Open 0xedward opened 2 years ago
@0xedward does this mean that this polyfill does not work at all now if using Custom Elements? So this issue needs to be implemented before it can be used in projects using Custom Elements?
Hey @thernstig, it's been a while since I worked on this, so my memory might be a bit faulty. The polyfill basically converts the configuration dictionary in the HTML Sanitizer API spec to the equivalent configuration for DOMPurify, then uses DOMPurify to sanitize the input. The polyfill should work if your input has custom elements as long as DOMPurify can handle custom elements without them being specified in its config.
Here are some code pointers for what I mentioned:
https://github.com/mozilla/sanitizer-polyfill/blob/319b7a46d4f81fa0d6e483a622454855a9d5f228/src/sanitizer.js#L18-L20
https://github.com/mozilla/sanitizer-polyfill/blob/319b7a46d4f81fa0d6e483a622454855a9d5f228/src/sanitizer.js#L130-L161
> So this issue needs to be implemented before it can be used in projects using Custom Elements?
FWIW, I would not recommend using this polyfill in any kind of production setup. The Sanitizer API is still under heavy development and we're changing quite a few things (e.g., the config syntax in https://github.com/WICG/sanitizer-api/issues/181).
When the user sets `allowCustomElements` to `true` in sanitizer configuration, we want to allow list all custom elements.
When `allowCustomElements === false`, we want to remove all custom elements from `allowElements`.
When `allowCustomElements === true`, we want to check all elements in `allowElements` are part of https://wicg.github.io/sanitizer-api/#baseline-elements and keep all custom elements in `allowElements`. We can construct a regex from https://html.spec.whatwg.org/multipage/custom-elements.html#valid-custom-element-name to determine if an element is a custom element.
For example:
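The filtering described in this issue, sketched as an added example (not code from the issue or from sanitizer-polyfill). It assumes the `PotentialCustomElementName` grammar and reserved names from the linked HTML spec section (the definition in the current spec may differ), a constructed stand-in for the baseline list (`SAMPLE_BASELINE`), and hypothetical helper names `isCustomElementName` and `filterAllowElements`.

```javascript
// Added illustration; helper names and SAMPLE_BASELINE are assumptions.
// PCENChar from the PotentialCustomElementName production in the HTML spec.
const PCEN_CHAR =
  "[-._0-9a-z\\u00B7\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u037D" +
  "\\u037F-\\u1FFF\\u200C\\u200D\\u203F\\u2040\\u2070-\\u218F" +
  "\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD" +
  "\\u{10000}-\\u{EFFFF}]";

// [a-z] (PCENChar)* '-' (PCENChar)* is checked as "one allowed run of
// characters plus at least one hyphen", which keeps matching linear-time
// on attacker-supplied names instead of backtracking over every hyphen.
const NAME_CHARS = new RegExp(`^[a-z]${PCEN_CHAR}*$`, "u");

// Hyphenated names the HTML spec reserves; they are never custom elements.
const RESERVED_NAMES = new Set([
  "annotation-xml", "color-profile", "font-face", "font-face-src",
  "font-face-uri", "font-face-format", "font-face-name", "missing-glyph",
]);

function isCustomElementName(name) {
  return typeof name === "string" &&
    NAME_CHARS.test(name) &&
    name.includes("-") &&
    !RESERVED_NAMES.has(name);
}

// Constructed subset standing in for the Sanitizer API baseline elements.
const SAMPLE_BASELINE = new Set(["a", "b", "div", "em", "p", "span"]);

// Custom elements survive only when allowCustomElements is true; every
// other name must be in the baseline list (assumed to apply in both modes).
function filterAllowElements(allowElements, allowCustomElements,
                             baseline = SAMPLE_BASELINE) {
  return allowElements.filter((name) =>
    isCustomElementName(name) ? allowCustomElements : baseline.has(name));
}

const requested = ["div", "script", "my-card", "font-face"];
console.log(filterAllowElements(requested, true));  // [ 'div', 'my-card' ]
console.log(filterAllowElements(requested, false)); // [ 'div' ]
```

Names that only look custom, such as `font-face` or the mixed-case `My-Element`, fall through to the baseline check and are dropped rather than being allowed as custom elements.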