +127813,9 @@ dictionary SanitizerConfig {
                                      4. Otherwise:

                                          -
                                        1. If the intersection of config["removeElements"] and - config["

                                          If the intersection of + config["removeElements"] + and config["replaceWithChildrenElements"] is not empty, then return false.

                                        @@ -127794,16 +127848,17 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"] has duplicates, then return false.

                                      5. -
                                      6. If the intersection of config["attributes"] and element["

                                        If the intersection of + config["attributes"] and + element["attributes"] (or an empty list if it does not exist) is not empty, then return false.

                                      7. If element["removeAttributes"] - (or an empty list if it does not exist) is not a subset of - config["attributes"], then - return false.

                                      8. + (or an empty list if it does not exist) is not a subset of config["attributes"], then return false.

                                      9. If config["dataAttributes"] is true and @@ -127848,13 +127903,15 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"] has duplicates, then return false.

                                      10. -
                                      11. If the intersection of config["

                                        If the intersection of + config["removeAttributes"] and element["attributes"] (or an empty list if it does not exist) is not empty, then return false.

                                      12. -
                                      13. If the intersection of config["

                                        If the intersection of + config["removeAttributes"] and element["removeAttributes"] @@ -127904,19 +127961,21 @@ dictionary SanitizerConfig {

                                      -

                                      The intersection of sanitizer config lists A and B containing - SanitizerElement or SanitizerAttribute items is a list - containing all items that are present in both A and B.

                                      +

                                      The intersection of sanitizer config lists + A and B containing SanitizerElement or + SanitizerAttribute items is a list containing all items that are present + in both A and B.

                                      -

                                      A list A is a subset of a list B if A - contains everyh item in B.

                                      +

                                      A list A is a subset of a list + B if A contains everyh + item in B.

                                      -

                                      To compute the difference of two lists A and - B:

                                      +

                                      To compute the difference of two lists + A and B:

                                      1. Let result be an empty list.

                                      2. @@ -127934,8 +127993,8 @@ dictionary SanitizerConfig {

                                        Two lists A and B are equal if A - is a subset of B and B is a subset of - A.

                                        + is a subset of B and B is a + subset of A.

                                        The built-in non-replaceable elements list contains elements that must not be From d56f519d93e434d88bab6582caeff723c4c8f57d Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 20:40:10 +0100 Subject: [PATCH 15/35] domintro --- source | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/source b/source index 820e42dce7e..c8930190af4 100644 --- a/source +++ b/source @@ -125722,37 +125722,38 @@ interface Sanitizer {

                                        config = sanitizer.get()
                                        -

                                        Returns a copy of the sanitizer's configuration.

                                        +

                                        Returns a copy of the sanitizer's configuration.

                                        sanitizer.allowElement(element)
                                        -

                                        Adds an element to the allow-list.

                                        +

                                        Ensures that the sanitizer configuration allows the specified element.

                                        sanitizer.removeElement(element)
                                        -

                                        Adds an element to the remove-list.

                                        +

                                        Ensures that the sanitizer configuration blocks the specified element.

                                        sanitizer.replaceElementWithChildren(element)
                                        -

                                        Adds an element to the list of elements to be replaced with their children.

                                        +

                                        Configures the sanitizer to remove the specified element but keep its child nodes.

                                        sanitizer.allowAttribute(attribute)
                                        -

                                        Adds an attribute to the allow-list.

                                        +

                                        Configures the sanitizer to allow the specified attribute globally.

                                        -
                                        sanitizer.removeAttribute(attribute)
                                        -

                                        Adds an attribute to the remove-list.

                                        +
                                        sanitizer.removeAttribute(attribute)
                                        +

                                        Configures the sanitizer to block the specified attribute globally.

                                        sanitizer.allowProcessingInstruction(pi)
                                        -

                                        Adds a processing instruction to the allow-list.

                                        +

                                        Configures the sanitizer to allow the specified processing instruction.

                                        sanitizer.removeProcessingInstruction(pi)
                                        -

                                        Adds a processing instruction to the remove-list.

                                        +

                                        Configures the sanitizer to block the specified processing instruction.

                                        sanitizer.setComments(allow)
                                        -

                                        Sets whether comments are allowed.

                                        +

                                        Sets whether the sanitizer preserves comments.

                                        sanitizer.setDataAttributes(allow)
                                        -

                                        Sets whether custom data attributes are allowed.

                                        +

                                        Sets whether the sanitizer preserves custom data attributes (e.g., data-*).

                                        sanitizer.removeUnsafe()
                                        -

                                        Removes all unsafe elements and attributes from the configuration.

                                        +

                                        Modifies the configuration to automatically remove elements and attributes that are considered unsafe.

                                        A Sanitizer has an associated configuration (a From aec3faa405961ca07a1d07c1c27801d6b9cf01ab Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 20:42:10 +0100 Subject: [PATCH 16/35] specfmt --- source | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/source b/source index c8930190af4..94bc89fea7b 100644 --- a/source +++ b/source @@ -125722,7 +125722,8 @@ interface Sanitizer {

                                        config = sanitizer.get()
                                        -

                                        Returns a copy of the sanitizer's configuration.

                                        +

                                        Returns a copy of the sanitizer's configuration.

                                        sanitizer.allowElement(element)

                                        Ensures that the sanitizer configuration allows the specified element.

                                        @@ -125731,7 +125732,8 @@ interface Sanitizer {

                                        Ensures that the sanitizer configuration blocks the specified element.

                                        sanitizer.replaceElementWithChildren(element)
                                        -

                                        Configures the sanitizer to remove the specified element but keep its child nodes.

                                        +

                                        Configures the sanitizer to remove the specified element but keep its child + nodes.

                                        sanitizer.allowAttribute(attribute)

                                        Configures the sanitizer to allow the specified attribute globally.

                                        @@ -125750,10 +125752,11 @@ interface Sanitizer {
                                        sanitizer.setDataAttributes(allow)

                                        Sets whether the sanitizer preserves custom data attributes (e.g., data-*).

                                        + data-x="attr-data-*">data-*
                                        ).

                                        sanitizer.removeUnsafe()
                                        -

                                        Modifies the configuration to automatically remove elements and attributes that are considered unsafe.

                                        +

                                        Modifies the configuration to automatically remove elements and attributes that are + considered unsafe.

                                        A Sanitizer has an associated configuration (a From 272087b5067ba94d5a437038bf71a503921e386d Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 21 Apr 2026 21:04:12 +0100 Subject: [PATCH 17/35] nits --- source | 57 ++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 23 deletions(-) diff --git a/source b/source index 94bc89fea7b..aff3eb90e9d 100644 --- a/source +++ b/source @@ -126859,16 +126859,28 @@ dictionary SanitizerConfig { and a boolean safe:

                                          -
                                        1. If safe is true, contextElement's local name is "script", and - contextElement's namespace is the - HTML namespace or the SVG namespace, then return.

                                        2. +
                                        3. +

                                          If all of the following are true:

                                          -
                                        4. Let sanitizer be the result of calling get a sanitizer instance from - options with options and safe.

                                        5. +
                                            +
                                          • safe is true;

                                          • + +
                                          • contextElement's local name + is "script"; and

                                          • + +
                                          • contextElement's namespace + is the HTML namespace or the SVG namespace,

                                          • +
                                          -
                                        6. Let newChildren be the result of the HTML fragment parsing - algorithm given contextElement, html, and true.

                                        7. +

                                          then return.

                                          + + +
                                        8. Let sanitizer be the result of calling getting a sanitizer from options given safe.

                                        9. + +
                                        10. Let newChildren be the result of parsing a fragment given contextElement, html, and + true.

                                        11. Let fragment be a new DocumentFragment whose node document is contextElement's node document.

                                        12. @@ -126876,7 +126888,7 @@ dictionary SanitizerConfig {
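Review bot: The rewritten step reads "Let sanitizer be the result of calling getting a sanitizer from options given safe", where "calling getting" is left over from the old "calling get a sanitizer instance" phrasing. Suggested: `Let sanitizer be the result of getting a sanitizer from options given safe.` As rendered, it is also unclear whether options is still passed as an argument or is only part of the algorithm's name; the old step passed "options and safe" explicitly, so it is worth confirming that the markup keeps options as a variable. The algorithm these steps belong to begins outside this hunk.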
                                        13. For each node in newChildren, append node to fragment.

                                        14. -
                                        15. Call sanitize on fragment with sanitizer and +

                                        16. Sanitize fragment given sanitizer and safe.

                                        17. Replace all with fragment within @@ -126943,16 +126955,15 @@ dictionary SanitizerConfig {
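Review bot: After this change the visible wording "Sanitize … given …" is used for two different algorithms: here for the outer operation (`Sanitize fragment given sanitizer and safe`) and, in the following hunks of this commit, for the renamed "inner sanitize steps" (`Sanitize node given configuration and safe`, `Sanitize child given configuration and handleJavascriptNavigationUrls`). The steps shown in the next hunk call remove unsafe on the configuration when safe is true before invoking the inner steps, so a reader who cannot see the link target may misread which algorithm runs and whether that hardening applies. Consider wording the inner invocations as `Perform the inner sanitize steps on node given configuration and safe` so the prose is unambiguous without the cross-reference. The markup is not visible in this view, so this concerns the rendered text only.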

                                        18. If safe is true, then set configuration to the result of calling remove unsafe on configuration.

                                        19. -
                                        20. Call sanitize core on node, configuration, and with - handleJavascriptNavigationUrls set to safe.

                                        21. +
                                        22. Sanitize node given + configuration and safe.

                                      -

                                      The sanitize core operation, using a Node node, a +

                                      To perform the inner sanitize steps on a Node node, given a SanitizerConfig configuration, and a boolean - handleJavascriptNavigationUrls, recurses over the DOM tree beginning with - node. It consists of these steps:

                                      + handleJavascriptNavigationUrls:

                                      1. For each child of node's SanitizerConfig {
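Review bot: The new call `Sanitize node given configuration and safe` reads the same as the outer algorithm's `Sanitize fragment given sanitizer and safe` in the previous hunk, although it is meant to enter the algorithm this hunk now defines as "inner sanitize steps". The outer algorithm takes a sanitizer and applies remove unsafe when safe is true, while the inner steps take a SanitizerConfig and handleJavascriptNavigationUrls, so an implementer following the visible wording could recurse into the wrong one. The cross-reference markup is not visible in this view and may already disambiguate the link target. I would word the call after the definition, `Perform the inner sanitize steps on node given configuration and safe`. The same applies to the recursive calls on child, child's template contents and child's shadow root in the hunks that follow, including `@@ -127053,13 +127064,13 @@` and `@@ -127153,8 +127164,8 @@`.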

                                        1. Assert: node is not a Document.

                                        2. -
                                        3. Call sanitize core on child with configuration - and handleJavascriptNavigationUrls.

                                        4. +
                                        5. Sanitize child given + configuration and handleJavascriptNavigationUrls.

                                        6. Replace all with child's children within child.

                                        7. @@ -127053,13 +127064,13 @@ dictionary SanitizerConfig {
                                        8. If elementName is a template element in the HTML - namespace, then call sanitize core on child's template - contents with configuration and + namespace, then sanitize child's + template contents given configuration and handleJavascriptNavigationUrls.

                                        9. -
                                        10. If child is a shadow host, then call sanitize - core on child's shadow root with configuration and - handleJavascriptNavigationUrls.

                                        11. +
                                        12. If child is a shadow host, then sanitize child's shadow root given + configuration and handleJavascriptNavigationUrls.

                                        13. Let elementWithLocalAttributes be null.

                                        14. @@ -127153,8 +127164,8 @@ dictionary SanitizerConfig {
                                      2. -
                                      3. Call sanitize core on child with configuration and - handleJavascriptNavigationUrls.

                                      4. +
                                      5. Sanitize child given + configuration and handleJavascriptNavigationUrls.

                                    From cc85dec20e80acdb31a6e9f0765726a83ff3687a Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Wed, 22 Apr 2026 11:43:04 +0100 Subject: [PATCH 18/35] Include built-ins --- source | 1535 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 1482 insertions(+), 53 deletions(-) diff --git a/source b/source index aff3eb90e9d..41ace5cf09e 100644 --- a/source +++ b/source @@ -127190,64 +127190,1493 @@ dictionary SanitizerConfig {

                                    Sanitization constants

                                    -

                                    The built-in safe baseline configuration is a SanitizerConfig whose - members are as follows:

                                    +

                                    The built-in safe baseline configuration is the result of parsing the following JSON string:

                                    -
                                    -
                                    removeElements
                                    -
                                    -

                                    A list of SanitizerElementNamespace dictionaries:

                                    -
                                      -
                                    • { name: "embed", _namespace: HTML namespace - }

                                    • -
                                    • { name: "frame", _namespace: HTML namespace - }

                                    • -
                                    • { name: "iframe", _namespace: HTML namespace - }

                                    • -
                                    • { name: "object", _namespace: HTML namespace - }

                                    • -
                                    • { name: "script", _namespace: HTML namespace - }

                                    • -
                                    • { name: "script", _namespace: SVG namespace - }

                                    • -
                                    • { name: "use", _namespace: SVG namespace - }

                                    • -
                                    -
                                    - -
                                    removeAttributes
                                    -

                                    An empty list.

                                    -
                                    - -

                                    The remove unsafe algorithm additionally removes all event - handler content attributes, which are not listed in the baseline configuration above.

                                    +
                                    
                                    +{
                                    +  "removeElements": [
                                    +    {
                                    +      "namespace": "http://www.w3.org/1999/xhtml",
                                    +      "name": "embed"
                                    +    },
                                    +    {
                                    +      "namespace": "http://www.w3.org/1999/xhtml",
                                    +      "name": "frame"
                                    +    },
                                    +    {
                                    +      "namespace": "http://www.w3.org/1999/xhtml",
                                    +      "name": "iframe"
                                    +    },
                                    +    {
                                    +      "namespace": "http://www.w3.org/1999/xhtml",
                                    +      "name": "object"
                                    +    },
                                    +    {
                                    +      "namespace": "http://www.w3.org/1999/xhtml",
                                    +      "name": "script"
                                    +    },
                                    +    {
                                    +      "namespace": "http://www.w3.org/2000/svg",
                                    +      "name": "script"
                                    +    },
                                    +    {
                                    +      "namespace": "http://www.w3.org/2000/svg",
                                    +      "name": "use"
                                    +    }
                                    +  ],
                                    +  "removeAttributes": [
                                    +    "onafterprint",
                                    +    "onauxclick",
                                    +    "onbeforeinput",
                                    +    "onbeforematch",
                                    +    "onbeforeprint",
                                    +    "onbeforeunload",
                                    +    "onbeforetoggle",
                                    +    "onblur",
                                    +    "oncancel",
                                    +    "oncanplay",
                                    +    "oncanplaythrough",
                                    +    "onchange",
                                    +    "onclick",
                                    +    "onclose",
                                    +    "oncontextlost",
                                    +    "oncontextmenu",
                                    +    "oncontextrestored",
                                    +    "oncopy",
                                    +    "oncuechange",
                                    +    "oncut",
                                    +    "ondblclick",
                                    +    "ondrag",
                                    +    "ondragend",
                                    +    "ondragenter",
                                    +    "ondragleave",
                                    +    "ondragover",
                                    +    "ondragstart",
                                    +    "ondrop",
                                    +    "ondurationchange",
                                    +    "onemptied",
                                    +    "onended",
                                    +    "onerror",
                                    +    "onfocus",
                                    +    "onformdata",
                                    +    "onhashchange",
                                    +    "oninput",
                                    +    "oninvalid",
                                    +    "onkeydown",
                                    +    "onkeypress",
                                    +    "onkeyup",
                                    +    "onlanguagechange",
                                    +    "onload",
                                    +    "onloadeddata",
                                    +    "onloadedmetadata",
                                    +    "onloadstart",
                                    +    "onmessage",
                                    +    "onmessageerror",
                                    +    "onmousedown",
                                    +    "onmouseenter",
                                    +    "onmouseleave",
                                    +    "onmousemove",
                                    +    "onmouseout",
                                    +    "onmouseover",
                                    +    "onmouseup",
                                    +    "onoffline",
                                    +    "ononline",
                                    +    "onpagehide",
                                    +    "onpagereveal",
                                    +    "onpageshow",
                                    +    "onpageswap",
                                    +    "onpaste",
                                    +    "onpause",
                                    +    "onplay",
                                    +    "onplaying",
                                    +    "onpopstate",
                                    +    "onprogress",
                                    +    "onratechange",
                                    +    "onreset",
                                    +    "onresize",
                                    +    "onrejectionhandled",
                                    +    "onscroll",
                                    +    "onscrollend",
                                    +    "onsecuritypolicyviolation",
                                    +    "onseeked",
                                    +    "onseeking",
                                    +    "onselect",
                                    +    "onslotchange",
                                    +    "onstalled",
                                    +    "onstorage",
                                    +    "onsubmit",
                                    +    "onsuspend",
                                    +    "ontimeupdate",
                                    +    "ontoggle",
                                    +    "onunhandledrejection",
                                    +    "onunload",
                                    +    "onvolumechange",
                                    +    "onwaiting",
                                    +    "onwheel"
                                    +  ]
                                    +}
                                    +  
                                    -

                                    The built-in safe default configuration is a SanitizerConfig whose - members are as follows:

                                    +

                                    The built-in safe default configuration is the result of parse a JSON string to an Infra value on the following JSON string:

                                    -
                                    -
                                    elements
                                    -

                                    A list of SanitizerElementWithAttributes dictionaries, representing a safe - subset of HTML, SVG, and MathML elements.

                                    - -
                                    attributes
                                    -

                                    A list of SanitizerAttributeNamespace dictionaries, representing a safe - subset of HTML, SVG, and MathML attributes.

                                    +
                                    
                                    +{
                                    +  "elements": [
                                    +    {
                                    +      "name": "math",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "merror",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mfrac",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mi",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mmultiscripts",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mn",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mo",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": [
                                    +        {
                                    +          "name": "fence",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "form",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "largeop",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "lspace",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "maxsize",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "minsize",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "movablelimits",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "rspace",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "separator",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "stretchy",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "symmetric",
                                    +          "namespace": null
                                    +        }
                                    +      ]
                                    +    },
                                    +    {
                                    +      "name": "mover",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": [
                                    +        {
                                    +          "name": "accent",
                                    +          "namespace": null
                                    +        }
                                    +      ]
                                    +    },
                                    +    {
                                    +      "name": "mpadded",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": [
                                    +        {
                                    +          "name": "depth",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "height",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "lspace",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "voffset",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "width",
                                    +          "namespace": null
                                    +        }
                                    +      ]
                                    +    },
                                    +    {
                                    +      "name": "mphantom",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mprescripts",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mroot",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mrow",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "ms",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mspace",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": [
                                    +        {
                                    +          "name": "depth",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "height",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "width",
                                    +          "namespace": null
                                    +        }
                                    +      ]
                                    +    },
                                    +    {
                                    +      "name": "msqrt",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mstyle",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "msub",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "msubsup",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "msup",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mtable",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mtd",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": [
                                    +        {
                                    +          "name": "columnspan",
                                    +          "namespace": null
                                    +        },
                                    +        {
                                    +          "name": "rowspan",
                                    +          "namespace": null
                                    +        }
                                    +      ]
                                    +    },
                                    +    {
                                    +      "name": "mtext",
                                    +      "namespace": "http://www.w3.org/1998/Math/MathML",
                                    +      "attributes": []
                                    +    },
                                    +    {
                                    +      "name": "mtr",
                                     
                                    -   
                                    comments
                                    -

                                    true

                                    -
                                    +"namespace": "http://www.w3.org/1998/Math/MathML", + "attributes": [] + }, + { + "name": "munder", + "namespace": "http://www.w3.org/1998/Math/MathML", + "attributes": [ + { + "name": "accentunder", + "namespace": null + } + ] + }, + { + "name": "munderover", + "namespace": "http://www.w3.org/1998/Math/MathML", + "attributes": [ + { + "name": "accent", + "namespace": null + }, + { + "name": "accentunder", + "namespace": null + } + ] + }, + { + "name": "semantics", + "namespace": "http://www.w3.org/1998/Math/MathML", + "attributes": [] + }, + { + "name": "a", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "href", + "namespace": null + }, + { + "name": "hreflang", + "namespace": null + }, + { + "name": "type", + "namespace": null + } + ] + }, + { + "name": "abbr", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "address", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "article", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "aside", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "b", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "bdi", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "bdo", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "blockquote", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "cite", + "namespace": null + } + ] + }, + { + "name": "body", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "br", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "caption", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "cite", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + 
"name": "code", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "col", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "span", + "namespace": null + } + ] + }, + { + "name": "colgroup", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "span", + "namespace": null + } + ] + }, + { + "name": "data", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "value", + "namespace": null + } + ] + }, + { + "name": "dd", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "del", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "cite", + "namespace": null + }, + { + "name": "datetime", + "namespace": null + } + ] + }, + { + "name": "dfn", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "div", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "dl", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "dt", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "em", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "figcaption", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "figure", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "footer", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "h1", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { -

                                    The exact contents of the built-in safe default configuration are - intended to be a conservative subset of the web platform that is known to be safe. It is subject - to change as the platform evolves.

                                    +"name": "h2", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "h3", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "h4", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "h5", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "h6", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "head", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "header", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "hgroup", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "hr", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "html", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "i", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "ins", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "cite", + "namespace": null + }, + { + "name": "datetime", + "namespace": null + } + ] + }, + { + "name": "kbd", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "li", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "value", + "namespace": null + } + ] + }, + { + "name": "main", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "mark", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "menu", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "nav", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "ol", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "reversed", + "namespace": null + }, + { + "name": "start", + 
"namespace": null + }, + { + "name": "type", + "namespace": null + } + ] + }, + { + "name": "p", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "pre", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "q", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "rp", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "rt", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "ruby", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "s", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "samp", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "search", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "section", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "small", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "span", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "strong", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "sub", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "sup", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "table", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "tbody", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "td", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + +"name": "colspan", + "namespace": null + }, + { + "name": "headers", + "namespace": null + }, + { + "name": "rowspan", + "namespace": null + } + ] + }, + { + "name": "tfoot", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + 
"name": "th", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "abbr", + "namespace": null + }, + { + "name": "colspan", + "namespace": null + }, + { + "name": "headers", + "namespace": null + }, + { + "name": "rowspan", + "namespace": null + }, + { + "name": "scope", + "namespace": null + } + ] + }, + { + "name": "thead", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "time", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [ + { + "name": "datetime", + "namespace": null + } + ] + }, + { + "name": "title", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "tr", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "u", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "ul", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "var", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "wbr", + "namespace": "http://www.w3.org/1999/xhtml", + "attributes": [] + }, + { + "name": "a", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "href", + "namespace": null + }, + { + "name": "hreflang", + "namespace": null + }, + { + "name": "type", + "namespace": null + } + ] + }, + { + "name": "circle", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "cx", + "namespace": null + }, + { + "name": "cy", + "namespace": null + }, + { + "name": "pathLength", + "namespace": null + }, + { + "name": "r", + "namespace": null + } + ] + }, + { + "name": "defs", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [] + }, + { + "name": "desc", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [] + }, + { + "name": "ellipse", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "cx", + "namespace": null + }, + { + "name": "cy", + "namespace": null + }, 
+ { + "name": "pathLength", + "namespace": null + }, + { + "name": "rx", + "namespace": null + }, + { + "name": "ry", + "namespace": null + } + ] + }, + { + "name": "foreignObject", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "height", + "namespace": null + }, + { + "name": "width", + "namespace": null + }, + { + "name": "x", + "namespace": null + }, + { + "name": "y", + "namespace": null + } + ] + }, + { + "name": "g", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [] + }, + { + "name": "line", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "pathLength", + "namespace": null + }, + { + "name": "x1", + "namespace": null + }, + { + "name": "x2", + "namespace": null + }, + { + "name": "y1", + "namespace": null + }, + { + "name": "y2", + "namespace": null + } + ] + }, + { + "name": "marker", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "markerHeight", + "namespace": null + }, + { + "name": "markerUnits", + +"namespace": null + }, + { + "name": "markerWidth", + "namespace": null + }, + { + "name": "orient", + "namespace": null + }, + { + "name": "preserveAspectRatio", + "namespace": null + }, + { + "name": "refX", + "namespace": null + }, + { + "name": "refY", + "namespace": null + }, + { + "name": "viewBox", + "namespace": null + } + ] + }, + { + "name": "metadata", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [] + }, + { + "name": "path", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "d", + "namespace": null + }, + { + "name": "pathLength", + "namespace": null + } + ] + }, + { + "name": "polygon", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "pathLength", + "namespace": null + }, + { + "name": "points", + "namespace": null + } + ] + }, + { + "name": "polyline", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "pathLength", + "namespace": null + }, + { + 
"name": "points", + "namespace": null + } + ] + }, + { + "name": "rect", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "height", + "namespace": null + }, + { + "name": "pathLength", + "namespace": null + }, + { + "name": "rx", + "namespace": null + }, + { + "name": "ry", + "namespace": null + }, + { + "name": "width", + "namespace": null + }, + { + "name": "x", + "namespace": null + }, + { + "name": "y", + "namespace": null + } + ] + }, + { + "name": "svg", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "height", + "namespace": null + }, + { + "name": "preserveAspectRatio", + "namespace": null + }, + { + "name": "viewBox", + "namespace": null + }, + { + "name": "width", + "namespace": null + }, + { + "name": "x", + "namespace": null + }, + { + "name": "y", + "namespace": null + } + ] + }, + { + "name": "text", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "dx", + "namespace": null + }, + { + "name": "dy", + "namespace": null + }, + { + "name": "lengthAdjust", + "namespace": null + }, + { + "name": "rotate", + "namespace": null + }, + { + "name": "textLength", + "namespace": null + }, + { + "name": "x", + "namespace": null + }, + { + "name": "y", + "namespace": null + } + ] + }, + { + "name": "textPath", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "lengthAdjust", + "namespace": null + }, + { + "name": "method", + "namespace": null + }, + { + "name": "path", + "namespace": null + }, + { + "name": "side", + "namespace": null + }, + { + "name": "spacing", + "namespace": null + }, + { + "name": "startOffset", + "namespace": null + }, + { + "name": "textLength", + "namespace": null + } + ] + }, + { + "name": "title", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [] + }, + { + "name": "tspan", + "namespace": "http://www.w3.org/2000/svg", + "attributes": [ + { + "name": "dx", + "namespace": null + }, + { + "name": "dy", + "namespace": 
null + }, + { + "name": "lengthAdjust", + "namespace": null + }, + { + "name": "rotate", + "namespace": null + }, + +{ + "name": "textLength", + "namespace": null + }, + { + "name": "x", + "namespace": null + }, + { + "name": "y", + "namespace": null + } + ] + } + ], + "processingInstructions": [], + "attributes": [ + { + "name": "alignment-baseline", + "namespace": null + }, + { + "name": "baseline-shift", + "namespace": null + }, + { + "name": "clip-path", + "namespace": null + }, + { + "name": "clip-rule", + "namespace": null + }, + { + "name": "color", + "namespace": null + }, + { + "name": "color-interpolation", + "namespace": null + }, + { + "name": "cursor", + "namespace": null + }, + { + "name": "dir", + "namespace": null + }, + { + "name": "direction", + "namespace": null + }, + { + "name": "display", + "namespace": null + }, + { + "name": "displaystyle", + "namespace": null + }, + { + "name": "dominant-baseline", + "namespace": null + }, + { + "name": "fill", + "namespace": null + }, + { + "name": "fill-opacity", + "namespace": null + }, + { + "name": "fill-rule", + "namespace": null + }, + { + "name": "font-family", + "namespace": null + }, + { + "name": "font-size", + "namespace": null + }, + { + "name": "font-size-adjust", + "namespace": null + }, + { + "name": "font-stretch", + "namespace": null + }, + { + "name": "font-style", + "namespace": null + }, + { + "name": "font-variant", + "namespace": null + }, + { + "name": "font-weight", + "namespace": null + }, + { + "name": "lang", + "namespace": null + }, + { + "name": "letter-spacing", + "namespace": null + }, + { + "name": "marker-end", + "namespace": null + }, + { + "name": "marker-mid", + "namespace": null + }, + { + "name": "marker-start", + "namespace": null + }, + { + "name": "mathbackground", + "namespace": null + }, + { + "name": "mathcolor", + "namespace": null + }, + { + "name": "mathsize", + "namespace": null + }, + { + "name": "opacity", + "namespace": null + }, + { + "name": 
"paint-order", + "namespace": null + }, + { + "name": "pointer-events", + "namespace": null + }, + { + "name": "scriptlevel", + "namespace": null + }, + { + "name": "shape-rendering", + "namespace": null + }, + { + "name": "stop-color", + "namespace": null + }, + { + "name": "stop-opacity", + "namespace": null + }, + { + "name": "stroke", + "namespace": null + }, + { + "name": "stroke-dasharray", + "namespace": null + }, + { + "name": "stroke-dashoffset", + "namespace": null + }, + { + "name": "stroke-linecap", + "namespace": null + }, + { + "name": "stroke-linejoin", + "namespace": null + }, + { + "name": "stroke-miterlimit", + "namespace": null + }, + { + "name": "stroke-opacity", + "namespace": null + }, + { + "name": "stroke-width", + "namespace": null + }, + { + "name": "text-anchor", + "namespace": null + }, + { + "name": "text-decoration", + "namespace": null + }, + { + "name": "text-overflow", + "namespace": null + }, + { + "name": "text-rendering", + "namespace": null + }, + { + "name": "title", + "namespace": null + }, + { + "name": "transform", + "namespace": null + }, + { + "name": "transform-origin", + "namespace": null + }, + { + "name": "unicode-bidi", + "namespace": null + }, + { + "name": "vector-effect", + "namespace": null + }, + { + "name": "visibility", + "namespace": null + }, + { + "name": "white-space", + "namespace": null + }, + { + "name": "word-spacing", + "namespace": null + }, + { + "name": "writing-mode", + "namespace": null + } + ], + "comments": false, + "dataAttributes": false +} +

                                    The built-in navigating URL attributes list is a list of pairs of a SanitizerElementNamespace and a SanitizerAttributeNamespace:

                                    From 0e2144f835bdbd33713bcd9da2780c146387223a Mon Sep 17 00:00:00 2001
                                    From: Noam Rosenthal
                                    Date: Wed, 22 Apr 2026 11:44:15 +0100
                                    Subject: [PATCH 19/35] Add intro h

                                    ---
                                     source | 8 ++++++--
                                     1 file changed, 6 insertions(+), 2 deletions(-)

                                    diff --git a/source b/source
                                    index 41ace5cf09e..ac80eae17bd 100644
                                    --- a/source
                                    +++ b/source
                                    @@ -125641,6 +125641,8 @@ interface XMLSerializer {

                                    HTML sanitization

                                    +

                                    Introduction

                                    +

                                    Web applications often need to work with strings of HTML on the client side, perhaps as part of
                                    @@ -127190,7 +127192,8 @@ dictionary SanitizerConfig {

                                    Sanitization constants

                                    -

                                    The built-in safe baseline configuration is the result of parsing the following JSON string:

                                    +

                                    The built-in safe baseline configuration is the result of parsing the following JSON string:

                                    
                                     {
                                    @@ -127317,7 +127320,8 @@ dictionary SanitizerConfig {
                                     }
                                       
                                    -

                                    The built-in safe default configuration is the result of parse a JSON string to an Infra value on the following JSON string:

                                    +

                                    The built-in safe default configuration is the result of parsing on the following JSON string:

                                    
                                     {
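Review bot: The reworded sentence for the built-in safe default configuration keeps a stray "on": it now reads "is the result of parsing on the following JSON string". The baseline sentence changed in the previous hunk reads "is the result of parsing the following JSON string", so the two definitions should use the same wording: `The built-in safe default configuration is the result of parsing the following JSON string:`. The markup is not visible in this rendering, so please also confirm that "parsing" still links to the JSON-to-Infra parsing algorithm that the removed wording named.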
                                    
                                    From 5112500d0e36d6ab15bbae374db46c4c588b0459 Mon Sep 17 00:00:00 2001
                                    From: Noam Rosenthal 
                                    Date: Wed, 22 Apr 2026 12:27:37 +0100
                                    Subject: [PATCH 20/35] Use JSON also for the other built-ins
                                    
                                    ---
                                     source | 123 +++++++++++++++++++++++++++------------------------------
                                     1 file changed, 59 insertions(+), 64 deletions(-)
                                    
                                    diff --git a/source b/source
                                    index ac80eae17bd..163b13bd9b9 100644
                                    --- a/source
                                    +++ b/source
                                    @@ -128682,73 +128682,68 @@ dictionary SanitizerConfig {
                                     }
                                       
                                    -

                                    The built-in navigating URL attributes list is a list of pairs of a - SanitizerElementNamespace and a SanitizerAttributeNamespace:

                                    +

                                    The built-in navigating URL attributes list is the result of parsing the following JSON string:

                                    -
                                      -
                                    • ({ name: "a", _namespace: HTML namespace - }, { name: "href", _namespace: null })

                                    • -
                                    • ({ name: "area", _namespace: HTML namespace - }, { name: "href", _namespace: null })

                                    • -
                                    • ({ name: "form", _namespace: HTML namespace - }, { name: "action", _namespace: null })

                                    • -
                                    • ({ name: "input", _namespace: HTML namespace - }, { name: "formaction", _namespace: null })

                                    • -
                                    • ({ name: "button", _namespace: HTML namespace - }, { name: "formaction", _namespace: null })

                                    • -
                                    +
                                    
                                    +[
                                    +  [
                                    +    { "name": "a", "namespace": "http://www.w3.org/1999/xhtml" },
                                    +    { "name": "href", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "area", "namespace": "http://www.w3.org/1999/xhtml" },
                                    +    { "name": "href", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "base", "namespace": "http://www.w3.org/1999/xhtml" },
                                    +    { "name": "href", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "button", "namespace": "http://www.w3.org/1999/xhtml" },
                                    +    { "name": "formaction", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "form", "namespace": "http://www.w3.org/1999/xhtml" },
                                    +    { "name": "action", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "input", "namespace": "http://www.w3.org/1999/xhtml" },
                                    +    { "name": "formaction", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "a", "namespace": "http://www.w3.org/2000/svg" },
                                    +    { "name": "href", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "a", "namespace": "http://www.w3.org/2000/svg" },
                                    +    { "name": "href", "namespace": "http://www.w3.org/1999/xlink" }
                                    +  ]
                                    +]
                                    +  
                                    -

                                    The built-in animating URL attributes list is a list of pairs of a - SanitizerElementNamespace and a SanitizerAttributeNamespace:

                                    -
                                      -
                                    • ({ name: "animate", _namespace: SVG namespace }, - { name: "href", _namespace: null })

                                    • -
                                    • ({ name: "animate", _namespace: SVG namespace }, - { name: "xlink:href", _namespace: - "http://www.w3.org/1999/xlink" })

                                    • -
                                    • ({ name: "animateMotion", _namespace: SVG namespace }, - { name: "href", _namespace: null })

                                    • -
                                    • ({ name: "animateMotion", _namespace: SVG namespace }, - { name: "xlink:href", _namespace: - "http://www.w3.org/1999/xlink" })

                                    • -
                                    • ({ name: "animateTransform", - _namespace: SVG - namespace }, { name: "href", - _namespace: null })

                                    • -
                                    • ({ name: "animateTransform", - _namespace: SVG - namespace }, { name: - "xlink:href", _namespace: - "http://www.w3.org/1999/xlink" })

                                    • -
                                    • ({ name: "set", _namespace: SVG namespace }, - { name: "href", _namespace: null })

                                    • -
                                    • ({ name: "set", _namespace: SVG namespace }, - { name: "xlink:href", _namespace: - "http://www.w3.org/1999/xlink" })

                                    • -
                                    +

                                    The built-in animating URL attributes list is the result of parse a JSON string to an Infra value on the following JSON + string:

                                    + +
                                    
                                    +[
                                    +  [
                                    +    { "name": "animate", "namespace": "http://www.w3.org/2000/svg" },
                                    +    { "name": "attributeName", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "animateTransform", "namespace": "http://www.w3.org/2000/svg" },
                                    +    { "name": "attributeName", "namespace": null }
                                    +  ],
                                    +  [
                                    +    { "name": "set", "namespace": "http://www.w3.org/2000/svg" },
                                    +    { "name": "attributeName", "namespace": null }
                                    +  ]
                                    +]
                                    +  
                                    +

                                    To remove an element From f40b92a7018e6f1ad50ad0e7f086194ba47cb957 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 23 Apr 2026 11:11:09 +0100 Subject: [PATCH 21/35] Use linked tables instead of json --- source | 2251 ++++++++++++++++++-------------------------------------- 1 file changed, 697 insertions(+), 1554 deletions(-) diff --git a/source b/source index 163b13bd9b9..4250f24f11e 100644 --- a/source +++ b/source @@ -4531,11 +4531,50 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
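Review bot: The new built-in animating URL attributes list has no entry for `animateMotion`, which the removed list covered, while the commit subject describes only a change of notation. The same hunk also replaces the `href`/`xlink:href` pairs with `attributeName` and adds `base` and the SVG `a` element (null-namespace and XLink `href`) to the navigating list, so the contents of both security-relevant lists change here, not just their format. If dropping `animateMotion` is intentional, state that in the commit message; otherwise add an `animateMotion`/`attributeName` pair in the SVG namespace next to `animate`, `animateTransform` and `set`. The animating-list sentence also reads "the result of parse a JSON string to an Infra value on", unlike the navigating-list sentence above it ("the result of parsing").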

                                  4. MathML annotation-xml element
                                  5. MathML math element
                                  6. MathML merror element
                                  7. +
                                  8. MathML mfrac element
                                  9. MathML mi element
                                  10. +
                                  11. MathML mmultiscripts element
                                  12. MathML mn element
                                  13. MathML mo element
                                  14. +
                                  15. MathML mover element
                                  16. +
                                  17. MathML mpadded element
                                  18. +
                                  19. MathML mphantom element
                                  20. +
                                  21. MathML mprescripts element
                                  22. +
                                  23. MathML mroot element
                                  24. +
                                  25. MathML mrow element
                                  26. MathML ms element
                                  27. +
                                  28. MathML mspace element
                                  29. +
                                  30. MathML msqrt element
                                  31. +
                                  32. MathML mstyle element
                                  33. +
                                  34. MathML msub element
                                  35. +
                                  36. MathML msubsup element
                                  37. +
                                  38. MathML msup element
                                  39. +
                                  40. MathML mtable element
                                  41. +
                                  42. MathML mtd element
                                  43. MathML mtext element
                                  44. +
                                  45. MathML mtr element
                                  46. +
                                  47. MathML munder element
                                  48. +
                                  49. MathML munderover element
                                  50. +
                                  51. MathML semantics element
                                  52. +
                                  53. MathML accent attribute
                                  54. +
                                  55. MathML accentunder attribute
                                  56. +
                                  57. MathML columnspan attribute
                                  58. +
                                  59. MathML depth attribute
                                  60. +
                                  61. MathML fence attribute
                                  62. +
                                  63. MathML form attribute
                                  64. +
                                  65. MathML height attribute
                                  66. +
                                  67. MathML largeop attribute
                                  68. +
                                  69. MathML lspace attribute
                                  70. +
                                  71. MathML maxsize attribute
                                  72. +
                                  73. MathML minsize attribute
                                  74. +
                                  75. MathML movablelimits attribute
                                  76. +
                                  77. MathML rowspan attribute
                                  78. +
                                  79. MathML rspace attribute
                                  80. +
                                  81. MathML separator attribute
                                  82. +
                                  83. MathML stretchy attribute
                                  84. +
                                  85. MathML symmetric attribute
                                  86. +
                                  87. MathML voffset attribute
                                  88. +
                                  89. MathML width attribute
                                  90. @@ -4558,14 +4597,69 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
                                  91. SVGImageElement interface
                                  92. SVGScriptElement interface
                                  93. SVGSVGElement interface
                                  94. -
                                  95. SVG a element
                                  96. -
                                  97. SVG desc element
                                  98. -
                                  99. SVG foreignObject element
                                  100. -
                                  101. SVG image element
                                  102. -
                                  103. SVG script element
                                  104. -
                                  105. SVG svg element
                                  106. -
                                  107. SVG title element
                                  108. -
                                  109. SVG use element
                                  110. +
                                  111. SVG a element
                                  112. +
                                  113. SVG animate element
                                  114. +
                                  115. SVG animateTransform element
                                  116. +
                                  117. SVG circle element
                                  118. +
                                  119. SVG defs element
                                  120. +
                                  121. SVG desc element
                                  122. +
                                  123. SVG ellipse element
                                  124. +
                                  125. SVG foreignObject element
                                  126. +
                                  127. SVG g element
                                  128. +
                                  129. SVG image element
                                  130. +
                                  131. SVG line element
                                  132. +
                                  133. SVG marker element
                                  134. +
                                  135. SVG metadata element
                                  136. +
                                  137. The SVG path element
                                  138. +
                                  139. SVG polygon element
                                  140. +
                                  141. SVG polyline element
                                  142. +
                                  143. SVG rect element
                                  144. +
                                  145. SVG script element
                                  146. +
                                  147. SVG set element
                                  148. +
                                  149. SVG svg element
                                  150. +
                                  151. SVG text element
                                  152. +
                                  153. SVG textPath element
                                  154. +
                                  155. SVG title element
                                  156. +
                                  157. SVG tspan element
                                  158. +
                                  159. SVG use element
                                  160. +
                                  161. SVG action attribute
                                  162. +
                                  163. SVG attributeName attribute
                                  164. +
                                  165. SVG cx attribute
                                  166. +
                                  167. SVG cy attribute
                                  168. +
                                  169. SVG d attribute
                                  170. +
                                  171. SVG dx attribute
                                  172. +
                                  173. SVG dy attribute
                                  174. +
                                  175. SVG formaction attribute
                                  176. +
                                  177. SVG height attribute
                                  178. +
                                  179. SVG href attribute
                                  180. +
                                  181. SVG lengthAdjust attribute
                                  182. +
                                  183. SVG markerHeight attribute
                                  184. +
                                  185. SVG markerUnits attribute
                                  186. +
                                  187. SVG markerWidth attribute
                                  188. +
                                  189. SVG method attribute
                                  190. +
                                  191. SVG orient attribute
                                  192. +
                                  193. SVG path attribute
                                  194. +
                                  195. SVG pathLength attribute
                                  196. +
                                  197. SVG points attribute
                                  198. +
                                  199. SVG preserveAspectRatio attribute
                                  200. +
                                  201. SVG r attribute
                                  202. +
                                  203. SVG refX attribute
                                  204. +
                                  205. SVG refY attribute
                                  206. +
                                  207. SVG rotate attribute
                                  208. +
                                  209. SVG rx attribute
                                  210. +
                                  211. SVG ry attribute
                                  212. +
                                  213. SVG side attribute
                                  214. +
                                  215. SVG spacing attribute
                                  216. +
                                  217. SVG startOffset attribute
                                  218. +
                                  219. SVG textLength attribute
                                  220. +
                                  221. SVG viewBox attribute
                                  222. +
                                  223. SVG width attribute
                                  224. +
                                  225. SVG x attribute
                                  226. +
                                  227. SVG x1 attribute
                                  228. +
                                  229. SVG x2 attribute
                                  230. +
                                  231. SVG y attribute
                                  232. +
                                  233. SVG y1 attribute
                                  234. +
                                  235. SVG y2 attribute
                                  236. SVG text-rendering property
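Review bot: The added SVG dependency entries include "SVG action attribute" and "SVG formaction attribute", but `action` and `formaction` are HTML form-submission attributes and, as far as I know, SVG defines neither. They look as if they were generated from the union of attribute names used in the sanitizer tables; if so, those two entries should point at the HTML definitions so the cross-reference does not resolve to a non-existent SVG term. As a smaller point, "The SVG path element" is the only entry with a leading "The"; `SVG path element` would match its neighbours. The link targets are not visible in this rendering, so this is based on the entry text alone.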
                                  237. @@ -127192,1557 +127286,606 @@ dictionary SanitizerConfig {

                                    Sanitization constants

                                    -

                                    The built-in safe baseline configuration is the result of parsing the following JSON string:

                                    +

                                    The built-in safe baseline configuration is a SanitizerConfig with its + removeElementscorresponding to the + following table:

                                    -
                                    
                                    -{
                                    -  "removeElements": [
                                    -    {
                                    -      "namespace": "http://www.w3.org/1999/xhtml",
                                    -      "name": "embed"
                                    -    },
                                    -    {
                                    -      "namespace": "http://www.w3.org/1999/xhtml",
                                    -      "name": "frame"
                                    -    },
                                    -    {
                                    -      "namespace": "http://www.w3.org/1999/xhtml",
                                    -      "name": "iframe"
                                    -    },
                                    -    {
                                    -      "namespace": "http://www.w3.org/1999/xhtml",
                                    -      "name": "object"
                                    -    },
                                    -    {
                                    -      "namespace": "http://www.w3.org/1999/xhtml",
                                    -      "name": "script"
                                    -    },
                                    -    {
                                    -      "namespace": "http://www.w3.org/2000/svg",
                                    -      "name": "script"
                                    -    },
                                    -    {
                                    -      "namespace": "http://www.w3.org/2000/svg",
                                    -      "name": "use"
                                    -    }
                                    -  ],
                                    -  "removeAttributes": [
                                    -    "onafterprint",
                                    -    "onauxclick",
                                    -    "onbeforeinput",
                                    -    "onbeforematch",
                                    -    "onbeforeprint",
                                    -    "onbeforeunload",
                                    -    "onbeforetoggle",
                                    -    "onblur",
                                    -    "oncancel",
                                    -    "oncanplay",
                                    -    "oncanplaythrough",
                                    -    "onchange",
                                    -    "onclick",
                                    -    "onclose",
                                    -    "oncontextlost",
                                    -    "oncontextmenu",
                                    -    "oncontextrestored",
                                    -    "oncopy",
                                    -    "oncuechange",
                                    -    "oncut",
                                    -    "ondblclick",
                                    -    "ondrag",
                                    -    "ondragend",
                                    -    "ondragenter",
                                    -    "ondragleave",
                                    -    "ondragover",
                                    -    "ondragstart",
                                    -    "ondrop",
                                    -    "ondurationchange",
                                    -    "onemptied",
                                    -    "onended",
                                    -    "onerror",
                                    -    "onfocus",
                                    -    "onformdata",
                                    -    "onhashchange",
                                    -    "oninput",
                                    -    "oninvalid",
                                    -    "onkeydown",
                                    -    "onkeypress",
                                    -    "onkeyup",
                                    -    "onlanguagechange",
                                    -    "onload",
                                    -    "onloadeddata",
                                    -    "onloadedmetadata",
                                    -    "onloadstart",
                                    -    "onmessage",
                                    -    "onmessageerror",
                                    -    "onmousedown",
                                    -    "onmouseenter",
                                    -    "onmouseleave",
                                    -    "onmousemove",
                                    -    "onmouseout",
                                    -    "onmouseover",
                                    -    "onmouseup",
                                    -    "onoffline",
                                    -    "ononline",
                                    -    "onpagehide",
                                    -    "onpagereveal",
                                    -    "onpageshow",
                                    -    "onpageswap",
                                    -    "onpaste",
                                    -    "onpause",
                                    -    "onplay",
                                    -    "onplaying",
                                    -    "onpopstate",
                                    -    "onprogress",
                                    -    "onratechange",
                                    -    "onreset",
                                    -    "onresize",
                                    -    "onrejectionhandled",
                                    -    "onscroll",
                                    -    "onscrollend",
                                    -    "onsecuritypolicyviolation",
                                    -    "onseeked",
                                    -    "onseeking",
                                    -    "onselect",
                                    -    "onslotchange",
                                    -    "onstalled",
                                    -    "onstorage",
                                    -    "onsubmit",
                                    -    "onsuspend",
                                    -    "ontimeupdate",
                                    -    "ontoggle",
                                    -    "onunhandledrejection",
                                    -    "onunload",
                                    -    "onvolumechange",
                                    -    "onwaiting",
                                    -    "onwheel"
                                    -  ]
                                    -}
                                    -  
                                    +
      + + + + + + + + + + +
      Name + Namespace +
      embed + HTML +
      frame + HTML +
      iframe + HTML +
      object + HTML +
      script + HTML +
      script + SVG +
      use + SVG +
      -

      The built-in safe default configuration is the result of parsing on the following JSON string:

      +

      and the following removeAttributes + list:

      -
      
      -{
      -  "elements": [
      -    {
      -      "name": "math",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "merror",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mfrac",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mi",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mmultiscripts",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mn",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mo",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": [
      -        {
      -          "name": "fence",
      -          "namespace": null
      -        },
      -        {
      -          "name": "form",
      -          "namespace": null
      -        },
      -        {
      -          "name": "largeop",
      -          "namespace": null
      -        },
      -        {
      -          "name": "lspace",
      -          "namespace": null
      -        },
      -        {
      -          "name": "maxsize",
      -          "namespace": null
      -        },
      -        {
      -          "name": "minsize",
      -          "namespace": null
      -        },
      -        {
      -          "name": "movablelimits",
      -          "namespace": null
      -        },
      -        {
      -          "name": "rspace",
      -          "namespace": null
      -        },
      -        {
      -          "name": "separator",
      -          "namespace": null
      -        },
      -        {
      -          "name": "stretchy",
      -          "namespace": null
      -        },
      -        {
      -          "name": "symmetric",
      -          "namespace": null
      -        }
      -      ]
      -    },
      -    {
      -      "name": "mover",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": [
      -        {
      -          "name": "accent",
      -          "namespace": null
      -        }
      -      ]
      -    },
      -    {
      -      "name": "mpadded",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": [
      -        {
      -          "name": "depth",
      -          "namespace": null
      -        },
      -        {
      -          "name": "height",
      -          "namespace": null
      -        },
      -        {
      -          "name": "lspace",
      -          "namespace": null
      -        },
      -        {
      -          "name": "voffset",
      -          "namespace": null
      -        },
      -        {
      -          "name": "width",
      -          "namespace": null
      -        }
      -      ]
      -    },
      -    {
      -      "name": "mphantom",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mprescripts",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mroot",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mrow",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "ms",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mspace",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": [
      -        {
      -          "name": "depth",
      -          "namespace": null
      -        },
      -        {
      -          "name": "height",
      -          "namespace": null
      -        },
      -        {
      -          "name": "width",
      -          "namespace": null
      -        }
      -      ]
      -    },
      -    {
      -      "name": "msqrt",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mstyle",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "msub",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "msubsup",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "msup",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mtable",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mtd",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": [
      -        {
      -          "name": "columnspan",
      -          "namespace": null
      -        },
      -        {
      -          "name": "rowspan",
      -          "namespace": null
      -        }
      -      ]
      -    },
      -    {
      -      "name": "mtext",
      -      "namespace": "http://www.w3.org/1998/Math/MathML",
      -      "attributes": []
      -    },
      -    {
      -      "name": "mtr",
      +  
        +
      • onafterprint
      • +
      • onauxclick
      • +
      • onbeforeinput
      • +
      • onbeforematch
      • +
      • onbeforeprint
      • +
      • onbeforeunload
      • +
      • onbeforetoggle
      • +
      • onblur
      • +
      • oncancel
      • +
      • oncanplay
      • +
      • oncanplaythrough
      • +
      • onchange
      • +
      • onclick
      • +
      • onclose
      • +
      • oncontextlost
      • +
      • oncontextmenu
      • +
      • oncontextrestored
      • +
      • oncopy
      • +
      • oncuechange
      • +
      • oncut
      • +
      • ondblclick
      • +
      • ondrag
      • +
      • ondragend
      • +
      • ondragenter
      • +
      • ondragleave
      • +
      • ondragover
      • +
      • ondragstart
      • +
      • ondrop
      • +
      • ondurationchange
      • +
      • onemptied
      • +
      • onended
      • +
      • onerror
      • +
      • onfocus
      • +
      • onformdata
      • +
      • onhashchange
      • +
      • oninput
      • +
      • oninvalid
      • +
      • onkeydown
      • +
      • onkeypress
      • +
      • onkeyup
      • +
      • onlanguagechange
      • +
      • onload
      • +
      • onloadeddata
      • +
      • onloadedmetadata
      • +
      • onloadstart
      • +
      • onmessage
      • +
      • onmessageerror
      • +
      • onmousedown
      • +
      • onmouseenter
      • +
      • onmouseleave
      • +
      • onmousemove
      • +
      • onmouseout
      • +
      • onmouseover
      • +
      • onmouseup
      • +
      • onoffline
      • +
      • ononline
      • +
      • onpagehide
      • +
      • onpagereveal
      • +
      • onpageshow
      • +
      • onpagesswap
      • +
      • onpaste
      • +
      • onpause
      • +
      • onplay
      • +
      • onplaying
      • +
      • onpopstate
      • +
      • onprogress
      • +
      • onratechange
      • +
      • onreset
      • +
      • onresize
      • +
      • onrejectionhandled
      • +
      • onscroll
      • +
      • onscrollend
      • +
      • onsecuritypolicyviolation
      • +
      • onseeked
      • +
      • onseeking
      • +
      • onselect
      • +
      • onslotchange
      • +
      • onstalled
      • +
      • onstorage
      • +
      • onsubmit
      • +
      • onsuspend
      • +
      • ontimeupdate
      • +
      • ontoggle
      • +
      • onunhandledrejection
      • +
      • onunload
      • +
      • onvolumechange
      • +
      • onwaiting
      • +
      • onwheel
      • +
      -"namespace": "http://www.w3.org/1998/Math/MathML", - "attributes": [] - }, - { - "name": "munder", - "namespace": "http://www.w3.org/1998/Math/MathML", - "attributes": [ - { - "name": "accentunder", - "namespace": null - } - ] - }, - { - "name": "munderover", - "namespace": "http://www.w3.org/1998/Math/MathML", - "attributes": [ - { - "name": "accent", - "namespace": null - }, - { - "name": "accentunder", - "namespace": null - } - ] - }, - { - "name": "semantics", - "namespace": "http://www.w3.org/1998/Math/MathML", - "attributes": [] - }, - { - "name": "a", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "href", - "namespace": null - }, - { - "name": "hreflang", - "namespace": null - }, - { - "name": "type", - "namespace": null - } - ] - }, - { - "name": "abbr", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "address", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "article", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "aside", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "b", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "bdi", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "bdo", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "blockquote", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "cite", - "namespace": null - } - ] - }, - { - "name": "body", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "br", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "caption", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "cite", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "code", - 
"namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "col", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "span", - "namespace": null - } - ] - }, - { - "name": "colgroup", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "span", - "namespace": null - } - ] - }, - { - "name": "data", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "value", - "namespace": null - } - ] - }, - { - "name": "dd", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "del", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "cite", - "namespace": null - }, - { - "name": "datetime", - "namespace": null - } - ] - }, - { - "name": "dfn", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "div", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "dl", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "dt", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "em", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "figcaption", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "figure", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "footer", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "h1", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { +

      The built-in safe default configuration is a SanitizerConfig with its + elements list corresponding to the following + table:

      -"name": "h2", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "h3", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "h4", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "h5", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "h6", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "head", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "header", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "hgroup", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "hr", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "html", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "i", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "ins", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "cite", - "namespace": null - }, - { - "name": "datetime", - "namespace": null - } - ] - }, - { - "name": "kbd", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "li", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "value", - "namespace": null - } - ] - }, - { - "name": "main", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "mark", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "menu", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "nav", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "ol", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "reversed", - "namespace": null - }, - { - "name": "start", - "namespace": null - }, - { - 
"name": "type", - "namespace": null - } - ] - }, - { - "name": "p", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "pre", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "q", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "rp", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "rt", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "ruby", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "s", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "samp", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "search", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "section", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "small", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "span", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "strong", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "sub", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "sup", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "table", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "tbody", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "td", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - -"name": "colspan", - "namespace": null - }, - { - "name": "headers", - "namespace": null - }, - { - "name": "rowspan", - "namespace": null - } - ] - }, - { - "name": "tfoot", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "th", - "namespace": 
"http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "abbr", - "namespace": null - }, - { - "name": "colspan", - "namespace": null - }, - { - "name": "headers", - "namespace": null - }, - { - "name": "rowspan", - "namespace": null - }, - { - "name": "scope", - "namespace": null - } - ] - }, - { - "name": "thead", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "time", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [ - { - "name": "datetime", - "namespace": null - } - ] - }, - { - "name": "title", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "tr", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "u", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "ul", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "var", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "wbr", - "namespace": "http://www.w3.org/1999/xhtml", - "attributes": [] - }, - { - "name": "a", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "href", - "namespace": null - }, - { - "name": "hreflang", - "namespace": null - }, - { - "name": "type", - "namespace": null - } - ] - }, - { - "name": "circle", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "cx", - "namespace": null - }, - { - "name": "cy", - "namespace": null - }, - { - "name": "pathLength", - "namespace": null - }, - { - "name": "r", - "namespace": null - } - ] - }, - { - "name": "defs", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [] - }, - { - "name": "desc", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [] - }, - { - "name": "ellipse", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "cx", - "namespace": null - }, - { - "name": "cy", - "namespace": null - }, - { - "name": "pathLength", - 
"namespace": null - }, - { - "name": "rx", - "namespace": null - }, - { - "name": "ry", - "namespace": null - } - ] - }, - { - "name": "foreignObject", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "height", - "namespace": null - }, - { - "name": "width", - "namespace": null - }, - { - "name": "x", - "namespace": null - }, - { - "name": "y", - "namespace": null - } - ] - }, - { - "name": "g", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [] - }, - { - "name": "line", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "pathLength", - "namespace": null - }, - { - "name": "x1", - "namespace": null - }, - { - "name": "x2", - "namespace": null - }, - { - "name": "y1", - "namespace": null - }, - { - "name": "y2", - "namespace": null - } - ] - }, - { - "name": "marker", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "markerHeight", - "namespace": null - }, - { - "name": "markerUnits", - -"namespace": null - }, - { - "name": "markerWidth", - "namespace": null - }, - { - "name": "orient", - "namespace": null - }, - { - "name": "preserveAspectRatio", - "namespace": null - }, - { - "name": "refX", - "namespace": null - }, - { - "name": "refY", - "namespace": null - }, - { - "name": "viewBox", - "namespace": null - } - ] - }, - { - "name": "metadata", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [] - }, - { - "name": "path", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "d", - "namespace": null - }, - { - "name": "pathLength", - "namespace": null - } - ] - }, - { - "name": "polygon", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "pathLength", - "namespace": null - }, - { - "name": "points", - "namespace": null - } - ] - }, - { - "name": "polyline", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "pathLength", - "namespace": null - }, - { - "name": "points", - "namespace": 
null - } - ] - }, - { - "name": "rect", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "height", - "namespace": null - }, - { - "name": "pathLength", - "namespace": null - }, - { - "name": "rx", - "namespace": null - }, - { - "name": "ry", - "namespace": null - }, - { - "name": "width", - "namespace": null - }, - { - "name": "x", - "namespace": null - }, - { - "name": "y", - "namespace": null - } - ] - }, - { - "name": "svg", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "height", - "namespace": null - }, - { - "name": "preserveAspectRatio", - "namespace": null - }, - { - "name": "viewBox", - "namespace": null - }, - { - "name": "width", - "namespace": null - }, - { - "name": "x", - "namespace": null - }, - { - "name": "y", - "namespace": null - } - ] - }, - { - "name": "text", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "dx", - "namespace": null - }, - { - "name": "dy", - "namespace": null - }, - { - "name": "lengthAdjust", - "namespace": null - }, - { - "name": "rotate", - "namespace": null - }, - { - "name": "textLength", - "namespace": null - }, - { - "name": "x", - "namespace": null - }, - { - "name": "y", - "namespace": null - } - ] - }, - { - "name": "textPath", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "lengthAdjust", - "namespace": null - }, - { - "name": "method", - "namespace": null - }, - { - "name": "path", - "namespace": null - }, - { - "name": "side", - "namespace": null - }, - { - "name": "spacing", - "namespace": null - }, - { - "name": "startOffset", - "namespace": null - }, - { - "name": "textLength", - "namespace": null - } - ] - }, - { - "name": "title", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [] - }, - { - "name": "tspan", - "namespace": "http://www.w3.org/2000/svg", - "attributes": [ - { - "name": "dx", - "namespace": null - }, - { - "name": "dy", - "namespace": null - }, - { - "name": 
"lengthAdjust", - "namespace": null - }, - { - "name": "rotate", - "namespace": null - }, - -{ - "name": "textLength", - "namespace": null - }, - { - "name": "x", - "namespace": null - }, - { - "name": "y", - "namespace": null - } - ] - } - ], - "processingInstructions": [], - "attributes": [ - { - "name": "alignment-baseline", - "namespace": null - }, - { - "name": "baseline-shift", - "namespace": null - }, - { - "name": "clip-path", - "namespace": null - }, - { - "name": "clip-rule", - "namespace": null - }, - { - "name": "color", - "namespace": null - }, - { - "name": "color-interpolation", - "namespace": null - }, - { - "name": "cursor", - "namespace": null - }, - { - "name": "dir", - "namespace": null - }, - { - "name": "direction", - "namespace": null - }, - { - "name": "display", - "namespace": null - }, - { - "name": "displaystyle", - "namespace": null - }, - { - "name": "dominant-baseline", - "namespace": null - }, - { - "name": "fill", - "namespace": null - }, - { - "name": "fill-opacity", - "namespace": null - }, - { - "name": "fill-rule", - "namespace": null - }, - { - "name": "font-family", - "namespace": null - }, - { - "name": "font-size", - "namespace": null - }, - { - "name": "font-size-adjust", - "namespace": null - }, - { - "name": "font-stretch", - "namespace": null - }, - { - "name": "font-style", - "namespace": null - }, - { - "name": "font-variant", - "namespace": null - }, - { - "name": "font-weight", - "namespace": null - }, - { - "name": "lang", - "namespace": null - }, - { - "name": "letter-spacing", - "namespace": null - }, - { - "name": "marker-end", - "namespace": null - }, - { - "name": "marker-mid", - "namespace": null - }, - { - "name": "marker-start", - "namespace": null - }, - { - "name": "mathbackground", - "namespace": null - }, - { - "name": "mathcolor", - "namespace": null - }, - { - "name": "mathsize", - "namespace": null - }, - { - "name": "opacity", - "namespace": null - }, - { - "name": "paint-order", - "namespace": null - 
}, - { - "name": "pointer-events", - "namespace": null - }, - { - "name": "scriptlevel", - "namespace": null - }, - { - "name": "shape-rendering", - "namespace": null - }, - { - "name": "stop-color", - "namespace": null - }, - { - "name": "stop-opacity", - "namespace": null - }, - { - "name": "stroke", - "namespace": null - }, - { - "name": "stroke-dasharray", - "namespace": null - }, - { - "name": "stroke-dashoffset", - "namespace": null - }, - { - "name": "stroke-linecap", - "namespace": null - }, - { - "name": "stroke-linejoin", - "namespace": null - }, - { - "name": "stroke-miterlimit", - "namespace": null - }, - { - "name": "stroke-opacity", - "namespace": null - }, - { - "name": "stroke-width", - "namespace": null - }, - { - "name": "text-anchor", - "namespace": null - }, - { - "name": "text-decoration", - "namespace": null - }, - { - "name": "text-overflow", - "namespace": null - }, - { - "name": "text-rendering", - "namespace": null - }, - { - "name": "title", - "namespace": null - }, - { - "name": "transform", - "namespace": null - }, - { - "name": "transform-origin", - "namespace": null - }, - { - "name": "unicode-bidi", - "namespace": null - }, - { - "name": "vector-effect", - "namespace": null - }, - { - "name": "visibility", - "namespace": null - }, - { - "name": "white-space", - "namespace": null - }, - { - "name": "word-spacing", - "namespace": null - }, - { - "name": "writing-mode", - "namespace": null - } - ], - "comments": false, - "dataAttributes": false -} -
      - -

      The built-in navigating URL attributes list is the result of parsing the following JSON string:

      - -
      
      -[
      -  [
      -    { "name": "a", "namespace": "http://www.w3.org/1999/xhtml" },
      -    { "name": "href", "namespace": null }
      -  ],
      -  [
      -    { "name": "area", "namespace": "http://www.w3.org/1999/xhtml" },
      -    { "name": "href", "namespace": null }
      -  ],
      -  [
      -    { "name": "base", "namespace": "http://www.w3.org/1999/xhtml" },
      -    { "name": "href", "namespace": null }
      -  ],
      -  [
      -    { "name": "button", "namespace": "http://www.w3.org/1999/xhtml" },
      -    { "name": "formaction", "namespace": null }
      -  ],
      -  [
      -    { "name": "form", "namespace": "http://www.w3.org/1999/xhtml" },
      -    { "name": "action", "namespace": null }
      -  ],
      -  [
      -    { "name": "input", "namespace": "http://www.w3.org/1999/xhtml" },
      -    { "name": "formaction", "namespace": null }
      -  ],
      -  [
      -    { "name": "a", "namespace": "http://www.w3.org/2000/svg" },
      -    { "name": "href", "namespace": null }
      -  ],
      -  [
      -    { "name": "a", "namespace": "http://www.w3.org/2000/svg" },
      -    { "name": "href", "namespace": "http://www.w3.org/1999/xlink" }
      -  ]
      -]
      -  
      - - -

      The built-in animating URL attributes list is the result of parse a JSON string to an Infra value on the following JSON - string:

      - -
      
      -[
      -  [
      -    { "name": "animate", "namespace": "http://www.w3.org/2000/svg" },
      -    { "name": "attributeName", "namespace": null }
      -  ],
      -  [
      -    { "name": "animateTransform", "namespace": "http://www.w3.org/2000/svg" },
      -    { "name": "attributeName", "namespace": null }
      -  ],
      -  [
      -    { "name": "set", "namespace": "http://www.w3.org/2000/svg" },
      -    { "name": "attributeName", "namespace": null }
      -  ]
      -]
      -  
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Element + Namespace + Allowed Attributes +
      math + MathML +
      merror + MathML +
      mfrac + MathML +
      mi + MathML +
      mmultiscripts + MathML +
      mn + MathML +
      mo + MathML + fence, form, largeop, lspace, maxsize, minsize, movablelimits, rspace, separator, stretchy, symmetric +
      mover + MathML + accent +
      mpadded + MathML + depth, height, lspace, voffset, width +
      mphantom + MathML +
      mprescripts + MathML +
      mroot + MathML +
      mrow + MathML +
      ms + MathML +
      mspace + MathML + depth, height, width +
      msqrt + MathML +
      mstyle + MathML +
      msub + MathML +
      msubsup + MathML +
      msup + MathML +
      mtable + MathML +
      mtd + MathML + columnspan, rowspan +
      mtext + MathML +
      mtr + MathML +
      munder + MathML + accentunder +
      munderover + MathML + accent, accentunder +
      semantics + MathML +
      a + HTML + href, hreflang, type +
      abbr + HTML +
      address + HTML +
      article + HTML +
      aside + HTML +
      b + HTML +
      bdi + HTML +
      bdo + HTML +
      blockquote + HTML + cite +
      body + HTML +
      br + HTML +
      caption + HTML +
      cite + HTML +
      code + HTML +
      col + HTML + span +
      colgroup + HTML + span +
      data + HTML + value +
      dd + HTML +
      del + HTML + cite, datetime +
      dfn + HTML +
      div + HTML +
      dl + HTML +
      dt + HTML +
      em + HTML +
      figcaption + HTML +
      figure + HTML +
      footer + HTML +
      h1 + HTML +
      h2 + HTML +
      h3 + HTML +
      h4 + HTML +
      h5 + HTML +
      h6 + HTML +
      head + HTML +
      header + HTML +
      hgroup + HTML +
      hr + HTML +
      html + HTML +
      i + HTML +
      ins + HTML + cite, datetime +
      kbd + HTML +
      li + HTML + value +
      main + HTML +
      mark + HTML +
      menu + HTML +
      nav + HTML +
      ol + HTML + reversed, start, type +
      p + HTML +
      pre + HTML +
      q + HTML +
      rp + HTML +
      rt + HTML +
      ruby + HTML +
      s + HTML +
      samp + HTML +
      search + HTML +
      section + HTML +
      small + HTML +
      span + HTML +
      strong + HTML +
      sub + HTML +
      sup + HTML +
      table + HTML +
      tbody + HTML +
      td + HTML + colspan, headers, rowspan +
      tfoot + HTML +
      th + HTML + abbr, colspan, headers, rowspan, scope +
      thead + HTML +
      time + HTML + datetime +
      title + HTML +
      tr + HTML +
      u + HTML +
      ul + HTML +
      var + HTML +
      wbr + HTML +
      a + SVG + href, hreflang, type +
      circle + SVG + cx, cy, pathLength, r +
      defs + SVG +
      desc + SVG +
      ellipse + SVG + cx, cy, pathLength, rx, ry +
      foreignObject + SVG + height, width, x, y +
      g + SVG +
      line + SVG + pathLength, x1, x2, y1, y2 +
      marker + SVG + markerHeight, markerUnits, markerWidth, orient, preserveAspectRatio, refX, refY, viewBox +
      metadata + SVG +
      path + SVG + d, pathLength +
      polygon + SVG + pathLength, points +
      polyline + SVG + pathLength, points +
      rect + SVG + height, pathLength, rx, ry, width, x, y +
      svg + SVG + height, preserveAspectRatio, viewBox, width, x, y +
      text + SVG + dx, dy, lengthAdjust, rotate, textLength, x, y +
      textPath + SVG + lengthAdjust, method, path, side, spacing, startOffset, textLength +
      title + SVG +
      tspan + SVG + dx, dy, lengthAdjust, rotate, textLength, x, y +
      + +

      The built-in navigating URL attributes list corresponds to theh following table:

      + + + + + + + + + + + + +
      Element + Element Namespace + Attribute + Attribute Namespace +
      a + HTML + href, hreflang, type +
      area + HTML + href +
      base + HTML + href +
      button + HTML + formaction +
      form + HTML + action +
      input + HTML + formaction +
      a + SVG + href + XLink namespace +
      + + +

      The built-in animating URL attributes list corrsponds to the following table:

      + + + + + + + + +
      Element + Element Namespace + Attribute +
      animate + SVG + attributeName +
      animateTransform + SVG + attributeName +
      set + SVG + attributeName +
      From 65cf74cebb8fe94c7fc4f2c879b56b6a774db40e Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 23 Apr 2026 14:09:52 +0100 Subject: [PATCH 22/35] refs --- source | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source b/source index 4250f24f11e..b164260439e 100644 --- a/source +++ b/source @@ -127847,15 +127847,15 @@ dictionary SanitizerConfig { button HTML - formaction + formaction form HTML - action + action input HTML - formaction + formaction a SVG From a4cc0fbed5f2064eddacafa9367f8bfcbc19d102 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 23 Apr 2026 14:30:28 +0100 Subject: [PATCH 23/35] nits --- source | 137 ++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 91 insertions(+), 46 deletions(-) diff --git a/source b/source index b164260439e..c4829b4ae9f 100644 --- a/source +++ b/source @@ -127287,7 +127287,7 @@ dictionary SanitizerConfig {

      Sanitization constants

      The built-in safe baseline configuration is a SanitizerConfig with its - removeElementscorresponding to the + removeElements corresponding to the following table:

      @@ -127382,7 +127382,7 @@ dictionary SanitizerConfig {
    8. onpagehide
    9. onpagereveal
    10. onpageshow
    11. -
    12. onpagesswap
    13. +
    14. onpageswap
    15. onpaste
    16. onpause
    17. onplay
    18. @@ -127427,21 +127427,27 @@ dictionary SanitizerConfig { + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      math MathML +
      merror MathML +
      mfrac MathML +
      mi MathML +
      mmultiscripts MathML +
      mn MathML +
      mo MathML @@ -127457,18 +127463,23 @@ dictionary SanitizerConfig {
      mphantom MathML +
      mprescripts MathML +
      mroot MathML +
      mrow MathML +
      ms MathML +
      mspace MathML @@ -127476,21 +127487,27 @@ dictionary SanitizerConfig {
      msqrt MathML +
      mstyle MathML +
      msub MathML +
      msubsup MathML +
      msup MathML +
      mtable MathML +
      mtd MathML @@ -127498,9 +127515,11 @@ dictionary SanitizerConfig {
      mtext MathML +
      mtr MathML +
      munder MathML @@ -127512,6 +127531,7 @@ dictionary SanitizerConfig {
      semantics MathML +
      a HTML @@ -127519,43 +127539,56 @@ dictionary SanitizerConfig {
      abbr HTML +
      address HTML +
      article HTML +
      aside HTML +
      b HTML +
      bdi HTML +
      bdo HTML +
      blockquote HTML cite +
      body HTML +
      br HTML +
      caption HTML +
      cite HTML +
      code HTML +
      col HTML @@ -127571,6 +127604,7 @@ dictionary SanitizerConfig {
      dd HTML +
      del HTML @@ -127578,178 +127612,189 @@ dictionary SanitizerConfig {
      dfn HTML +
      div HTML +
      dl HTML +
      dt HTML +
      em HTML +
      figcaption HTML +
      figure HTML +
      footer HTML +
      h1 HTML +
      h2 HTML +
      h3 HTML +
      h4 HTML -
      h5 HTML -
      h6 HTML -
      head HTML -
      header HTML -
      hgroup HTML -
      hr HTML -
      html HTML -
      i HTML -
      ins HTML cite, datetime
      kbd HTML -
      li HTML value
      main HTML -
      mark HTML -
      menu HTML -
      nav HTML -
      ol HTML reversed, start, type
      p HTML -
      pre HTML -
      q HTML -
      rp HTML -
      rt HTML -
      ruby HTML -
      s HTML -
      samp HTML -
      search HTML -
      section HTML -
      small HTML -
      span HTML -
      strong HTML -
      sub HTML -
      sup HTML -
      table HTML -
      tbody HTML -
      td HTML colspan, headers, rowspan
      tfoot HTML -
      th HTML abbr, colspan, headers, rowspan, scope
      thead HTML -
      time HTML datetime
      title HTML -
      tr HTML -
      u HTML -
      ul HTML -
      var HTML -
      wbr HTML -
      a SVG href, hreflang, type @@ -127760,10 +127805,10 @@ dictionary SanitizerConfig {
      defs SVG -
      desc SVG -
      ellipse SVG cx, cy, pathLength, rx, ry @@ -127774,7 +127819,7 @@ dictionary SanitizerConfig {
      g SVG -
      line SVG pathLength, x1, x2, y1, y2 @@ -127785,7 +127830,7 @@ dictionary SanitizerConfig {
      metadata SVG -
      path SVG d, pathLength @@ -127816,7 +127861,7 @@ dictionary SanitizerConfig {
      title SVG -
      tspan SVG dx, dy, lengthAdjust, rotate, textLength, x, y From bfa078f42d3d8f413a78a7b6b9229396197f107a Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 23 Apr 2026 14:32:04 +0100 Subject: [PATCH 24/35] nits --- source | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source b/source index c4829b4ae9f..dd95a547447 100644 --- a/source +++ b/source @@ -127382,7 +127382,7 @@ dictionary SanitizerConfig {
    19. onpagehide
    20. onpagereveal
    21. onpageshow
    22. -
    23. onpageswap
    24. +
    25. onpageswap
    26. onpaste
    27. onpause
    28. onplay
    29. From 75524bf87da7152f4b2944506f8f565727c1e479 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 23 Apr 2026 16:11:36 +0100 Subject: [PATCH 25/35] Cleanup algorithms --- source | 249 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 125 insertions(+), 124 deletions(-) diff --git a/source b/source index dd95a547447..3358c638545 100644 --- a/source +++ b/source @@ -126580,7 +126580,7 @@ dictionary SanitizerConfig {
      1. Set element["attributes"] to the - result of remove duplicates from element["remove duplicates from element["attributes"].

      2. Set element["SanitizerConfig {

        1. Set element["removeAttributes"] - to the result of remove duplicates from element["remove duplicates from element["removeAttributes"].

        2. Set element["SanitizerConfig {

          1. Set element["attributes"] to the - result of remove duplicates from element["remove duplicates from element["attributes"].

          2. Set element["SanitizerConfig {

            1. Set element["removeAttributes"] - to the result of remove duplicates from element["remove duplicates from element["removeAttributes"].

            2. Set element["SanitizerConfig {

      Namespace Allowed Attributes
      math - MathML - -
      merror - MathML - -
      mfrac - MathML - -
      mi - MathML - -
      mmultiscripts - MathML - -
      mn - MathML - -
      mo - MathML - fence, form, largeop, lspace, maxsize, minsize, movablelimits, rspace, separator, stretchy, symmetric -
      mover - MathML - accent -
      mpadded - MathML - depth, height, lspace, voffset, width -
      mphantom - MathML - -
      mprescripts - MathML - -
      mroot - MathML - -
      mrow - MathML - -
      ms - MathML - -
      mspace - MathML - depth, height, width -
      msqrt - MathML - -
      mstyle - MathML - -
      msub - MathML - -
      msubsup - MathML - -
      msup - MathML - -
      mtable - MathML - -
      mtd - MathML - columnspan, rowspan -
      mtext - MathML - -
      mtr - MathML - -
      munder - MathML - accentunder -
      munderover - MathML - accent, accentunder -
      semantics - MathML -
      a HTML @@ -127794,7 +127686,116 @@ dictionary SanitizerConfig {
      wbr HTML -
      +
      math + MathML + +
      merror + MathML + +
      mfrac + MathML + +
      mi + MathML + +
      mmultiscripts + MathML + +
      mn + MathML + +
      mo + MathML + fence, form, largeop, lspace, maxsize, minsize, movablelimits, rspace, separator, stretchy, symmetric +
      mover + MathML + accent +
      mpadded + MathML + depth, height, lspace, voffset, width +
      mphantom + MathML + +
      mprescripts + MathML + +
      mroot + MathML + +
      mrow + MathML + +
      ms + MathML + +
      mspace + MathML + depth, height, width +
      msqrt + MathML + +
      mstyle + MathML + +
      msub + MathML + +
      msubsup + MathML + +
      msup + MathML + +
      mtable + MathML + +
      mtd + MathML + columnspan, rowspan +
      mtext + MathML + +
      mtr + MathML + +
      munder + MathML + accentunder +
      munderover + MathML + accent, accentunder +
      semantics + MathML + +
      a SVG href, hreflang, type @@ -127867,7 +127868,7 @@ dictionary SanitizerConfig { dx, dy, lengthAdjust, rotate, textLength, x, y
      -

      The built-in navigating URL attributes list corresponds to theh following table:

      +

      The built-in navigating URL attributes list corresponds to the following table:

      @@ -127881,26 +127882,32 @@ dictionary SanitizerConfig { + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      a HTML href, hreflang, type +
      area HTML href +
      base HTML href +
      button HTML formaction +
      form HTML action +
      input HTML formaction +
      a SVG @@ -128568,14 +128575,14 @@ dictionary SanitizerConfig {
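Review bot: The HTML `a` row of the navigating URL attributes table, carried here as context, still lists `href, hreflang, type`, but the JSON list this table replaced earlier in the series had only `href` for that element. `hreflang` and `type` are not navigated URLs, so the cell looks copied from the default-configuration table and should read `href`. The old list also had two SVG `a` entries, `href` with a null namespace and `href` in the XLink namespace, while the table seems to have a single SVG `a` row marked `XLink namespace`. If the un-namespaced `href` row was dropped, whatever sanitizer step consults this list would stop covering the common SVG link attribute. Please confirm against the markup, since cell boundaries are not visible in this rendering.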
      -

      To remove duplicates from a list list, run the following steps:

      +

      To remove duplicates from a list list, run the following steps:

      1. Let result be an empty list.

      2. For each item of list:

          -
        1. If result does not contain +

        2. If result does not contain item, then append item to result.

        @@ -128600,7 +128607,7 @@ dictionary SanitizerConfig {

        A list A is a subset of a list - B if A contains everyh + B if A contains every item in B.

        @@ -128613,7 +128620,7 @@ dictionary SanitizerConfig {
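Review bot: The definition touched by the hunk above (`-128600,7`) still reads backwards: `A is a subset of B if A contains every item in B` describes a superset. The new line only fixes the `everyh` typo. The condition should be along the lines of `B contains every item in A`, matching the usual meaning of the term. Where "is a subset" is used is outside this hunk, so check that any configuration validity step relying on it does not depend on the inverted wording.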
      3. For each item of A:

          -
        1. If B does not contain item, +

        2. If B does not contain item, then append item to result.

      4. @@ -128622,12 +128629,6 @@ dictionary SanitizerConfig {
      -
      -

      Two lists A and B are equal if A - is a subset of B and B is a - subset of A.

      -
      -

      The built-in non-replaceable elements list contains elements that must not be replaced with their children, as doing so can lead to re-parsing issues or an invalid node tree. It is the following list of SanitizerElementNamespace dictionaries:

      From 6e2ec7d0cd23025da82b7ac58c8acc88a41b5122 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 23 Apr 2026 16:20:46 +0100 Subject: [PATCH 26/35] Clean up algos --- source | 146 +++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 95 insertions(+), 51 deletions(-) diff --git a/source b/source index 3358c638545..84010e32340 100644 --- a/source +++ b/source @@ -126580,7 +126580,8 @@ dictionary SanitizerConfig {
      1. Set element["attributes"] to the - result of remove duplicates from element["remove + duplicates from element["attributes"].

      2. Set element["SanitizerConfig {

        1. Set element["removeAttributes"] - to the result of remove duplicates from element["remove + duplicates from element["removeAttributes"].

        2. Set element["SanitizerConfig {

          1. Set element["attributes"] to the - result of remove duplicates from element["remove + duplicates from element["attributes"].

          2. Set element["SanitizerConfig {

            1. Set element["removeAttributes"] - to the result of remove duplicates from element["remove + duplicates from element["removeAttributes"].

            2. Set element["SanitizerConfig {

      h4 HTML -
      +
      h5 HTML -
      +
      h6 HTML -
      +
      head HTML -
      +
      header HTML -
      +
      hgroup HTML -
      +
      hr HTML -
      +
      html HTML -
      +
      i HTML -
      +
      ins HTML cite, datetime
      kbd HTML -
      +
      li HTML value
      main HTML -
      +
      mark HTML -
      +
      menu HTML -
      +
      nav HTML -
      +
      ol HTML reversed, start, type
      p HTML -
      +
      pre HTML -
      +
      q HTML -
      +
      rp HTML -
      +
      rt HTML -
      +
      ruby HTML -
      +
      s HTML -
      +
      samp HTML -
      +
      search HTML -
      +
      section HTML -
      +
      small HTML -
      +
      span HTML -
      +
      strong HTML -
      +
      sub HTML -
      +
      sup HTML -
      +
      table HTML -
      +
      tbody HTML -
      +
      td HTML colspan, headers, rowspan
      tfoot HTML -
      +
      th HTML abbr, colspan, headers, rowspan, scope
      thead HTML -
      +
      time HTML datetime
      title HTML -
      +
      tr HTML -
      +
      u HTML -
      +
      ul HTML -
      +
      var HTML -
      +
      wbr HTML - +
      math MathML @@ -128575,16 +128617,17 @@ dictionary SanitizerConfig {
      -

      To remove duplicates from a list list, run the following steps:

      +

      To remove duplicates from a + list list, run the following steps:

      1. Let result be an empty list.

      2. For each item of list:

          -
        1. If result does not contain - item, then append item to - result.

        2. +
        3. If result does not contain item, then append + item to result.

      3. @@ -128601,8 +128644,8 @@ dictionary SanitizerConfig {

        The intersection of sanitizer config lists A and B containing SanitizerElement or - SanitizerAttribute items is a list containing all items that are present - in both A and B.

        + SanitizerAttribute items is a list containing> all items that are present in both A and B.

        @@ -128620,8 +128663,9 @@ dictionary SanitizerConfig {
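Review bot: The re-wrapped line in the hunk above (`-128601,8`) gains a stray `>`: it now reads `is a list containing> all items`, where the removed line had `is a list containing all items`. Unless the character is an artefact of this rendering, drop it so the intersection definition does not show a literal `>` in the published text.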
      4. For each item of A:

          -
        1. If B does not contain item, - then append item to result.

        2. +
        3. If B does not contain + item, then append item to + result.

      5. From ce6c325c188dfc41f14db4481c7de14980ade8ed Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 23 Apr 2026 16:23:34 +0100 Subject: [PATCH 27/35] Clean up algos --- source | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source b/source index 84010e32340..53785350c59 100644 --- a/source +++ b/source @@ -126607,7 +126607,7 @@ dictionary SanitizerConfig {
        1. Set element["removeAttributes"] - to the result of remove + to the result of removing duplicates from element["removeAttributes"].

        2. @@ -126633,7 +126633,7 @@ dictionary SanitizerConfig {
          1. Set element["attributes"] to the - result of remove + result of removing duplicates from element["attributes"].

          2. @@ -126666,13 +126666,13 @@ dictionary SanitizerConfig {
            1. Set element["removeAttributes"] - to the result of remove + to the result of removing duplicates from element["removeAttributes"].

            2. Set element["removeAttributes"] - to the set/difference of + to the difference of element["removeAttributes"] and configuration["SanitizerConfig {

            3. If configuration["elements"] does not contain element, then:

              + data-x="dom-SanitizerConfig-elements">elements
              "] does not contain element, then:

              1. Append element to From b53cce1020354e1a69281f56aabf8c62c468a04f Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 28 Apr 2026 13:52:57 +0100 Subject: [PATCH 28/35] nits --- source | 1694 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 846 insertions(+), 848 deletions(-) diff --git a/source b/source index 53785350c59..cc3ed54b3d1 100644 --- a/source +++ b/source @@ -125880,111 +125880,6 @@ interface Sanitizer {

        -
        -

        The allowProcessingInstruction(pi) - method steps are:

        - -
          -
        1. Let configuration be this's configuration.

        2. - -
        3. Set pi to the result of canonicalize a sanitizer processing - instruction with pi.

        4. - -
        5. If configuration["processingInstructions"] exists, then:

          - -
            -
          1. If configuration["processingInstructions"] contains pi, then return - false.

          2. - -
          3. Append pi to - configuration["processingInstructions"].

          4. - -
          5. Return true.

          6. -
          -
        6. - -
        7. -

          Otherwise:

          - -
            -
          1. -

            If configuration["removeProcessingInstructions"] - contains pi, - then:

            - -
              -
            1. Remove - pi from configuration["removeProcessingInstructions"].

            2. - -
            3. Return true.

            4. -
            -
          2. - -
          3. Return false.

          4. -
          -
        8. -
        -
        - -
        -

        The removeProcessingInstruction(pi) - method steps are:

        - -
          -
        1. Let configuration be this's configuration.

        2. - -
        3. Set pi to the result of canonicalize a sanitizer processing - instruction with pi.

        4. - -
        5. If configuration["processingInstructions"] exists, then:

          - -
            -
          1. If configuration["processingInstructions"] contains pi, then:

            - -
              -
            1. Remove - pi from configuration["processingInstructions"].

            2. - -
            3. Return true.

            4. -
            -
          2. - -
          3. Return false.

          4. -
          -
        6. - -
        7. Otherwise:

          - -
            -
          1. If configuration["removeProcessingInstructions"] - contains pi, then - return false.

          2. - -
          3. Append pi to - configuration["removeProcessingInstructions"].

          4. - -
          5. Return true.

          6. -
          -
        8. -
        -
        -

        To set a configuration, given a dictionary configuration, a boolean allowCommentsPIsAndDataAttributes, and a Sanitizer @@ -126135,19 +126030,18 @@ dictionary SanitizerElementNamespaceWithAttributes : SanitizerAttribute> removeAttributes; }; -typedef (DOMString or SanitizerElementNamespace) SanitizerElement; -typedef (DOMString or SanitizerElementNamespaceWithAttributes) SanitizerElementWithAttributes; +dictionary SanitizerAttributeNamespace { + required DOMString name; + DOMString? _namespace = null; +}; dictionary SanitizerProcessingInstruction { required DOMString target; }; +typedef (DOMString or SanitizerElementNamespace) SanitizerElement; +typedef (DOMString or SanitizerElementNamespaceWithAttributes) SanitizerElementWithAttributes; typedef (DOMString or SanitizerProcessingInstruction) SanitizerPI; - -dictionary SanitizerAttributeNamespace { - required DOMString name; - DOMString? _namespace = null; -}; typedef (DOMString or SanitizerAttributeNamespace) SanitizerAttribute; dictionary SanitizerConfig { @@ -126943,6 +126837,111 @@ dictionary SanitizerConfig {

      +
      +

      The allowProcessingInstruction(pi) + method steps are:

      + +
        +
      1. Let configuration be this's configuration.

      2. + +
      3. Set pi to the result of canonicalize a sanitizer processing + instruction with pi.

      4. + +
      5. If configuration["processingInstructions"] exists, then:

        + +
          +
        1. If configuration["processingInstructions"] contains pi, then return + false.

        2. + +
        3. Append pi to + configuration["processingInstructions"].

        4. + +
        5. Return true.

        6. +
        +
      6. + +
      7. +

        Otherwise:

        + +
          +
        1. +

          If configuration["removeProcessingInstructions"] + contains pi, + then:

          + +
            +
          1. Remove + pi from configuration["removeProcessingInstructions"].

          2. + +
          3. Return true.

          4. +
          +
        2. + +
        3. Return false.

        4. +
        +
      8. +
      +
      + +
      +

      The removeProcessingInstruction(pi) + method steps are:

      + +
        +
      1. Let configuration be this's configuration.

      2. + +
      3. Set pi to the result of canonicalize a sanitizer processing + instruction with pi.

      4. + +
      5. If configuration["processingInstructions"] exists, then:

        + +
          +
        1. If configuration["processingInstructions"] contains pi, then:

          + +
            +
          1. Remove + pi from configuration["processingInstructions"].

          2. + +
          3. Return true.

          4. +
          +
        2. + +
        3. Return false.

        4. +
        +
      6. + +
      7. Otherwise:

        + +
          +
        1. If configuration["removeProcessingInstructions"] + contains pi, then + return false.

        2. + +
        3. Append pi to + configuration["removeProcessingInstructions"].

        4. + +
        5. Return true.

        6. +
        +
      8. +
      +
      +

      The removeUnsafe() method steps are to update @@ -127288,722 +127287,28 @@ dictionary SanitizerConfig {

      -

      Sanitization constants

      +
      +

      To remove an element + element from a SanitizerConfig configuration:

      -

      The built-in safe baseline configuration is a SanitizerConfig with its - removeElements corresponding to the - following table:

      +
        +
      1. Assert: configuration is valid.

      2. - - - - - - - - - - - -
        Name - Namespace -
        embed - HTML -
        frame - HTML -
        iframe - HTML -
        object - HTML -
        script - HTML -
        script - SVG -
        use - SVG -
        +
      3. Set element to the result of canonicalize a sanitizer element with + element.

      4. -

        and the following removeAttributes - list:

        +
      5. Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

      6. -
          -
        • onafterprint
        • -
        • onauxclick
        • -
        • onbeforeinput
        • -
        • onbeforematch
        • -
        • onbeforeprint
        • -
        • onbeforeunload
        • -
        • onbeforetoggle
        • -
        • onblur
        • -
        • oncancel
        • -
        • oncanplay
        • -
        • oncanplaythrough
        • -
        • onchange
        • -
        • onclick
        • -
        • onclose
        • -
        • oncontextlost
        • -
        • oncontextmenu
        • -
        • oncontextrestored
        • -
        • oncopy
        • -
        • oncuechange
        • -
        • oncut
        • -
        • ondblclick
        • -
        • ondrag
        • -
        • ondragend
        • -
        • ondragenter
        • -
        • ondragleave
        • -
        • ondragover
        • -
        • ondragstart
        • -
        • ondrop
        • -
        • ondurationchange
        • -
        • onemptied
        • -
        • onended
        • -
        • onerror
        • -
        • onfocus
        • -
        • onformdata
        • -
        • onhashchange
        • -
        • oninput
        • -
        • oninvalid
        • -
        • onkeydown
        • -
        • onkeypress
        • -
        • onkeyup
        • -
        • onlanguagechange
        • -
        • onload
        • -
        • onloadeddata
        • -
        • onloadedmetadata
        • -
        • onloadstart
        • -
        • onmessage
        • -
        • onmessageerror
        • -
        • onmousedown
        • -
        • onmouseenter
        • -
        • onmouseleave
        • -
        • onmousemove
        • -
        • onmouseout
        • -
        • onmouseover
        • -
        • onmouseup
        • -
        • onoffline
        • -
        • ononline
        • -
        • onpagehide
        • -
        • onpagereveal
        • -
        • onpageshow
        • -
        • onpageswap
        • -
        • onpaste
        • -
        • onpause
        • -
        • onplay
        • -
        • onplaying
        • -
        • onpopstate
        • -
        • onprogress
        • -
        • onratechange
        • -
        • onreset
        • -
        • onresize
        • -
        • onrejectionhandled
        • -
        • onscroll
        • -
        • onscrollend
        • -
        • onsecuritypolicyviolation
        • -
        • onseeked
        • -
        • onseeking
        • -
        • onselect
        • -
        • onslotchange
        • -
        • onstalled
        • -
        • onstorage
        • -
        • onsubmit
        • -
        • onsuspend
        • -
        • ontimeupdate
        • -
        • ontoggle
        • -
        • onunhandledrejection
        • -
        • onunload
        • -
        • onvolumechange
        • -
        • onwaiting
        • -
        • onwheel
        • -
        +
      7. If configuration["elements"] + exists, then:

        -

        The built-in safe default configuration is a SanitizerConfig with its - elements list corresponding to the following - table:

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Element - Namespace - Allowed Attributes -
        a - HTML - href, hreflang, type -
        abbr - HTML - -
        address - HTML - -
        article - HTML - -
        aside - HTML - -
        b - HTML - -
        bdi - HTML - -
        bdo - HTML - -
        blockquote - HTML - cite - -
        body - HTML - -
        br - HTML - -
        caption - HTML - -
        cite - HTML - -
        code - HTML - -
        col - HTML - span -
        colgroup - HTML - span -
        data - HTML - value -
        dd - HTML - -
        del - HTML - cite, datetime -
        dfn - HTML - -
        div - HTML - -
        dl - HTML - -
        dt - HTML - -
        em - HTML - -
        figcaption - HTML - -
        figure - HTML - -
        footer - HTML - -
        h1 - HTML - -
        h2 - HTML - -
        h3 - HTML - -
        h4 - HTML - -
        h5 - HTML - -
        h6 - HTML - -
        head - HTML - -
        header - HTML - -
        hgroup - HTML - -
        hr - HTML - -
        html - HTML - -
        i - HTML - -
        ins - HTML - cite, datetime -
        kbd - HTML - -
        li - HTML - value -
        main - HTML - -
        mark - HTML - -
        menu - HTML - -
        nav - HTML - -
        ol - HTML - reversed, start, type -
        p - HTML - -
        pre - HTML - -
        q - HTML - -
        rp - HTML - -
        rt - HTML - -
        ruby - HTML - -
        s - HTML - -
        samp - HTML - -
        search - HTML - -
        section - HTML - -
        small - HTML - -
        span - HTML - -
        strong - HTML - -
        sub - HTML - -
        sup - HTML - -
        table - HTML - -
        tbody - HTML - -
        td - HTML - colspan, headers, rowspan -
        tfoot - HTML - -
        th - HTML - abbr, colspan, headers, rowspan, scope -
        thead - HTML - -
        time - HTML - datetime -
        title - HTML - -
        tr - HTML - -
        u - HTML - -
        ul - HTML - -
        var - HTML - -
        wbr - HTML - -
        math - MathML - -
        merror - MathML - -
        mfrac - MathML - -
        mi - MathML - -
        mmultiscripts - MathML - -
        mn - MathML - -
        mo - MathML - fence, form, largeop, lspace, maxsize, minsize, movablelimits, rspace, separator, stretchy, symmetric -
        mover - MathML - accent -
        mpadded - MathML - depth, height, lspace, voffset, width -
        mphantom - MathML - -
        mprescripts - MathML - -
        mroot - MathML - -
        mrow - MathML - -
        ms - MathML - -
        mspace - MathML - depth, height, width -
        msqrt - MathML - -
        mstyle - MathML - -
        msub - MathML - -
        msubsup - MathML - -
        msup - MathML - -
        mtable - MathML - -
        mtd - MathML - columnspan, rowspan -
        mtext - MathML - -
        mtr - MathML - -
        munder - MathML - accentunder -
        munderover - MathML - accent, accentunder -
        semantics - MathML - -
        a - SVG - href, hreflang, type -
        circle - SVG - cx, cy, pathLength, r -
        defs - SVG -
        desc - SVG -
        ellipse - SVG - cx, cy, pathLength, rx, ry -
        foreignObject - SVG - height, width, x, y -
        g - SVG -
        line - SVG - pathLength, x1, x2, y1, y2 -
        marker - SVG - markerHeight, markerUnits, markerWidth, orient, preserveAspectRatio, refX, refY, viewBox -
        metadata - SVG -
        path - SVG - d, pathLength -
        polygon - SVG - pathLength, points -
        polyline - SVG - pathLength, points -
        rect - SVG - height, pathLength, rx, ry, width, x, y -
        svg - SVG - height, preserveAspectRatio, viewBox, width, x, y -
        text - SVG - dx, dy, lengthAdjust, rotate, textLength, x, y -
        textPath - SVG - lengthAdjust, method, path, side, spacing, startOffset, textLength -
        title - SVG -
        tspan - SVG - dx, dy, lengthAdjust, rotate, textLength, x, y -
        - -

        The built-in navigating URL attributes list corresponds to the following table:

        - - - - - - - - - - - - -
        Element - Element Namespace - Attribute - Attribute Namespace -
        a - HTML - href, hreflang, type - -
        area - HTML - href - -
        base - HTML - href - -
        button - HTML - formaction - -
        form - HTML - action - -
        input - HTML - formaction - -
        a - SVG - href - XLink namespace -
        - - -

        The built-in animating URL attributes list corrsponds to the following table:

        - - - - - - - - -
        Element - Element Namespace - Attribute -
        animate - SVG - attributeName -
        animateTransform - SVG - attributeName -
        set - SVG - attributeName -
        - - -
        -

        To remove an element - element from a SanitizerConfig configuration:

        - -
          -
        1. Assert: configuration is valid.

        2. - -
        3. Set element to the result of canonicalize a sanitizer element with - element.

        4. - -
        5. Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

        6. - -
        7. If configuration["elements"] - exists, then:

          - -
            -
          1. If configuration["elements"] contains element, then:

            +
              +
            1. If configuration["elements"] contains element, then:

              1. Remove element from @@ -128025,7 +127330,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerConfig-removeElements">removeElements"] contains element, then return modified.

              2. -
              3. Append element to +

              4. Add element to configuration["removeElements"].

              5. @@ -128134,7 +127439,7 @@ dictionary SanitizerConfig {
            2. -
            3. Append attribute to +

            4. Add attribute to configuration["removeAttributes"].

            5. @@ -128243,7 +127548,7 @@ dictionary SanitizerConfig {
        -

        To SanitizerConfig/add a name to a list list:

        +

        To add a name to a list list:

        1. If list sanitizer config list contains name, then @@ -128315,7 +127620,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes"]:

            -
          1. Append the result of canonicalize a +

          2. Add the result of canonicalize a sanitizer attribute with attribute to attributes.

        2. @@ -128338,7 +127643,7 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"]:

            -
          1. Append the result of canonicalize a +

          2. Add the result of canonicalize a sanitizer attribute with attribute to attributes.

          @@ -128648,30 +127953,723 @@ dictionary SanitizerConfig { contains">containing> all items that are present in both A and B.

        -
        -

        A list A is a subset of a list - B if A contains every - item in B.

        -
        +
        +

        A list A is a subset of a list + B if A contains every + item in B.

        +
        + +
        +

        To compute the difference of two lists + A and B:

        + +
          +
        1. Let result be an empty list.

        2. + +
        3. For each item of A:

          +
            +
          1. If B does not contain + item, then append item to + result.

          2. +
          +
        4. + +
        5. Return result.

        6. +
        +
        + +

        Sanitization constants

        + +

        The built-in safe baseline configuration is a SanitizerConfig with its + removeElements corresponding to the + following table:

        + + + + + + + + + + + + +
        Name + Namespace +
        embed + HTML +
        frame + HTML +
        iframe + HTML +
        object + HTML +
        script + HTML +
        script + SVG +
        use + SVG +
        + +

        and the following removeAttributes + list:

        + +
          +
        • onafterprint
        • +
        • onauxclick
        • +
        • onbeforeinput
        • +
        • onbeforematch
        • +
        • onbeforeprint
        • +
        • onbeforeunload
        • +
        • onbeforetoggle
        • +
        • onblur
        • +
        • oncancel
        • +
        • oncanplay
        • +
        • oncanplaythrough
        • +
        • onchange
        • +
        • onclick
        • +
        • onclose
        • +
        • oncontextlost
        • +
        • oncontextmenu
        • +
        • oncontextrestored
        • +
        • oncopy
        • +
        • oncuechange
        • +
        • oncut
        • +
        • ondblclick
        • +
        • ondrag
        • +
        • ondragend
        • +
        • ondragenter
        • +
        • ondragleave
        • +
        • ondragover
        • +
        • ondragstart
        • +
        • ondrop
        • +
        • ondurationchange
        • +
        • onemptied
        • +
        • onended
        • +
        • onerror
        • +
        • onfocus
        • +
        • onformdata
        • +
        • onhashchange
        • +
        • oninput
        • +
        • oninvalid
        • +
        • onkeydown
        • +
        • onkeypress
        • +
        • onkeyup
        • +
        • onlanguagechange
        • +
        • onload
        • +
        • onloadeddata
        • +
        • onloadedmetadata
        • +
        • onloadstart
        • +
        • onmessage
        • +
        • onmessageerror
        • +
        • onmousedown
        • +
        • onmouseenter
        • +
        • onmouseleave
        • +
        • onmousemove
        • +
        • onmouseout
        • +
        • onmouseover
        • +
        • onmouseup
        • +
        • onoffline
        • +
        • ononline
        • +
        • onpagehide
        • +
        • onpagereveal
        • +
        • onpageshow
        • +
        • onpageswap
        • +
        • onpaste
        • +
        • onpause
        • +
        • onplay
        • +
        • onplaying
        • +
        • onpopstate
        • +
        • onprogress
        • +
        • onratechange
        • +
        • onreset
        • +
        • onresize
        • +
        • onrejectionhandled
        • +
        • onscroll
        • +
        • onscrollend
        • +
        • onsecuritypolicyviolation
        • +
        • onseeked
        • +
        • onseeking
        • +
        • onselect
        • +
        • onslotchange
        • +
        • onstalled
        • +
        • onstorage
        • +
        • onsubmit
        • +
        • onsuspend
        • +
        • ontimeupdate
        • +
        • ontoggle
        • +
        • onunhandledrejection
        • +
        • onunload
        • +
        • onvolumechange
        • +
        • onwaiting
        • +
        • onwheel
        • +
        + +

        The built-in safe default configuration is a SanitizerConfig with its + elements list corresponding to the following + table:

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Element + Namespace + Allowed Attributes +
        a + HTML + href, hreflang, type +
        abbr + HTML + +
        address + HTML + +
        article + HTML + +
        aside + HTML + +
        b + HTML + +
        bdi + HTML + +
        bdo + HTML + +
        blockquote + HTML + cite + +
        body + HTML + +
        br + HTML + +
        caption + HTML + +
        cite + HTML + +
        code + HTML + +
        col + HTML + span +
        colgroup + HTML + span +
        data + HTML + value +
        dd + HTML + +
        del + HTML + cite, datetime +
        dfn + HTML + +
        div + HTML + +
        dl + HTML + +
        dt + HTML + +
        em + HTML + +
        figcaption + HTML + +
        figure + HTML + +
        footer + HTML + +
        h1 + HTML + +
        h2 + HTML + +
        h3 + HTML + +
        h4 + HTML + +
        h5 + HTML + +
        h6 + HTML + +
        head + HTML + +
        header + HTML + +
        hgroup + HTML + +
        hr + HTML + +
        html + HTML + +
        i + HTML + +
        ins + HTML + cite, datetime +
        kbd + HTML + +
        li + HTML + value +
        main + HTML + +
        mark + HTML + +
        menu + HTML + +
        nav + HTML + +
        ol + HTML + reversed, start, type +
        p + HTML + +
        pre + HTML + +
        q + HTML + +
        rp + HTML + +
        rt + HTML + +
        ruby + HTML + +
        s + HTML + +
        samp + HTML + +
        search + HTML + +
        section + HTML + +
        small + HTML + +
        span + HTML + +
        strong + HTML + +
        sub + HTML + +
        sup + HTML + +
        table + HTML + +
        tbody + HTML + +
        td + HTML + colspan, headers, rowspan +
        tfoot + HTML + +
        th + HTML + abbr, colspan, headers, rowspan, scope +
        thead + HTML + +
        time + HTML + datetime +
        title + HTML + +
        tr + HTML + +
        u + HTML + +
        ul + HTML + +
        var + HTML + +
        wbr + HTML + +
        math + MathML + +
        merror + MathML + +
        mfrac + MathML + +
        mi + MathML + +
        mmultiscripts + MathML + +
        mn + MathML + +
        mo + MathML + fence, form, largeop, lspace, maxsize, minsize, movablelimits, rspace, separator, stretchy, symmetric +
        mover + MathML + accent +
        mpadded + MathML + depth, height, lspace, voffset, width +
        mphantom + MathML + +
        mprescripts + MathML + +
        mroot + MathML + +
        mrow + MathML + +
        ms + MathML + +
        mspace + MathML + depth, height, width +
        msqrt + MathML + +
        mstyle + MathML + +
        msub + MathML + +
        msubsup + MathML + +
        msup + MathML + +
        mtable + MathML + +
        mtd + MathML + columnspan, rowspan +
        mtext + MathML + +
        mtr + MathML + +
        munder + MathML + accentunder +
        munderover + MathML + accent, accentunder +
        semantics + MathML + +
        a + SVG + href, hreflang, type +
        circle + SVG + cx, cy, pathLength, r +
        defs + SVG +
        desc + SVG +
        ellipse + SVG + cx, cy, pathLength, rx, ry +
        foreignObject + SVG + height, width, x, y +
        g + SVG +
        line + SVG + pathLength, x1, x2, y1, y2 +
        marker + SVG + markerHeight, markerUnits, markerWidth, orient, preserveAspectRatio, refX, refY, viewBox +
        metadata + SVG +
        path + SVG + d, pathLength +
        polygon + SVG + pathLength, points +
        polyline + SVG + pathLength, points +
        rect + SVG + height, pathLength, rx, ry, width, x, y +
        svg + SVG + height, preserveAspectRatio, viewBox, width, x, y +
        text + SVG + dx, dy, lengthAdjust, rotate, textLength, x, y +
        textPath + SVG + lengthAdjust, method, path, side, spacing, startOffset, textLength +
        title + SVG +
        tspan + SVG + dx, dy, lengthAdjust, rotate, textLength, x, y +
        + +

        The built-in navigating URL attributes list corresponds to the following table:

        -
        -

        To compute the difference of two lists - A and B:

        + + + + + + + + + + + +
        Element + Element Namespace + Attribute + Attribute Namespace +
        a + HTML + href, hreflang, type + +
        area + HTML + href + +
        base + HTML + href + +
        button + HTML + formaction + +
        form + HTML + action + +
        input + HTML + formaction + +
        a + SVG + href + XLink namespace +
        -
          -
        1. Let result be an empty list.

        2. -
        3. For each item of A:

          -
            -
          1. If B does not contain - item, then append item to - result.

          2. -
          -
        4. +

          The built-in animating URL attributes list corrsponds to the following table:

          -
        5. Return result.

        6. -
        -
        + + + + + + + +
        Element + Element Namespace + Attribute +
        animate + SVG + attributeName +
        animateTransform + SVG + attributeName +
        set + SVG + attributeName +

        The built-in non-replaceable elements list contains elements that must not be replaced with their children, as doing so can lead to re-parsing issues or an invalid node tree.
        From 1e065df7b62f46e8a32171a6bc192b23ea602af8 Mon Sep 17 00:00:00 2001
        From: Noam Rosenthal
        Date: Tue, 28 Apr 2026 14:06:15 +0100
        Subject: [PATCH 29/35] nits
        ---
        source | 24 ++++++++++++++----------
        1 file changed, 14 insertions(+), 10 deletions(-)
        diff --git a/source b/source
        index cc3ed54b3d1..16f92f1eb03 100644
        --- a/source
        +++ b/source
        @@ -127526,10 +127526,11 @@ dictionary SanitizerConfig {
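Review bot: The relocated definition `A list A is a subset of a list B if A contains every item in B` reads inverted; as worded it makes A a superset of B. If the configuration checks that use it expect the usual meaning, the condition should be `B contains every item in A`; the callers are outside this hunk, so this needs confirming against them before it lands in its new place. The added caption for the animating URL attributes table also carries a typo, `corrsponds` for `corresponds`.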

      -

      To sanitizer config list contains, given an item item and a list - list:

      +

      To check if a list contains + item:

        -
      1. For each entry of list:

        +
      2. +

        For each entry of list:

        1. If item has a target member, and entry @@ -127538,8 +127539,8 @@ dictionary SanitizerConfig {

        2. Otherwise, if item's name member is equal to entry's name member and item's - _namespace member is equal to - entry's _namespace + namespace member is equal to + entry's namespace member, then return true.

      3. @@ -127548,7 +127549,8 @@ dictionary SanitizerConfig {
      -

      To add a name to a list list:

      +

      To add a name to a list + list:

      1. If list sanitizer config list contains name, then @@ -127620,8 +127622,9 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-attributes">attributes"]:

          -
        1. Add the result of canonicalize a - sanitizer attribute with attribute to attributes.

        2. +
        3. Add the result of + canonicalize a sanitizer attribute with attribute to + attributes.

      2. @@ -127643,8 +127646,9 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespaceWithAttributes-removeAttributes">removeAttributes"]:

          -
        1. Add the result of canonicalize a - sanitizer attribute with attribute to attributes.

        2. +
        3. Add the result of + canonicalize a sanitizer attribute with attribute to + attributes.

        From 4679acfc35f6d30c68051e0e5d0a4081cb4403b0 Mon Sep 17 00:00:00 2001
        From: Noam Rosenthal
        Date: Tue, 28 Apr 2026 14:11:44 +0100
        Subject: [PATCH 30/35] secpriv
        ---
        source | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        1 file changed, 58 insertions(+)
        diff --git a/source b/source
        index 16f92f1eb03..dab88ffb65f 100644
        --- a/source
        +++ b/source
        @@ -128693,6 +128693,64 @@ dictionary SanitizerConfig { }

        +

        Security Considerations

        + + + + The Sanitizer API is intended to prevent DOM-based cross-site scripting by traversing a supplied + HTML content and removing elements and attributes according to a configuration. The specified API + is designed to not support the construction of a Sanitizer object that leaves script-capable markup in and + doing so would be a bug in the threat model. That being said, there are security issues which the + correct usage of the Sanitizer API will not be able to protect against and the scenarios will be + laid out in the following sections. + +
        Server-Side Reflected and Stored XSS
        + + + + The Sanitizer API operates solely in the DOM and adds a capability to traverse and filter an + existing DocumentFragment. The Sanitizer does not address server-side reflected or stored XSS. + +
        DOM clobbering
        + + + + DOM clobbering describes an attack in which malicious HTML confuses an application by naming + elements through id or name attributes such that properties like children of an HTML element in + the DOM are overshadowed by the malicious content. The Sanitizer API does not protect DOM + clobbering attacks in its default state, but can be configured to remove id and name attributes. + +
        XSS with Script gadgets
        + + Script gadgets are a technique in which an attacker uses existing application code from popular + JavaScript libraries to cause their own code to execute. This is often done by injecting + innocent-looking code or seemingly inert DOM nodes that is only parsed and interpreted by a + framework which then performs the execution of JavaScript based on that input. + + The Sanitizer API can not prevent these attacks, but requires page authors to explicitly allow + unknown elements in general, and authors must additionally explicitly configure unknown attributes + and elements and markup that is known to be widely used for templating and framework-specific + code, like data- and slot attributes and elements like slot and template. We believe that + these restrictions are not exhaustive and encourage page authors to examine their third party + libraries for this behavior. + +
        Mutated XSS
        + + Mutated XSS or mXSS describes an attack based on parser context mismatches when parsing an HTML + snippet without the correct context. In particular, when a parsed HTML fragment has been + serialized to a string, the string is not guaranteed to be parsed and interpreted exactly the same + when inserted into a different parent element. An example for carrying out such an attack is by + relying on the change of parsing behavior for foreign content or mis-nested tags. The Sanitizer + API offers only functions that turn a string into a node tree. The context is supplied implicitly + by all sanitizer functions: Element.setHTML() uses the current element; Document.parseHTML() + creates a new document. Therefore Sanitizer API is not directly affected by mutated XSS. If a + developer were to retrieve a sanitized node tree as a string, e.g. via .innerHTML, and to then + parse it again then mutated XSS may occur. We discourage this practice. If processing or passing + of HTML as a string should be necessary after all, then any string should be considered untrusted + and should be sanitized (again) when inserting it into the DOM. In other words, a sanitized and + then serialized HTML tree can no longer be considered as sanitized. A more complete treatment of + mXSS can be found in [[MXSS]]. +

        Timers

        The setTimeout() and Date: Tue, 28 Apr 2026 14:21:47 +0100 Subject: [PATCH 31/35] Add mXSS biblio --- source | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/source b/source index dab88ffb65f..c70019841f8 100644 --- a/source +++ b/source @@ -128699,19 +128699,20 @@ dictionary SanitizerConfig { The Sanitizer API is intended to prevent DOM-based cross-site scripting by traversing a supplied HTML content and removing elements and attributes according to a configuration. The specified API - is designed to not support the construction of a Sanitizer object that leaves script-capable markup in and - doing so would be a bug in the threat model. That being said, there are security issues which the - correct usage of the Sanitizer API will not be able to protect against and the scenarios will be - laid out in the following sections. + is designed to not support the construction of a Sanitizer object that leaves script-capable + markup in and doing so would be a bug in the threat model. That being said, there are security + issues which the correct usage of the Sanitizer API will not be able to protect against and the + scenarios will be laid out in the following sections. -
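Review bot: The opening paragraph of the new Security Considerations section states the guarantee in terms of constructing a Sanitizer object, but the IDL earlier in this series lets the same `sanitizer` option be passed to `setHTMLUnsafe()` and `parseHTMLUnsafe()`, where nothing visible forces the safe baseline. The guarantee appears to belong to the safe entry points instead, so the sentence would be more accurate as `setHTML() and Document.parseHTML() always remove script-capable markup, whatever configuration is supplied`. In the DOM clobbering paragraph, `does not protect DOM clobbering attacks` is missing a word and should read `does not protect against DOM clobbering attacks`. The following commit re-wraps this text and keeps both sentences unchanged.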

        Server-Side Reflected and Stored XSS
        +
        Server-Side Reflected and Stored XSS
        The Sanitizer API operates solely in the DOM and adds a capability to traverse and filter an - existing DocumentFragment. The Sanitizer does not address server-side reflected or stored XSS. + existing DocumentFragment. The Sanitizer does not address server-side reflected or + stored XSS. -
        DOM clobbering
        +
        DOM clobbering
        @@ -128720,7 +128721,7 @@ dictionary SanitizerConfig { the DOM are overshadowed by the malicious content. The Sanitizer API does not protect DOM clobbering attacks in its default state, but can be configured to remove id and name attributes. -
        XSS with Script gadgets
        +
        XSS with Script gadgets
        Script gadgets are a technique in which an attacker uses existing application code from popular JavaScript libraries to cause their own code to execute. This is often done by injecting @@ -128730,11 +128731,11 @@ dictionary SanitizerConfig { The Sanitizer API can not prevent these attacks, but requires page authors to explicitly allow unknown elements in general, and authors must additionally explicitly configure unknown attributes and elements and markup that is known to be widely used for templating and framework-specific - code, like data- and slot attributes and elements like slot and template. We believe that - these restrictions are not exhaustive and encourage page authors to examine their third party - libraries for this behavior. + code, like data- and slot attributes and elements like slot and + template. We believe that these restrictions are not exhaustive and encourage page + authors to examine their third party libraries for this behavior. -
        Mutated XSS
        +
        Mutated XSS
        Mutated XSS or mXSS describes an attack based on parser context mismatches when parsing an HTML snippet without the correct context. In particular, when a parsed HTML fragment has been @@ -128749,7 +128750,7 @@ dictionary SanitizerConfig { of HTML as a string should be necessary after all, then any string should be considered untrusted and should be sanitized (again) when inserting it into the DOM. In other words, a sanitized and then serialized HTML tree can no longer be considered as sanitized. A more complete treatment of - mXSS can be found in [[MXSS]]. + mXSS can be found in MXSS.

        Timers

        @@ -160214,6 +160215,9 @@ INSERT INTERFACES HERE
        [MULTIPLEBUFFERING]
        (Non-normative) Multiple buffering. Wikipedia.
        +
        [MXSS]
        +
        mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations, M. Heiderich, J. Schwenk, T. Frosch, J. Magazinius, and E. Z. Yang. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS '13), Berlin, Germany, 2013.
        +
        [NAVIGATIONTIMING]
        Navigation Timing, Y. Weiss. W3C.
        From a34855f50d8393e7ba89925b7d2170445dcd2a14 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Wed, 29 Apr 2026 09:58:59 +0100 Subject: [PATCH 32/35] wip --- source | 151 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 78 insertions(+), 73 deletions(-) diff --git a/source b/source index c70019841f8..9220242e756 100644 --- a/source +++ b/source @@ -124979,7 +124979,7 @@ enum DOMParserSupportedType {
      -

      Unsafe HTML parsing methods

      +

      HTML parsing methods

      element.setHTMLUnsafe(html, options)
      @@ -124987,7 +124987,8 @@ enum DOMParserSupportedType {

      Parses html using the HTML parser with options options, and replaces the children of element with the result. element provides context for the - HTML parser.

      + HTML parser. If the options dictionary contains a "sanitizer" member, + it is used to sanitize the parsed fragment before it is inserted into element.

      shadowRoot.setHTMLUnsafe(html, options)
      @@ -124995,7 +124996,24 @@ enum DOMParserSupportedType {

      Parses html using the HTML parser with options options, and replaces the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser.

      + data-x="concept-DocumentFragment-host">host provides context for the HTML parser. If the options dictionary contains a "sanitizer" member, + it is used to sanitize the parsed fragment before it is inserted into shadowRoot.

      +
      + +
      element.setHTML(html, options)
      + +
      +

      Parses html using the HTML parser with options options, and replaces + the children of element with the result. element provides context for the + HTML parser. The parsed fragment is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

      +
      + +
      shadowRoot.setHTML(html, options)
      + +
      +

      Parses html using the HTML parser with options options, and replaces + the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser. The parsed fragment is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

      doc = Document.parseHTMLUnsafe(html, options)
      @@ -125007,10 +125025,24 @@ enum DOMParserSupportedType {

      Note that script elements are not evaluated during parsing, and the resulting document's encoding will always be UTF-8. The document's URL will be - about:blank.

      + about:blank. If the options dictionary contains a "sanitizer" member, + it is used to sanitize the resulting DOM.

      + + +
      +

      Parses html using the HTML parser with options options, and replaces + the children of the element or shadow root with the result.

      +
      + +
      doc = Document.parseHTML(html, options)
      +
      +

      Parses html using the HTML parser with options options, and returns a + new Document containing the result. The resulting document is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

      + +

      These methods perform no sanitization to remove potentially-dangerous elements and attributes like script or event handler content attributes.
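Review bot: The trailing warning `These methods perform no sanitization…` now follows a list that also contains `setHTML()` and `Document.parseHTML()`, and it contradicts the sentences added to the Unsafe entries saying a `sanitizer` member is used when present. It should name the methods it covers, for example `setHTMLUnsafe() and parseHTMLUnsafe() only remove what a supplied "sanitizer" tells them to; without one they perform no sanitization`. The description added just before the `Document.parseHTML` entry (`replaces the children of the element or shadow root with the result`) has no matching term and does not mention sanitization, so it looks like a leftover from the removed "Safe HTML parsing methods" block.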

      @@ -125155,33 +125187,6 @@ enum DOMParserSupportedType { - - -

      Safe HTML parsing methods

      - -
      -
      element.setHTML(html, options)
      -
      shadowRoot.setHTML(html, options)
      -
      -

      Parses html using the HTML parser with options options, and replaces - the children of the element or shadow root with the result, which is then sanitized.

      -
      - -
      doc = Document.parseHTML(html, options)
      -
      -

      Parses html using the HTML parser with options options, and returns a - new Document containing the result, which is then sanitized.

      -
      -
      - -
      - -
      -
      - -
      - -

      HTML serialization methods

      @@ -126290,9 +126295,7 @@ dictionary SanitizerConfig { -

      Processing model

      - - +

      The get() method @@ -126404,42 +126407,6 @@ dictionary SanitizerConfig {

      -
      -

      To compare sanitizer items itemA and itemB:

      - -
        -
      1. Let namespaceA be itemA["_namespace"].

        - -
      2. Let namespaceB be itemB["_namespace"].

        - -
      3. If namespaceA is null, then:

        -
          -
        1. If namespaceB is not null, then return true.

        2. -
        -
      4. - -
      5. -

        Otherwise:

        -
          -
        1. If namespaceB member is null, then return false.

        2. - -
        3. If namespaceA is code unit less than namespaceB, then - return true.

        4. - -
        5. If namespaceA is not namespaceB, then return false.

        6. -
        -
      6. - -
      7. If itemA["name"] is - code unit less than itemA["name"], return true.

      8. - -
      9. Return false.

      10. -
      -
      -

      The allowElement(element) method steps @@ -127525,6 +127492,43 @@ dictionary SanitizerConfig {

      + +
      +

      To compare sanitizer items itemA and itemB:

      + +
        +
      1. Let namespaceA be itemA["_namespace"].

        + +
      2. Let namespaceB be itemB["_namespace"].

        + +
      3. If namespaceA is null, then:

        +
          +
        1. If namespaceB is not null, then return true.

        2. +
        +
      4. + +
      5. +

        Otherwise:

        +
          +
        1. If namespaceB member is null, then return false.

        2. + +
        3. If namespaceA is code unit less than namespaceB, then + return true.

        4. + +
        5. If namespaceA is not namespaceB, then return false.

        6. +
        +
      6. + +
      7. If itemA["name"] is + code unit less than itemA["name"], return true.

      8. + +
      9. Return false.

      10. +
      +
      +

      To check if a list contains item:
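Review bot: The last comparison in the relocated "compare sanitizer items" algorithm tests `itemA["name"]` against `itemA["name"]`, which can never be code unit less than itself, so two items in the same namespace never compare as less. The second operand should be `itemB["name"]`. The move carries this over unchanged from the removed copy, and the Otherwise branch still has a stray word in `If namespaceB member is null`. Where the resulting order is consumed is outside this hunk.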

      @@ -128692,8 +128696,9 @@ dictionary SanitizerConfig { data-x="dom-SanitizerElementNamespace-namespace">_namespace
      : MathML namespace }

      +
      -

      Security Considerations

      +

      Security considerations

      @@ -128704,7 +128709,7 @@ dictionary SanitizerConfig { issues which the correct usage of the Sanitizer API will not be able to protect against and the scenarios will be laid out in the following sections. -
      Server-Side Reflected and Stored XSS
      +
      Server-side reflected and Ssored XSS
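Review bot: The renamed heading has a typo on the new side, "Server-side reflected and Ssored XSS"; it should read `Server-side reflected and stored XSS`. The sibling headings changed in the neighbouring hunks ("Security considerations", "XSS with script gadgets") are spelled correctly, so only this one needs a follow-up.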
      @@ -128721,7 +128726,7 @@ dictionary SanitizerConfig { the DOM are overshadowed by the malicious content. The Sanitizer API does not protect DOM clobbering attacks in its default state, but can be configured to remove id and name attributes. -
      XSS with Script gadgets
      +
      XSS with script gadgets
      Script gadgets are a technique in which an attacker uses existing application code from popular JavaScript libraries to cause their own code to execute. This is often done by injecting From c65636d00dd0f983ce4df27a632717ac688b36f4 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Wed, 29 Apr 2026 10:02:31 +0100 Subject: [PATCH 33/35] Reduce intro --- source | 97 +++++++++++++++++++++++----------------------------------- 1 file changed, 38 insertions(+), 59 deletions(-) diff --git a/source b/source index 9220242e756..e5f6900c72a 100644 --- a/source +++ b/source @@ -124987,8 +124987,9 @@ enum DOMParserSupportedType {

      Parses html using the HTML parser with options options, and replaces the children of element with the result. element provides context for the - HTML parser. If the options dictionary contains a "sanitizer" member, - it is used to sanitize the parsed fragment before it is inserted into element.

      + HTML parser. If the options dictionary contains a "sanitizer" member, it is used to + sanitize the parsed fragment before it is inserted into element.

      shadowRoot.setHTMLUnsafe(html, options)
      @@ -124996,8 +124997,10 @@ enum DOMParserSupportedType {

      Parses html using the HTML parser with options options, and replaces the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser. If the options dictionary contains a "sanitizer" member, - it is used to sanitize the parsed fragment before it is inserted into shadowRoot.

      + data-x="concept-DocumentFragment-host">host provides context for the HTML parser. If the + options dictionary contains a "sanitizer" member, it is used to + sanitize the parsed fragment before it is inserted into shadowRoot.

      element.setHTML(html, options)
      @@ -125005,7 +125008,9 @@ enum DOMParserSupportedType {

      Parses html using the HTML parser with options options, and replaces the children of element with the result. element provides context for the - HTML parser. The parsed fragment is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

      + HTML parser. The parsed fragment is sanitized based on the + options's "sanitizer" member, and + unsafe content is removed.

      shadowRoot.setHTML(html, options)
      @@ -125013,7 +125018,10 @@ enum DOMParserSupportedType {

      Parses html using the HTML parser with options options, and replaces the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser. The parsed fragment is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

      + data-x="concept-DocumentFragment-host">host provides context for the HTML parser. The + parsed fragment is sanitized based on the options's + "sanitizer" member, and unsafe content is removed.

      doc = Document.parseHTMLUnsafe(html, options)
      @@ -125025,8 +125033,9 @@ enum DOMParserSupportedType {

      Note that script elements are not evaluated during parsing, and the resulting document's encoding will always be UTF-8. The document's URL will be - about:blank. If the options dictionary contains a "sanitizer" member, - it is used to sanitize the resulting DOM.

      + about:blank. If the options dictionary contains a "sanitizer" member, it is used to + sanitize the resulting DOM.

      @@ -125037,14 +125046,16 @@ enum DOMParserSupportedType {
      doc = Document.parseHTML(html, options)

      Parses html using the HTML parser with options options, and returns a - new Document containing the result. The resulting document is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

      + new Document containing the result. The resulting document is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

      - - -

      These methods perform no sanitization to remove potentially-dangerous elements - and attributes like script or event handler content attributes.

      +

      The methods with an Unsafe suffix perform no + sanitization to remove potentially-dangerous elements and attributes like script or + event handler content attributes.
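Review bot: The rewritten note says the methods with an Unsafe suffix "perform no sanitization", but the method descriptions earlier in this patch say that a "sanitizer" member in options is used to sanitize the parsed fragment or resulting DOM. A reader can take the note to mean the sanitizer option is ignored on these methods, or miss that nothing is removed when it is absent. Suggest wording such as `The methods with an Unsafe suffix perform no sanitization by default; script elements and event handler content attributes are kept unless the supplied sanitizer removes them.`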

      @@ -125744,58 +125755,26 @@ interface XMLSerializer { -

      Web applications often need to work with strings of HTML on the client side, perhaps as part of - a client-side templating solution, or perhaps as part of rendering user-generated content. It is - difficult to do so in a safe way. The naive approach of joining strings together and stuffing them - into an element's innerHTML is fraught with risk, as - it can cause script execution in a number of unexpected ways.

      - -

      Libraries like DOMPurify attempt to manage this problem by carefully parsing and - sanitizing strings before insertion, by constructing a DOM and filtering its members through an - allow-list. This has proven to be a fragile approach, as the parsing APIs exposed to the web don't - always map in reasonable ways to the browser's behavior when actually rendering a string as HTML - in the "real" DOM. Moreover, the libraries need to keep on top of browsers' changing behavior over - time; things that once were safe may turn into time-bombs based on new platform-level - features.

      +

      Web applications often need to process untrusted HTML strings, such as when rendering + user-generated content or using client-side templates. Safely inserting these strings into the DOM + requires careful sanitization to prevent DOM-based cross-site scripting (XSS) attacks.

      -

      The browser has a fairly good idea of when it is going to execute code. We can improve upon - user-space libraries by teaching the browser how to render HTML from an arbitrary string in a safe - manner, and do so in a way that is much more likely to be maintained and updated along with the - browser's own changing parser implementation. The APIs in this section aim to do just that.

      - -

      The goals of these APIs are:

      - -
        -
      • Mitigate the risk of DOM-based cross-site scripting attacks by providing developers with - mechanisms for handling user-controlled HTML which prevent direct script execution upon - injection.

      • - -
      • Make HTML output safe for use within the current user agent, taking into account its - current understanding of HTML.

      • - -
      • Allow developers to override the default set of elements and attributes. Adding certain - elements and attributes can prevent script - gadget attacks.

      • -
      +

      HTML sanitization provides a native mechanism for safely parsing and sanitizing HTML strings. + By using the user agent's own HTML parser, they ensure the sanitized output accurately reflects + how the browser will render the content, preventing script execution and mitigating advanced + attacks such as script + gadgets.

      These APIs offer functionality to parse a string containing HTML into a DOM tree, and to filter the resulting tree according to a user-supplied configuration. The methods come in two main flavors:

      -
      -
      Safe and unsafe
      -

      The "safe" methods will not generate any markup that executes script. That is, they are - intended to be safe from XSS. The "unsafe" methods will parse and filter based on the provided - configuration, but do not have the same safety guarantees by default.

      - -
      Context
      -

      Methods are defined on Element and ShadowRoot and will replace - these node's children, and are largely analogous to innerHTML. There are also static methods on the - Document, which parse an entire document and are largely analogous to parseFromString().

      -
      +
      Safe and unsafe
      + + The "safe" methods will not generate any markup that executes script. That is, they are intended + to be safe from XSS. The "unsafe" methods will parse and filter based on the provided + configuration, but do not have the same safety guarantees by default.

      The Sanitizer interface
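Review bot: The new introduction claims more than the Security considerations section in this same series supports. It describes the mechanism as "preventing script execution and mitigating advanced attacks such as script gadgets", while "XSS with script gadgets" appears there among the issues that correct use of the API cannot protect against. The removed bullet was narrower (developers can adjust the allowed elements and attributes, which can prevent script gadget attacks), and the "unsafe" methods described just below do not have the same guarantees by default. Suggest scoping the sentence to the safe methods and to configuration, e.g. `so the safe methods prevent script execution on insertion, and a stricter configuration can help mitigate script gadgets`. The sentence also switches subject from "HTML sanitization" to "they"; `it ensures` would read correctly.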

      From 798a8688e47b814e8536c9634d84fa5188201b0c Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Wed, 29 Apr 2026 10:29:14 +0100 Subject: [PATCH 34/35] Refer to event handlers table --- source | 125 +++++++++------------------------------------------------ 1 file changed, 19 insertions(+), 106 deletions(-) diff --git a/source b/source index e5f6900c72a..6b7e17fad1e 100644 --- a/source +++ b/source @@ -128000,99 +128000,9 @@ dictionary SanitizerConfig {
      SVG
      -

      and the following removeAttributes - list:

      - -
        -
      • onafterprint
      • -
      • onauxclick
      • -
      • onbeforeinput
      • -
      • onbeforematch
      • -
      • onbeforeprint
      • -
      • onbeforeunload
      • -
      • onbeforetoggle
      • -
      • onblur
      • -
      • oncancel
      • -
      • oncanplay
      • -
      • oncanplaythrough
      • -
      • onchange
      • -
      • onclick
      • -
      • onclose
      • -
      • oncontextlost
      • -
      • oncontextmenu
      • -
      • oncontextrestored
      • -
      • oncopy
      • -
      • oncuechange
      • -
      • oncut
      • -
      • ondblclick
      • -
      • ondrag
      • -
      • ondragend
      • -
      • ondragenter
      • -
      • ondragleave
      • -
      • ondragover
      • -
      • ondragstart
      • -
      • ondrop
      • -
      • ondurationchange
      • -
      • onemptied
      • -
      • onended
      • -
      • onerror
      • -
      • onfocus
      • -
      • onformdata
      • -
      • onhashchange
      • -
      • oninput
      • -
      • oninvalid
      • -
      • onkeydown
      • -
      • onkeypress
      • -
      • onkeyup
      • -
      • onlanguagechange
      • -
      • onload
      • -
      • onloadeddata
      • -
      • onloadedmetadata
      • -
      • onloadstart
      • -
      • onmessage
      • -
      • onmessageerror
      • -
      • onmousedown
      • -
      • onmouseenter
      • -
      • onmouseleave
      • -
      • onmousemove
      • -
      • onmouseout
      • -
      • onmouseover
      • -
      • onmouseup
      • -
      • onoffline
      • -
      • ononline
      • -
      • onpagehide
      • -
      • onpagereveal
      • -
      • onpageshow
      • -
      • onpageswap
      • -
      • onpaste
      • -
      • onpause
      • -
      • onplay
      • -
      • onplaying
      • -
      • onpopstate
      • -
      • onprogress
      • -
      • onratechange
      • -
      • onreset
      • -
      • onresize
      • -
      • onrejectionhandled
      • -
      • onscroll
      • -
      • onscrollend
      • -
      • onsecuritypolicyviolation
      • -
      • onseeked
      • -
      • onseeking
      • -
      • onselect
      • -
      • onslotchange
      • -
      • onstalled
      • -
      • onstorage
      • -
      • onsubmit
      • -
      • onsuspend
      • -
      • ontimeupdate
      • -
      • ontoggle
      • -
      • onunhandledrejection
      • -
      • onunload
      • -
      • onvolumechange
      • -
      • onwaiting
      • -
      • onwheel
      • -
      +

      and is removeAttributes list + corresponding to the event handler content attributes listed in this table.

      The built-in safe default configuration is a SanitizerConfig with its elements list corresponding to the following @@ -128662,19 +128572,22 @@ dictionary SanitizerConfig { replaced with their children, as doing so can lead to re-parsing issues or an invalid node tree. It is the following list of SanitizerElementNamespace dictionaries:
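Review bot: The replacement sentence reads "and is removeAttributes list corresponding to the event handler content attributes listed in this table", where "is" should be "its": `and its removeAttributes list corresponding to the event handler content attributes listed in this table`. Separately, swapping the explicit list of on* attributes for a pointer to a table makes the default removal set only as complete as that table. It is worth stating whether the reference is normative and whether event handler content attributes defined outside that table (if there are any) are meant to be covered.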

      -
        -
      • { name: "html", _namespace: HTML namespace - }

      • - -
      • { name: "svg", _namespace: SVG namespace - }

      • - -
      • { name: "math", _namespace: MathML namespace - }

      • -
      + + + + + + + +
      Element + Element Namespace +
      html + HTML +
      svg + SVG +
      math + MathML +

      Security considerations

      From 43519ba53ad4fc3d0d03d5f02091f026e4109f15 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Thu, 30 Apr 2026 13:15:56 +0100 Subject: [PATCH 35/35] Explode sanitization constants into elements for HTML --- source | 759 +++++++++++++++++++++------------------------------------ 1 file changed, 277 insertions(+), 482 deletions(-) diff --git a/source b/source index 6b7e17fad1e..700ce494820 100644 --- a/source +++ b/source @@ -16036,7 +16036,7 @@ interface DOMStringMap { data-x="concept-element-accessibility-considerations">Accessibility considerations:
      For authors.
      For implementers.
      -
      DOM interface:
      +
      DOM interface:
      [Exposed=Window]
       interface HTMLHtmlElement : HTMLElement {
      @@ -16260,7 +16260,8 @@ interface HTMLTitleElement : HTMLElement {
          data-x="concept-element-accessibility-considerations">Accessibility considerations:
          
      For authors.
      For implementers.
      -
      DOM interface:
      +
      Navigating URL attributes: href.
      +
      DOM interface:
      [Exposed=Window]
       interface HTMLBaseElement : HTMLElement {
      @@ -16485,7 +16486,7 @@ interface HTMLBaseElement : HTMLElement {
          data-x="concept-element-accessibility-considerations">Accessibility considerations:
          
      For authors.
      For implementers.
      -
      DOM interface:
      +
      DOM interface:
      [Exposed=Window]
       interface HTMLLinkElement : HTMLElement {
      @@ -18923,7 +18924,7 @@ people expect to have work and what is necessary.
          data-x="concept-element-accessibility-considerations">Accessibility considerations:
          
      For authors.
      For implementers.
      -
      DOM interface:
      +
      DOM interface:
      [Exposed=Window]
       interface HTMLStyleElement : HTMLElement {
      @@ -19455,7 +19456,9 @@ interface HTMLBodyElement : HTMLElement {
          data-x="concept-element-accessibility-considerations">Accessibility considerations:
          
      For authors.
      For implementers.
      -
      DOM interface:
      +
      Safe sanitization:
      +
      Included by default.
      +
      DOM interface:
      Uses HTMLElement.
    @@ -19602,7 +19605,9 @@ interface HTMLBodyElement : HTMLElement { data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -19764,7 +19769,9 @@ interface HTMLBodyElement : HTMLElement { data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -19945,7 +19952,9 @@ interface HTMLBodyElement : HTMLElement { data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -20098,7 +20107,9 @@ isn't his only passion. He also enjoys other pleasures.</p> data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLHeadingElement : HTMLElement {
    @@ -20178,7 +20189,9 @@ interface HTMLHeadingElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -20222,7 +20235,9 @@ interface HTMLHeadingElement : HTMLElement {
    Otherwise: for authors; for implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -20317,7 +20332,9 @@ interface HTMLHeadingElement : HTMLElement {
    Otherwise: for authors; for implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -20468,7 +20485,9 @@ interface HTMLHeadingElement : HTMLElement { data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -21131,7 +21150,9 @@ interface HTMLHeadingElement : HTMLElement { data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLParagraphElement : HTMLElement {
    @@ -21280,7 +21301,9 @@ and is further discussed below.</div>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLHRElement : HTMLElement {
    @@ -21392,7 +21415,9 @@ of Gralmond's winters.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLPreElement : HTMLElement {
    @@ -21509,7 +21534,10 @@ a friend lost to the
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: cite.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLQuoteElement : HTMLElement {
    @@ -21697,7 +21725,11 @@ be cowed by the possibility.</blockquote>
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: reversed, start, type.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLOListElement : HTMLElement {
    @@ -21886,7 +21918,9 @@ I first lived there):</p>
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLUListElement : HTMLElement {
    @@ -22004,7 +22038,10 @@ interface HTMLMenuElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: value.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLLIElement : HTMLElement {
    @@ -22184,7 +22221,9 @@ interface HTMLLIElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLDListElement : HTMLElement {
    @@ -22468,7 +22507,9 @@ first matching case):</p>
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -22516,7 +22557,9 @@ first matching case):</p> data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -22561,7 +22604,9 @@ first matching case):</p> data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -22752,7 +22797,9 @@ included with Exhibit B. data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -22792,7 +22839,9 @@ included with Exhibit B. data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -22897,7 +22946,9 @@ included with Exhibit B.
    Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -23019,7 +23070,9 @@ included with Exhibit B. data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLDivElement : HTMLElement {
    @@ -23107,7 +23160,15 @@ interface HTMLDivElement : HTMLElement {
        
    Otherwise: for authors; for implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: href, hreflang, type.
    +
    Navigating URL attributes: href, + hreflang, type.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLAnchorElement : HTMLElement {
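Review bot: The added "Navigating URL attributes" entry for the a element lists href, hreflang and type, which duplicates the "Safe sanitization" attribute list directly above it; of the three, only href holds a URL that can be navigated. If this entry feeds the check that strips javascript: URLs from navigating attributes (not visible in this hunk), the extra names are probably harmless but they misdocument what that check covers. Suggest `Navigating URL attributes: href.`, matching the base element entry added earlier in this patch.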
    @@ -23290,7 +23351,9 @@ document.querySelector("table").onclick = ({ target }) => {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -23383,7 +23446,9 @@ document.querySelector("table").onclick = ({ target }) => { data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -23478,7 +23543,9 @@ ten meters.</strong></strong> You have been warned.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -23570,7 +23637,9 @@ merger with Demo Group.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -23609,7 +23678,9 @@ merger with Demo Group.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -23732,7 +23803,9 @@ gossip column, maybe!</q>.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLQuoteElement.
    @@ -23832,7 +23905,9 @@ resulting from the campaign's mismanagement.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -23906,7 +23981,9 @@ and so Hammond ordered the iris to be opened.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -24033,7 +24110,9 @@ this specification: the <abbr>WHATWG</abbr> and the data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -24538,7 +24617,9 @@ this specification: the <abbr>WHATWG</abbr> and the data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -24570,7 +24651,9 @@ this specification: the <abbr>WHATWG</abbr> and the data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -24638,7 +24721,10 @@ this specification: the <abbr>WHATWG</abbr> and the data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: value.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLDataElement : HTMLElement {
    @@ -24714,7 +24800,10 @@ interface HTMLDataElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: datetime.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTimeElement : HTMLElement {
    @@ -25051,7 +25140,9 @@ interface HTMLTimeElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25116,7 +25207,9 @@ end.</code></pre>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25190,7 +25283,9 @@ looked pleased.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25255,7 +25350,9 @@ Linux demo 2.6.10-grsec+gg3+e+fhs6b+nfs+gr0501+++p3+c4a+gr2b-reslog-v6.189 #1 SM data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25316,7 +25413,9 @@ Linux demo 2.6.10-grsec+gg3+e+fhs6b+nfs+gr0501+++p3+c4a+gr2b-reslog-v6.189 #1 SM
    The sup element: for authors; for implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Use HTMLElement.
    @@ -25380,7 +25479,9 @@ For example, the 10th point has coordinate data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25442,7 +25543,9 @@ her—</i></p> data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25532,7 +25635,9 @@ brighter. A <b>rat</b> scurries past the corner wall.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25580,7 +25685,9 @@ brighter. A <b>rat</b> scurries past the corner wall.</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25732,7 +25839,9 @@ wormhole connection.</mark></p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25797,7 +25906,9 @@ wormhole connection.</mark></p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -25838,7 +25949,9 @@ wormhole connection.</mark></p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLSpanElement : HTMLElement {
    @@ -25888,7 +26001,9 @@ interface HTMLSpanElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLBRElement : HTMLElement {
    @@ -25973,7 +26088,9 @@ Sydney</p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -30213,7 +30330,10 @@ document.body.appendChild(wbr);
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: cite, datetime.
    +
    DOM interface:
    Uses HTMLModElement.
    @@ -30302,7 +30422,10 @@ document.body.appendChild(wbr);
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: cite, datetime.
    +
    DOM interface:
    Uses HTMLModElement.
    @@ -30558,7 +30681,7 @@ interface HTMLModElement : HTMLElement {
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLPictureElement : HTMLElement {
    @@ -30607,7 +30730,7 @@ interface HTMLPictureElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLSourceElement : HTMLElement {
    @@ -30933,7 +31056,7 @@ interface HTMLSourceElement : HTMLElement {
        
    Otherwise: for authors; for implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window,
      LegacyFactoryFunction=Image(optional unsigned long width, optional unsigned long height)]
    @@ -36010,7 +36133,9 @@ interface HTMLIFrameElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Removed.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLEmbedElement : HTMLElement {
    @@ -36292,7 +36417,9 @@ interface HTMLEmbedElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Removed.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLObjectElement : HTMLElement {
    @@ -37495,7 +37622,7 @@ interface HTMLAudioElement : HTMLMediaElement
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTrackElement : HTMLElement {
    @@ -44278,7 +44405,7 @@ dictionary TrackEventInit : EventInit {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLMapElement : HTMLElement {
    @@ -44386,7 +44513,9 @@ interface HTMLMapElement : HTMLElement {
        
    Otherwise: for authors; for implementers.
    -
    DOM interface:
    +
    Navigating URL attributes: href.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLAreaElement : HTMLElement {
    @@ -45022,7 +45151,9 @@ interface HTMLAreaElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTableElement : HTMLElement {
    @@ -45704,7 +45835,9 @@ side in the right column.</p>
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTableCaptionElement : HTMLElement {
    @@ -45801,7 +45934,10 @@ the cell that corresponds to the values of the two dice.
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: span.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTableColElement : HTMLElement {
    @@ -45851,7 +45987,10 @@ interface HTMLTableColElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: span.
    +
    DOM interface:
    Uses HTMLTableColElement, as defined for colgroup elements.
    @@ -45891,7 +46030,9 @@ interface HTMLTableColElement : HTMLElement {
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTableSectionElement : HTMLElement {
    @@ -46031,7 +46172,9 @@ interface HTMLTableSectionElement : HTMLElementAccessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLTableSectionElement, as defined for tbody elements.
    @@ -46103,7 +46246,9 @@ interface HTMLTableSectionElement : HTMLElementAccessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLTableSectionElement, as defined for tbody elements.
    @@ -46141,7 +46286,9 @@ interface HTMLTableSectionElement : HTMLElementAccessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTableRowElement : HTMLElement {
    @@ -46319,7 +46466,11 @@ interface HTMLTableRowElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: colspan, headers, + rowspan.
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTableCellElement : HTMLElement {
    @@ -46422,7 +46573,12 @@ interface HTMLTableCellElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default. Attributes: abbr, colspan, headers, rowspan, scope.
    +
    DOM interface:
    Uses HTMLTableCellElement, as defined for td elements.
    @@ -48375,7 +48531,9 @@ interface HTMLTableCellElement : HTMLElement {
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Navigating URL attributes: action.
    +
    DOM interface:
    [Exposed=Window,
      LegacyOverrideBuiltIns,
    @@ -48838,7 +48996,7 @@ interface HTMLFormElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLLabelElement : HTMLElement {
    @@ -56699,7 +56857,7 @@ interface HTMLButtonElement : HTMLElement {
        
    Otherwise: for authors; for implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLSelectElement : HTMLElement {
    @@ -57530,7 +57688,7 @@ interface HTMLSelectElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLDataListElement : HTMLElement {
    @@ -57640,7 +57798,7 @@ interface HTMLDataListElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLOptGroupElement : HTMLElement {
    @@ -57765,7 +57923,7 @@ interface HTMLOptGroupElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window,
      LegacyFactoryFunction=Option(optional DOMString text = "", optional DOMString value, optional boolean defaultSelected = false, optional boolean selected = false)]
    @@ -58273,7 +58431,7 @@ interface HTMLOptionElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLTextAreaElement : HTMLElement {
    @@ -58794,7 +58952,7 @@ Daddy"></textarea>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLOutputElement : HTMLElement {
    @@ -58998,7 +59156,7 @@ interface HTMLOutputElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLProgressElement : HTMLElement {
    @@ -59182,7 +59340,7 @@ interface HTMLProgressElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLMeterElement : HTMLElement {
    @@ -59568,7 +59726,7 @@ out of 233 257 824 bytes available</meter></p>
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLFieldSetElement : HTMLElement {
    @@ -59777,7 +59935,7 @@ interface HTMLFieldSetElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLLegendElement : HTMLElement {
    @@ -59830,7 +59988,7 @@ interface HTMLLegendElement : HTMLElement {
        
    Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLSelectedContentElement : HTMLElement {
    @@ -64817,7 +64975,7 @@ dictionary FormDataEventInit : EventInit {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLDetailsElement : HTMLElement {
    @@ -65243,7 +65401,9 @@ interface HTMLDetailsElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    Safe sanitization:
    +
    Included by default.
    +
    DOM interface:
    Uses HTMLElement.
    @@ -65646,7 +65806,7 @@ interface HTMLDetailsElement : HTMLElement {
    data-x="concept-element-accessibility-considerations">Accessibility considerations:
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLDialogElement : HTMLElement {
    @@ -66735,7 +66895,7 @@ interface HTMLDialogElement : HTMLElement {
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    [Exposed=Window]
     interface HTMLScriptElement : HTMLElement {
    @@ -68501,7 +68661,7 @@ not-slash     = %x0000-002E / %x0030-10FFFF
        data-x="concept-element-accessibility-considerations">Accessibility considerations:
        
    For authors.
    For implementers.
    -
    DOM interface:
    +
    DOM interface:
    Uses HTMLElement.
    @@ -127967,46 +128127,25 @@ dictionary SanitizerConfig {

    Sanitization constants

    -

    The built-in safe baseline configuration is a SanitizerConfig with its - removeElements corresponding to the - following table:

    - - - - - - - - - - - - -
    Name - Namespace -
    embed - HTML -
    frame - HTML -
    iframe - HTML -
    object - HTML -
    script - HTML -
    script - SVG -
    use - SVG -
    - -

    and is removeAttributes list - corresponding to the event handler content attributes listed in this table. - -

    The built-in safe default configuration is a SanitizerConfig with its - elements list corresponding to the following - table:

    +

    When specified, the safe sanitization criteria + for each element defines whether the element is removed or + Included by default when performing safe + sanitization. When unspecified, the element is not included by default, but can still be added by + a SanitizerConfig

    + +

    The built-in safe baseline configuration is a SanitizerConfig. Its + removeElements list consists of all HTML + elements normatively marked as Removed within their + individual definitions, along with the script and use + SVG elements. Its removeAttributes list + corresponds to the event handler content attributes listed in this table.

    + +

    The built-in safe default configuration is a SanitizerConfig. Its elements list consists of all HTML elements + normatively marked as Included by default + within their individual definitions, alongside the MathML and SVG elements listed in the table + below:
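Review bot: The new definition of the built-in safe baseline configuration appears to drop entries that the deleted table listed explicitly: removeElements is now "all HTML elements normatively marked as Removed", but among the hunks shown only the embed and object definitions gain `Safe sanitization: Removed.` The script element's hunk (`@@ -66735,7 +66895,7 @@`) adds no such entry, no hunk touches the iframe definition that sits between the img and embed hunks, and frame is not annotated anywhere in view. Unless a later patch in the series adds those markings, HTML script, iframe and frame would fall out of the baseline's removeElements list, so I would keep them named in the sentence until every definition is annotated, e.g. `along with the HTML script, iframe and frame elements and the SVG script and use elements`. The rewrite of the navigating URL attributes list in the `@@ -128497,53 +128335,10 @@` hunk has the same shape of gap: only area (`href`) and form (`action`) are annotated in the hunks shown, while the deleted table also listed `formaction` on button and input.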

    @@ -128015,307 +128154,6 @@ dictionary SanitizerConfig { - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Namespace Allowed Attributes
    a - HTML - href, hreflang, type -
    abbr - HTML - -
    address - HTML - -
    article - HTML - -
    aside - HTML - -
    b - HTML - -
    bdi - HTML - -
    bdo - HTML - -
    blockquote - HTML - cite - -
    body - HTML - -
    br - HTML - -
    caption - HTML - -
    cite - HTML - -
    code - HTML - -
    col - HTML - span -
    colgroup - HTML - span -
    data - HTML - value -
    dd - HTML - -
    del - HTML - cite, datetime -
    dfn - HTML - -
    div - HTML - -
    dl - HTML - -
    dt - HTML - -
    em - HTML - -
    figcaption - HTML - -
    figure - HTML - -
    footer - HTML - -
    h1 - HTML - -
    h2 - HTML - -
    h3 - HTML - -
    h4 - HTML - -
    h5 - HTML - -
    h6 - HTML - -
    head - HTML - -
    header - HTML - -
    hgroup - HTML - -
    hr - HTML - -
    html - HTML - -
    i - HTML - -
    ins - HTML - cite, datetime -
    kbd - HTML - -
    li - HTML - value -
    main - HTML - -
    mark - HTML - -
    menu - HTML - -
    nav - HTML - -
    ol - HTML - reversed, start, type -
    p - HTML - -
    pre - HTML - -
    q - HTML - -
    rp - HTML - -
    rt - HTML - -
    ruby - HTML - -
    s - HTML - -
    samp - HTML - -
    search - HTML - -
    section - HTML - -
    small - HTML - -
    span - HTML - -
    strong - HTML - -
    sub - HTML - -
    sup - HTML - -
    table - HTML - -
    tbody - HTML - -
    td - HTML - colspan, headers, rowspan -
    tfoot - HTML - -
    th - HTML - abbr, colspan, headers, rowspan, scope -
    thead - HTML - -
    time - HTML - datetime -
    title - HTML - -
    tr - HTML - -
    u - HTML - -
    ul - HTML - -
    var - HTML - -
    wbr - HTML -
    math MathML
    @@ -128497,53 +128335,10 @@ dictionary SanitizerConfig {
    dx, dy, lengthAdjust, rotate, textLength, x, y
    -

    The built-in navigating URL attributes list corresponds to the following table:

    - - - - - - - - - - - - -
    Element - Element Namespace - Attribute - Attribute Namespace -
    a - HTML - href, hreflang, type - -
    area - HTML - href - -
    base - HTML - href - -
    button - HTML - formaction - -
    form - HTML - action - -
    input - HTML - formaction - -
    a - SVG - href - XLink namespace -
    - +

    The built-in navigating URL attributes list corresponds to all HTML elements + marked with Navigating URL attributes in their normative definitions, as well as the + SVG a element with the href attribute.

    The built-in animating URL attributes list corrsponds to the following table: