Enable createParserOptions, passing a sanitizer to trusted types#606

Open
noamr wants to merge 14 commits into main from create-parser-options

noamr commented Feb 17, 2026

createParserOptions receives a SetHTML{Unsafe}Options and turns them into a TrustedParserOptions using the given method from the policy config.

This is the trusted-types part of #594

Note that this should only be merged when wired into the HTML standard, once the sanitizer is itself upstreamed.


noamr requested a review from lukewarlow February 17, 2026 11:13

@lukewarlow
Member

LGTM

noamr force-pushed the create-parser-options branch from ced3862 to d44dcea June 1, 2026 13:44

noamr commented Jun 1, 2026
Author

I've made some changes:

  • Some of the algorithm calls from "get Trusted Type compliant parser options" assumed stringifications. Made that algorithm do things on its own and pass a new object (represented as an ordered map) instead.
  • Allow passing throwIfMissing from the outside. streamHTMLUnsafe methods should throw if the policy cannot create parser options, while setHTMLUnsafe and friends can rely on createHTML.
  • Support runScripts as per "Add runScripts to SetHTMLUnsafeOptions" (whatwg/html#12495)

(Note: this PR will fail build until we merge the latter)

@lukewarlow
Member

Are you able to fix the build failure now?

noamr closed this Jun 9, 2026
noamr reopened this Jun 9, 2026

noamr commented Jun 9, 2026
Author

> Are you able to fix the build failure now?

I'll revisit this once I have the HTML counterpart ready.

Comment thread spec/index.bs Outdated

## Get Trusted Type parser input ## {#get-trusted-type-parser-input-algorithm}

To <dfn export>get Trusted Type compliant input</dfn> given a {{TrustedType}} |expectedType|, a [=realm/global object=] (|global|), string, or <code data-x="">Stream</code> |input|,

Member

What is Stream?

Author

It's a special value meaning that we don't have a string yet and we are going to stream the HTML. Is null better? This seemed more descriptive.

Comment thread spec/index.bs Outdated

1. Throw a TypeError and abort further steps.
1. Let |sanitizer| be |policyValue|["`sanitizer`"], [=with default|defaulting to=] a new {{SanitizerConfig}}.
1. If |sanitizer| is a {{Sanitizer}}, then set |sanitizer| to a new {{Sanitizer}} whose [=Sanitizer/configuration=] is the result of [=canonicali`ze the configuration|canonicalizing=] |sanitizer|'s [=Sanitizer/configuration=].

Member

Shouldn't that already be canonicalized?

Author

This is the equivalent of cloning, to avoid mutating an existing object. The note underneath says so.

Author

Refactored this, doesn't use "canonicalize" anymore.

annevk commented Jun 22, 2026
Member

Also, reportedly this impacts innerHTML and friends as well somehow? I think that warrants some examples.

noamr commented Jun 23, 2026
Author

> Also, reportedly this impacts innerHTML and friends as well somehow? I think that warrants some examples.

Added prose and examples for this.

noamr commented Jun 23, 2026
Author

(The build failure is in main, trying to resolve separately. Do you have an idea maybe @lukewarlow ?)

evilpie commented Jun 23, 2026

In TrustedParserOptions sanitizer member is readonly, but a Sanitizer instance allows for internal modification. Isn't that unexpected?

Also I feel like we should probably always return a Sanitizer object, instead of one of three options? Otherwise it seems easy to accidentally write code (not sure what for though?) that only works with a subset.

noamr commented Jun 23, 2026
Author

> In TrustedParserOptions sanitizer member is readonly, but a Sanitizer instance allows for internal modification. Isn't that unexpected?

It's a good point. I guess we need to return a clone of the underlying sanitizer if the getter is invoked so that you couldn't get a TrustedParserOptions and then mutate it.

> Also I feel like we should probably always return a Sanitizer object, instead of one of three options? Otherwise it seems easy to accidentally write code (not sure what for though?) that only works with a subset.

Yea I was contemplating that. SGTM

noamr and others added 12 commits June 23, 2026 13:32
`createParserOptions` receives a `SetHTML{Unsafe}Options` and turns them into
a `TrustedParserOptions` using the given method from the policy config.

This is the `trusted-types` part of #594
(Need to wire it to HTML as well)
Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
noamr force-pushed the create-parser-options branch from 6b671ea to 5db0166 June 23, 2026 12:33

noamr commented Jun 23, 2026
Author

> > In TrustedParserOptions sanitizer member is readonly, but a Sanitizer instance allows for internal modification. Isn't that unexpected?
>
> It's a good point. I guess we need to return a clone of the underlying sanitizer if the getter is invoked so that you couldn't get a TrustedParserOptions and then mutate it.
>
> > Also I feel like we should probably always return a Sanitizer object, instead of one of three options? Otherwise it seems easy to accidentally write code (not sure what for though?) that only works with a subset.
>
> Yea I was contemplating that. SGTM

The new version only passes a Sanitizer option around, and mutating a trustedParserOptions.sanitizer doesn't affect the underlying sanitizer.
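
The aliasing concern raised in this thread (a readonly `sanitizer` member that still exposes a mutable object) and the clone-on-read behaviour described in the last comment, as an added example that is not code from the PR or the spec. `ToySanitizer`, `SharedOptions` and `ClonedOptions` are hypothetical stand-ins, not the real `Sanitizer` or `TrustedParserOptions` interfaces, and markup is modelled as a constructed list of element names.

```javascript
// Hypothetical stand-in for a mutable sanitizer (not the real Sanitizer API).
class ToySanitizer {
  #removed;
  constructor(removed = []) { this.#removed = new Set(removed); }
  removeElement(name) { this.#removed.add(name); }
  allowElement(name) { this.#removed.delete(name); }
  clone() { return new ToySanitizer(this.#removed); }
  // "Sanitizes" a list of element names by dropping the removed ones.
  sanitize(tags) { return tags.filter((t) => !this.#removed.has(t)); }
}

// Readonly getter that hands out the internal object itself:
// the reference cannot be reassigned, but its state can be changed.
class SharedOptions {
  #sanitizer;
  constructor(s) { this.#sanitizer = s; }
  get sanitizer() { return this.#sanitizer; }
  apply(tags) { return this.#sanitizer.sanitize(tags); }
}

// Copies the sanitizer when stored and again on every read, so neither
// the policy's object nor a value obtained from the getter aliases it.
class ClonedOptions {
  #sanitizer;
  constructor(s) { this.#sanitizer = s.clone(); }
  get sanitizer() { return this.#sanitizer.clone(); }
  apply(tags) { return this.#sanitizer.sanitize(tags); }
}

function demo() {
  // Constructed policy decision: "script" must be removed.
  const policySanitizer = new ToySanitizer(["script"]);
  const shared = new SharedOptions(policySanitizer);
  const cloned = new ClonedOptions(policySanitizer);

  // Caller code modifies whatever the readonly getter returned.
  shared.sanitizer.allowElement("script");
  cloned.sanitizer.allowElement("script");

  const input = ["p", "script"]; // constructed sample input
  return { shared: shared.apply(input), cloned: cloned.apply(input) };
}

console.log(demo());
```

With the shared reference the policy's decision is changed after the fact; with copies on store and on read it is not.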
