Latest specification is a work in progress

Leading browser vendors are putting the finishing touches to a set of APIs that make it easier for developers to protect their web applications against cross-site scripting (XSS) attacks.

Many websites rely on dynamically generated content in the browser. Often, the generated markup includes content provided by outside sources, such as user-provided input, which can include malicious JavaScript code.

Sanitizing dynamic markup and making sure it does not contain harmful code is one of the most serious challenges of web security. Currently, web developers rely on third-party libraries such as DOMPurify to sanitize HTML content and prevent XSS attacks.

The Sanitizer API, which was first proposed earlier this year in a draft specification, will give browsers native support to remove harmful code from markup that is dynamically added to web pages. The API is being jointly developed by Google, Mozilla, and Cure53, the maintainer of the DOMPurify library.

“The new Sanitizer API proposal is the first step towards a standardized API for a common task that many frontend libraries (e.g., React, Vue) or sanitizers (e.g., DOMPurify, sanitize-html) already perform when developers need to explicitly render unsafe HTML where they want to,” Lorenzo Stella, application security engineer at Doyensec, told The Daily Swig.

Stella says that delegating sanitization to the browser makes it more accessible, secure, and hopefully faster. “The browser already has a good and safe parser, and knows best how it will treat each active element in the DOM. An external parser written in JS has overhead and is likely to be worse and outdated compared to the browser,” he said.

The Sanitizer API is still in test mode and available in Firefox Nightly and Chrome 94+ through special flag settings.