Skip to content

Don't allow replaceWithChildrenElements for <html> #367

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
evilpie wants to merge 6 commits into
base: main
Choose a base branch
from
+80 −60
Draft

Don't allow replaceWithChildrenElements for <html> #367

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1e5b94d
Rewrite [=SanitizerConfig/valid=] as algorithm, instead of a set of c…
otherdaniel Nov 24, 2025
1f6f6d4
Review feedback.
otherdaniel Nov 25, 2025
60f5e73
Review feedback
otherdaniel Nov 25, 2025
a3be757
Uniformly use ["{{...}}"] form to index using spec-defined constants.
otherdaniel Dec 3, 2025
28deb1f
Review feedback.
otherdaniel Dec 4, 2025
ed23db3
Don't allow replaceWithChildrenElements for html
evilpie Dec 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
140 changes: 80 additions & 60 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -404,10 +404,10 @@ allow- or remove-lists for attributes. This requires that we distinguish 4 cases
1. Return true.
1. [=Comment=]: This is the case with a global allow-list that already contains |element|.
1. Let |current element| be the |item| in |configuration|["{{SanitizerConfig/elements}}"]
where |item|[{{SanitizerElementNamespace/name}}] [=string/is|equals=]
|element|[{{SanitizerElementNamespace/name}}]
and |item|[{{SanitizerElementNamespace/namespace}}] [=string/is|equals=]
|element|[{{SanitizerElementNamespace/namespace}}].
where |item|["{{SanitizerElementNamespace/name}}"] [=string/is|equals=]
|element|["{{SanitizerElementNamespace/name}}"]
and |item|["{{SanitizerElementNamespace/namespace}}"] [=string/is|equals=]
|element|["{{SanitizerElementNamespace/namespace}}"].
1. If |element| [=map/equals=] |current element| then return |modified|.
1. [=SanitizerConfig/Remove=] |element| from |configuration|["{{SanitizerConfig/elements}}"].
1. [=list/Append=] |element| to |configuration|["{{SanitizerConfig/elements}}"]
Expand Down Expand Up @@ -519,9 +519,9 @@ The <dfn for="Sanitizer" method export>setDataAttributes(|allow|)</dfn> method s
where |attr| is a [=custom data attribute=].
1. If |configuration|["{{SanitizerConfig/elements}}"] [=map/exists=]:
1. [=list/iterate|For each=] |element| in |configuration|["{{SanitizerConfig/elements}}"]:
1. If |element|[{{SanitizerElementNamespaceWithAttributes/attributes}}] [=map/exists=]:
1. If |element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"] [=map/exists=]:
1. [=list/Remove=] any items |attr| from
|element|[{{SanitizerElementNamespaceWithAttributes/attributes}}]
|element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"]
where |attr| is a [=custom data attribute=].
1. Set |configuration|["{{SanitizerConfig/dataAttributes}}"] to |allow|.
1. Return true.
Expand Down Expand Up @@ -719,63 +719,83 @@ Putting these rules in words:
* {{SanitizerConfig/dataAttributes}} must be absent.

<div algorithm>
A {{SanitizerConfig}} |config| is <dfn for=SanitizerConfig>valid</dfn> if all of the following
conditions hold:
To determine whether a {{SanitizerConfig}} |config| is <dfn for=SanitizerConfig>valid</dfn>:

1. The |config| has either an {{SanitizerConfig/elements}} or a {{SanitizerConfig/removeElements}}
[=map/key=], but not both.
1. The |config| has either an {{SanitizerConfig/attributes}} or a {{SanitizerConfig/removeAttributes}}
[=map/key=], but not both.
1. If the exclusive or of |config|["{{SanitizerConfig/elements}}"] [=map/exists=] and
|config|["{{SanitizerConfig/removeElements}}"] [=map/exists=] is false, then return false.
1. If the exclusive or of |config|["{{SanitizerConfig/attributes}}"] [=map/exists=] and
|config|["{{SanitizerConfig/removeAttributes}}"] [=map/exists=] is false, then return false.
1. [=Assert=]: All {{SanitizerElementNamespaceWithAttributes}}, {{SanitizerElementNamespace}}, and
{{SanitizerAttributeNamespace}} items in |config| are canonical, meaning they have been run
through [=canonicalize a sanitizer element=] or [=canonicalize a sanitizer attribute=],
as appropriate.
1. None of |config|[{{SanitizerConfig/elements}}], |config|[{{SanitizerConfig/removeElements}}],
|config|[{{SanitizerConfig/replaceWithChildrenElements}}],
|config|[{{SanitizerConfig/attributes}}], or
|config|[{{SanitizerConfig/removeAttributes}}], if they [=map/exist=],
[=SanitizerConfig/has duplicates=].
1. If both |config|[{{SanitizerConfig/elements}}] and
|config|[{{SanitizerConfig/replaceWithChildrenElements}}] [=map/exist=], then
the [=SanitizerConfig/intersection=] of |config|[{{SanitizerConfig/elements}}] and
|config|[{{SanitizerConfig/replaceWithChildrenElements}}] is [=list/empty=].
1. If both |config|[{{SanitizerConfig/removeElements}}] and
|config|[{{SanitizerConfig/replaceWithChildrenElements}}] [=map/exist=], then
the [=SanitizerConfig/intersection=] of |config|[{{SanitizerConfig/removeElements}}] and
|config|[{{SanitizerConfig/replaceWithChildrenElements}}] is [=list/empty=].
1. If |config|[{{SanitizerConfig/attributes}}] [=map/exists=]:
1. If |config|[{{SanitizerConfig/elements}}] [=map/exists=]:
1. [=list/iterate|For each=] |element| of |config|[{{SanitizerConfig/elements}}]:
1. Neither |element|[{{SanitizerElementNamespaceWithAttributes/attributes}}] nor
|element|[{{SanitizerElementNamespaceWithAttributes/removeAttributes}}], if they exist, [=SanitizerConfig/has duplicates=].
1. The [=set/intersection=] of |config|[{{SanitizerConfig/attributes}}] and
|element|[{{SanitizerElementNamespaceWithAttributes/attributes}}] [=with default=]
&laquo; &raquo; is [=list/empty=].
1. |element|[{{SanitizerElementNamespaceWithAttributes/removeAttributes}}]
[=with default=] &laquo; &raquo; is a
[=set/subset=] of |config|[{{SanitizerConfig/attributes}}].
1. If {{SanitizerConfig/dataAttributes}} [=map/exists=] and
{{SanitizerConfig/dataAttributes}} is true:
1. |element|[{{SanitizerElementNamespaceWithAttributes/attributes}}] does not
contain a [=custom data attribute=].
1. [=Assert=]: |config|[{{SanitizerConfig/dataAttributes}}] [=map/exists=].
1. If {{SanitizerConfig/dataAttributes}} is true:
1. |config|[{{SanitizerConfig/attributes}}] does not contain
a [=custom data attribute=].
1. If |config|[{{SanitizerConfig/removeAttributes}}] [=map/exists=]:
1. If |config|[{{SanitizerConfig/elements}}] [=map/exists=],
then [=list/iterate|for each=] |element| of |config|[{{SanitizerConfig/elements}}]:
1. Not both |element|[{{SanitizerElementNamespaceWithAttributes/attributes}}] and
|element|[{{SanitizerElementNamespaceWithAttributes/removeAttributes}}] [=map/exist=].
1. Neither |element|[{{SanitizerElementNamespaceWithAttributes/attributes}}] nor
|element|[{{SanitizerElementNamespaceWithAttributes/removeAttributes}}], if they exist, [=SanitizerConfig/has duplicates=].
1. The [=set/intersection=] of |config|[{{SanitizerConfig/removeAttributes}}] and
|element|[{{SanitizerElementNamespaceWithAttributes/attributes}}] [=with default=]
&laquo; &raquo; is [=list/empty=].
1. The [=set/intersection=] of |config|[{{SanitizerConfig/removeAttributes}}] and
|element|[{{SanitizerElementNamespaceWithAttributes/removeAttributes}}] [=with default=]
&laquo; &raquo; is [=list/empty=].
1. |config|[{{SanitizerConfig/dataAttributes}}] does not [=map/exist=].
1. If |config|["{{SanitizerConfig/elements}}"] [=map/exists=] and [=SanitizerConfig/has duplicates=],
then return false.
1. If |config|["{{SanitizerConfig/removeElements}}"] [=map/exists=] and
[=SanitizerConfig/has duplicates=], then return false.
1. If |config|["{{SanitizerConfig/replaceWithChildrenElements}}"] [=map/exists=] and
[=SanitizerConfig/has duplicates=], then return false.
1. If |config|["{{SanitizerConfig/attributes}}"] [=map/exists=] and
[=SanitizerConfig/has duplicates=], then return false.
1. If |config|["{{SanitizerConfig/removeAttributes}}"] [=map/exists=] and
[=SanitizerConfig/has duplicates=], then return false.
1. If |config|["{{SanitizerConfig/replaceWithChildrenElements}}"] [=map/exists=]:
1. If |config|["{{SanitizerConfig/elements}}"] [=map/exists=] and
the [=SanitizerConfig/intersection=] of |config|["{{SanitizerConfig/elements}}"] and
|config|["{{SanitizerConfig/replaceWithChildrenElements}}"] is not [=list/empty=], then return
false.
1. If |config|["{{SanitizerConfig/removeElements}}"] [=map/exists=], and
the [=SanitizerConfig/intersection=] of |config|["{{SanitizerConfig/removeElements}}"] and
|config|["{{SanitizerConfig/replaceWithChildrenElements}}"] is not [=list/empty=], then return
false.
1. [=list/iterate|For each=] |element| of |config|["{{SanitizerConfig/replaceWithChildrenElements}}"]:
1. If |element|["{{SanitizerElementNamespace/name}}"] [=string/is|equals=] "html" and
|element|["{{SanitizerElementNamespace/namespace}}"] [=string/is|equals=] [=HTML Namespace=],
then return false.

1. If |config|["{{SanitizerConfig/attributes}}"] [=map/exists=]:
1. If |config|["{{SanitizerConfig/dataAttributes}}"] does not [=map/exist=], return false.
1. If |config|["{{SanitizerConfig/elements}}"] [=map/exists=]:
1. [=list/iterate|For each=] |element| of |config|["{{SanitizerConfig/elements}}"]:
1. If |element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"] [=map/exists=]
and |element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"]
[=SanitizerConfig/has duplicates=], then return false.
1. If |element|["{{SanitizerElementNamespaceWithAttributes/removeAttributes}}"]
[=map/exists=] and
|element|["{{SanitizerElementNamespaceWithAttributes/removeAttributes}}"]
[=SanitizerConfig/has duplicates=], then return false.
1. If the [=set/intersection=] of |config|["{{SanitizerConfig/attributes}}"] and
|element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"] [=with default=]
&laquo; &raquo; is not [=list/empty=], then return false.
1. If |element|["{{SanitizerElementNamespaceWithAttributes/removeAttributes}}"]
[=with default=] &laquo; &raquo; is not a
[=set/subset=] of |config|["{{SanitizerConfig/attributes}}"], then return false.
1. If |config|["{{SanitizerConfig/dataAttributes}}"] is true and
|element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"]
contains a [=custom data attribute=], then return false.
1. If |config|["{{SanitizerConfig/dataAttributes}}"] is true and
|config|["{{SanitizerConfig/attributes}}"] contains a [=custom data attribute=], then
return false.
1. If |config|["{{SanitizerConfig/removeAttributes}}"] [=map/exists=]:
1. If |config|["{{SanitizerConfig/elements}}"] [=map/exists=],
then [=list/iterate|for each=] |element| of |config|["{{SanitizerConfig/elements}}"]:
1. If |element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"] [=map/exists=] and
|element|["{{SanitizerElementNamespaceWithAttributes/removeAttributes}}"] [=map/exists=],
then return false.
1. If |element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"] [=map/exist=]
and |element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"]
[=SanitizerConfig/has duplicates=], then return false.
1. If |element|["{{SanitizerElementNamespaceWithAttributes/removeAttributes}}"] [=map/exist=]
and |element|["{{SanitizerElementNamespaceWithAttributes/removeAttributes}}"]
[=SanitizerConfig/has duplicates=], then return false.
1. If the [=set/intersection=] of |config|["{{SanitizerConfig/removeAttributes}}"] and
|element|["{{SanitizerElementNamespaceWithAttributes/attributes}}"] [=with default=]
&laquo; &raquo; is not [=list/empty=], then return false.
1. If the [=set/intersection=] of |config|["{{SanitizerConfig/removeAttributes}}"] and
|element|["{{SanitizerElementNamespaceWithAttributes/removeAttributes}}"] [=with default=]
&laquo; &raquo; is not [=list/empty=], then return false.
1. If |config|["{{SanitizerConfig/dataAttributes}}"] [=map/exists=], then return false.
1. Return true.

</div>

Expand Down Expand Up @@ -1091,11 +1111,11 @@ Note: While this algorithm is called [=remove unsafe=], we use
1. [=Assert=]: |configuration| is [=SanitizerConfig/valid=].
1. Let |result| be false.
1. [=list/For each=] |element| in
[=built-in safe baseline configuration=][{{SanitizerConfig/removeElements}}]:
[=built-in safe baseline configuration=]["{{SanitizerConfig/removeElements}}"]:
1. Call [=Sanitizer/remove an element=] |element| from |configuration|.
1. If the call returned true, set |result| to true.
1. [=list/For each=] |attribute| in
[=built-in safe baseline configuration=][{{SanitizerConfig/removeAttributes}}]:
[=built-in safe baseline configuration=]["{{SanitizerConfig/removeAttributes}}"]:
1. Call [=Sanitizer/remove an attribute=] |attribute| from |configuration|.
1. If the call returned true, set |result| to true.
1. [=list/For each=] |attribute| listed in [=event handler content attributes=]:
Expand Down