
There are three ways an engineer learns about Cross-Site Scripting (XSS). The lucky ones learn about it through a helpful code review or a proactive security lint rule. The diligent ones learn about it during a security audit that catches a vulnerability before it hits production.

Then, there are the scarred ones. They learn about it when a live exploit hits their site. When an attacker injects a script that steals session tokens from localStorage, hijacks cookies, or redirects users to a phishing site. I personally joined the “scarred” club back in 2005, when an embedded Flash signature in a forum I owned turned into a security nightmare… but that’s a story for another time.

In this article, we’re going to explore how the browser is finally taking the burden of sanitization off our shoulders with the new HTML Sanitizer API.

The Problem with innerHTML

To understand the solution, we have to look at the danger. In the early days of the web, innerHTML was the magic wand that turned…
