I want to feel safe displaying user-generated HTML #58
aarongustafson
started this conversation in
Wants
Replies: 1 comment
-
It'd also be really helpful from a performance point of view since I wouldn't need to distribute a large library to do this, and I'm sure it could be made faster via browser code. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Many web applications allow untrusted users to upload HTML. They often do this using a rich text editor. Then, they show this HTML to other users. Email applications like Gmail are like this. However, displaying user-generated HTML is challenging from a security point of view. Sometimes you can sanitize it on the server. Sometimes you can sanitize it on the client using something like DOMPurify. However, no matter how you do it, it’s a hard problem.
It'd be great if browsers could do this for us since they know how to do it best.
https://webwewant.fyi/wants/5ee582f557f49af84b6bb374/
Beta Was this translation helpful? Give feedback.
All reactions