HTML Sanitizer API - 原生的 JavaScript Security API

最近在 10 / 18,W3C 中的 Web Platform Incubator Community Group 發布了一項 HTML Sanitizer API 規範草案,此草案的目的是為了解決瀏覽器 XSS 攻擊的問題。不過因為才剛公佈,所以還沒有瀏覽器有支援。

如果想要體驗的話,可以調整瀏覽器的設定:
Chrome :about://flags/#enable-experimental-web-platform-features
Firefox:about:config将dom.security.sanitizer.enabled

主要的功能是允許開發者當接收到了不受信任的 HTML 字串和 Document 或 DocumentFragment 物件的時候,可以對其進行清理後再安全的插入到 DOM 中(講白話就是幫我們過濾)。
使用的了 Sanitizer API 的好處就是減少了使用第三方套件來處理。使用了原生的 API 之後也可以提升效能。

Sanitizer API Methods

Sanitizer API 提供了三種基本的清理方式

Element.setHTML():用於解析和清理 HTML 字串,並立即將其插入當前元素的 DOM。可以當作是安全版本的 Element.innerHTML

const unsanitized_string = "abc <script>alert(1)</script> def";  // Unsanitized string of HTML

const sanitizer = new Sanitizer();  // Default sanitizer;

// Get the Element with id "target" and set it with the sanitized string.
const target = document.getElementById("target");
target.setHTML(unsanitized_string, sanitizer);

console.log(target.innerHTML);
// "abc  def"

Sanitizer.sanitizeFor():用於解析和清理 HTML 字串,跟 Element.setHTML 不同的在於,並不會插入 DOM 中。

const unsanitized_string = "abc <script>alert(1)</script> def";  // Unsanitized string of HTML
const sanitizer = new Sanitizer();  // Default sanitizer;

// Sanitize the string
let sanitizedDiv = sanitizer.sanitizeFor("div", unsanitized_string);

//We can verify the returned element type, and view sanitized HTML in string form:
console.log( (sanitizedDiv instanceof HTMLDivElement) );
// true
console.log(sanitizedDiv.innerHTML)
// "abc  def"

// At some point later ...

// Get the element to update. This must be a div to match our sanitizeFor() context.
// Set its content to be the children of our sanitized element. 
document.querySelector("div#target").replaceChildren(sanitizedDiv.children);

Sanitizer.sanitize():清理 Document 或 DocumentFragment 中的資料。直接清理 DOM 中的結構。

const sanitizer = new Sanitizer();  // Default sanitizer;

// Get the frame and its Document object
const frame_element = document.getElementById("userFrame")
const unsantitized_frame_tree = frame_element.contentWindow.document;

// Sanitize the document tree and update the frame.
const sanitized_frame_tree = sanitizer.sanitize(unsanititized_frame_tree);
frame_element.replaceChildren(sanitized_frame_tree);

Reference

Did you find this article valuable?

Support 攻城獅 by becoming a sponsor. Any amount is appreciated!