The Sanitizer API landed in Firefox 148, along with element.setHTML().
This lets you fully configure how HTML strings are cleaned as they're parsed.
Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148 – Mozilla Hacks - the Web developer blog
Cross-site scripting (XSS) remains one of the most prevalent vulnerabilities on the web. The new standardized Sanitizer API provides a straightforward way for web developers to sanitize untrusted HTML before inserting it into the DOM. Firefox 148 is the first browser to ship this standardized security enhancing API, advancing a safer web for everyone. We expect other browsers to follow soon.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
@firefoxwebdevs couldn't the attacker change the sanitizer rules to permit the tags they want to exploit?
@barefootstache if the attacker has enough script access to do that, you've already lost.
Whereas HTML strings often come from things like a database or API.
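As an added example (not code from the original post or from Mozilla), here is the innerHTML-to-setHTML migration the post describes, with an explicit allow-list configuration; the element and attribute lists, the frozen config and the fail-closed fallback are this example's own choices, and the config keys follow the Sanitizer API shape.

```javascript
// Added example: moving a comment renderer from innerHTML to
// element.setHTML() with an explicit Sanitizer configuration.
// Assumes a browser that ships the Sanitizer API (Firefox 148+).

// Allow-list for user comments: only these elements and attributes
// are kept while the string is parsed. Frozen so later code cannot
// quietly widen it (this does not defend against an attacker who can
// already run script on the page, as the reply above notes).
const COMMENT_SANITIZER = Object.freeze({
  elements: Object.freeze(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br']),
  attributes: Object.freeze(['href', 'title']),
  comments: false,
});

// Before: the whole untrusted string is parsed as live markup.
function renderCommentUnsafe(target, html) {
  target.innerHTML = html; // XSS if html is attacker-controlled
}

// After: the string is cleaned as it is parsed, per COMMENT_SANITIZER.
// Fails closed when setHTML is missing instead of falling back to innerHTML.
function renderComment(target, html) {
  if (typeof target.setHTML !== 'function') {
    throw new Error('Sanitizer API not available; refusing to insert untrusted HTML');
  }
  target.setHTML(html, { sanitizer: COMMENT_SANITIZER });
}

// Review/test guard: a config that allows script-bearing elements or
// inline event-handler attributes defeats the purpose of the allow-list.
function isConservativeConfig(config) {
  const elems = config.elements || [];
  const attrs = config.attributes || [];
  const badElems = ['script', 'iframe', 'object', 'embed', 'style'];
  return !elems.some((e) => badElems.includes(e.toLowerCase())) &&
    !attrs.some((a) => a.toLowerCase().startsWith('on'));
}

// Constructed sample input for a browser demo (not from the original post).
const UNTRUSTED_COMMENT =
  '<p onclick="alert(1)">Hi <b>there</b><script>alert(1)</script></p>';

if (typeof document !== 'undefined') {
  const box = document.createElement('div');
  renderComment(box, UNTRUSTED_COMMENT);
  console.log(box.innerHTML); // script and onclick are gone; p and b remain
}
```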