
Conversation

@untitaker

Description

Link to the specification to define what "XSS-safe" means.

"XSS-safe" is not well-defined within MDN so let's link to the spec.

Motivation

The current description of the default sanitizer's behavior is ultimately not meaningful.

Additional details

I don't know if "XSS-safe" is a well-defined term within the spec, but if it is then the definition should be linked in MDN (or translated to it)

Related issues and pull requests

@untitaker untitaker requested a review from a team as a code owner October 22, 2025 13:41
@untitaker untitaker requested review from wbamberg and removed request for a team October 22, 2025 13:41
@github-actions github-actions bot added Content:WebAPI Web API docs size/xs [PR only] 0-5 LoC changed labels Oct 22, 2025
@github-actions
Contributor

Preview URLs

External URLs (1)

URL: /en-US/docs/Web/API/Element/setHTML
Title: Element: setHTML() method

@evilpie
Contributor

evilpie commented Oct 22, 2025

I wish we had a better explanation for this that we could link to. Maybe this is something WICG/sanitizer-api#287 should aspire to define.
Actually https://wicg.github.io/sanitizer-api/#built-in-safe-baseline-configuration might be better. That is actually the list that is used by removeUnsafe, to remove everything that is script-ty.

@wbamberg
Collaborator

wbamberg commented Oct 22, 2025

We should explain this but I don't think this link is very helpful. Apart from being quite hard to read, I'm not sure what it means. For instance when it says:

{
  "name": "abbr",
  "namespace": "http://www.w3.org/1999/xhtml",
  "attributes": []
}

...does that mean that by default no attributes are allowed on <abbr>?

It would be great to have a page under https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API that describes the default configuration. I also don't understand the difference between the "built-in safe default configuration" and the "built-in safe baseline configuration" and would prefer not to have to pick through the spec to try to work it out.

@hamishwillee , what do you think?

@hamishwillee
Collaborator

hamishwillee commented Oct 23, 2025

We should explain this but I don't think this link is very helpful. Apart from being quite hard to read, I'm not sure what it means. For instance when it says:

{
  "name": "abbr",
  "namespace": "http://www.w3.org/1999/xhtml",
  "attributes": []
}

...does that mean that by default no attributes are allowed on <abbr>?

It would be great to have a page under https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API that describes the default configuration. I also don't understand the difference between the "built-in safe default configuration" and the "built-in safe baseline configuration" and would prefer not to have to pick through the spec to try to work it out.

@hamishwillee , what do you think?

I agree with you - generally we don't link to the spec and I don't think this is all that useful a link.

The TLDR IMO is that 99% of people don't need to know the list - this should be used as a drop-in replacement for innerHTML. If you're injecting any of those untrusted things you should be taking a long hard look at yourself :-)

That said, I guess it might help people who are wondering why something in the input disappeared. Since the text is huge and may change we could do this:

This configuration allows all elements and attributes that are considered XSS-safe, thereby disallowing entities that are considered unsafe (you can test which elements are considered unsafe by running the Sanitizer() constructor example).


As I understand it, the "built-in safe default configuration" is the very restrictive configuration you get by default. This excludes anything that can cause an XSS attack AND some other bits and bobs that can in theory lead to other less worrying attacks such as clickjacking.
The "built-in safe baseline configuration" is a more permissive configuration that just restricts the XSS subset of attributes and elements.

I believe that removeUnsafe() is the only thing that uses the more permissive version. That is not documented, and possibly should be.

...does that mean that by default no attributes are allowed on <abbr>?

It means that <abbr> is not allowed. If there were attributes it would mean that the element is allowed, but if those attributes are present they should be filtered.
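The usage pattern recommended in the thread (setHTML() as a drop-in replacement for innerHTML) and the suggestion to find out empirically what the default configuration strips, as an added example. This is not code from the PR, from MDN or from the Sanitizer API spec; it assumes a browser that implements Element.prototype.setHTML(), and the function names setSanitizedHTML, startTags and removedBySanitizer, as well as the PROBE markup, are constructed for this example.

```javascript
// Added example for this discussion; it is not code from the PR or from MDN.
// It assumes a browser that implements the HTML Sanitizer API
// (Element.prototype.setHTML). The probe markup is constructed for the example.

// Constructed probe: a mix of harmless markup and classic XSS carriers.
const PROBE =
  '<p onclick="alert(1)">hi</p>' +
  '<abbr title="HyperText">HT</abbr>' +
  '<script>alert(1)</script>' +
  '<a href="javascript:alert(1)">x</a>' +
  '<img src="x" onerror="alert(1)">';

// Pull start tags and their attribute names out of a markup string.
// This is only a diagnostic over strings we control (our own probe and the
// browser's serialisation of what survived sanitisation). It is not an HTML
// parser (a ">" inside an attribute value would confuse it) and must never
// be used as a sanitizer itself.
function startTags(html) {
  const tagRe = /<([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  const attrRe = /([^\s=\/"'>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const tags = [];
  for (const m of html.matchAll(tagRe)) {
    const attrs = [...m[2].matchAll(attrRe)].map((a) => a[1].toLowerCase());
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Compare the markup we handed in with the markup that came back out and
// report which element names and which tag.attribute pairs disappeared.
function removedBySanitizer(before, after) {
  const seen = (html) => {
    const els = new Set();
    const attrs = new Set();
    for (const t of startTags(html)) {
      els.add(t.name);
      for (const a of t.attrs) attrs.add(`${t.name}.${a}`);
    }
    return { els, attrs };
  };
  const b = seen(before);
  const a = seen(after);
  return {
    elements: [...b.els].filter((n) => !a.els.has(n)),
    attributes: [...b.attrs].filter((n) => !a.attrs.has(n)),
  };
}

// Drop-in replacement for `el.innerHTML = untrusted`: calls setHTML() with
// no options, i.e. the default (XSS-safe) configuration. If the API is
// missing we fail closed rather than silently falling back to innerHTML.
function setSanitizedHTML(el, untrusted) {
  if (typeof el.setHTML !== 'function') {
    throw new Error('Element.setHTML() is not available; refusing to inject untrusted markup');
  }
  el.setHTML(untrusted);
  // el.innerHTML now serialises only what the default configuration kept.
  return removedBySanitizer(untrusted, el.innerHTML);
}

// Browser-only demo; skipped when no DOM is present (e.g. under Node).
if (typeof document !== 'undefined') {
  const target = document.createElement('div');
  console.log(setSanitizedHTML(target, PROBE));
}
```

Running the demo in a page answers the "why did my element disappear?" question for that browser without reading the spec list: the returned object names the elements and tag.attribute pairs the default configuration removed. Record those results per browser rather than hard-coding them, since the default configuration is defined by the spec and may change; and never turn the string diagnostic into a filter of its own, the browser's sanitizer is the control, the diagnostic only observes it.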
