1. 8.4 動的マークアップの挿入
      1. 8.4.1 入力ストリームを開く
      2. 8.4.2 入力ストリームを閉じる
      3. 8.4.3 document.write()
      4. 8.4.4 document.writeln()
    2. 8.5 DOM解析およびシリアライゼーションAPI
      1. 8.5.1 DOMParserインターフェイス
      2. 8.5.2 HTML parsing methods
      3. 8.5.3 HTMLシリアル化メソッド
      4. 8.5.4 innerHTMLプロパティ
      5. 8.5.5 outerHTMLプロパティ
      6. 8.5.6 insertAdjacentHTML()メソッド
      7. 8.5.7 createContextualFragment()メソッド
      8. 8.5.8 XMLSerializerインターフェイス
    3. 8.6 HTML sanitization
      1. 8.6.1 Introduction
        1. 8.6.1.1 Safe and unsafe
      2. 8.6.2 The Sanitizer interface
      3. 8.6.3 Sanitizer configuration
        1. 8.6.3.1 Configuration invariants
      4. 8.6.4 Sanitization algorithms
      5. 8.6.5 Sanitization constants
      6. 8.6.6 Security considerations
        1. 8.6.6.1 Server-side reflected and stored XSS
        2. 8.6.6.2 DOM clobbering
        3. 8.6.6.3 XSS with script gadgets
        4. 8.6.6.4 Mutation XSS

8.4 動的マークアップの挿入

マークアップを文書に動的に挿入するためのAPIはパーサーと相互作用するため、その動作は、HTML文書(およびHTMLパーサー)かXML文書(およびXMLパーサー)かのどちらで使用されるかによって異なる。

Document objects have a throw-on-dynamic-markup-insertion counter, which is used in conjunction with the create an element for the token algorithm to prevent custom element constructors from being able to use document.open(), document.close(), and document.write() when they are invoked by the parser. Initially, the counter must be set to zero.

8.4.1 入力ストリームを開く

document = document.open()

Document/open

Support in all current engines.

Firefox1+Safari11+Chrome64+
Opera51+Edge79+
Edge (Legacy)12+Internet Explorer4+
Firefox Android?Safari iOS?Chrome Android?WebView Android?Samsung Internet?Opera Android47+

前のオブジェクトを再利用する場合を除き、あたかもそれが新しいDocumentオブジェクトであるかのように、Documentに正しい場所で置換され、その後返される。

結果として得られるDocumentはHTMLパーサーが関連付けられており、 document.write()を使用して解析するデータを与えることができる。

Documentがまだ解析されている場合、メソッドは効果がない。

DocumentXML文書である場合、"InvalidStateError" DOMExceptionを投げる。

パーサーがカスタム要素コンストラクターを現在実行している場合、"InvalidStateError" DOMExceptionを投げる。

window = document.open(url, name, features)

window.open()メソッドのように動作する。

Document objects have an active parser was aborted boolean, which is used to prevent scripts from invoking the document.open() and document.write() methods (directly or indirectly) after the document's active parser has been aborted. 最初はfalseである。

The document open steps, given a document, are as follows:

  1. If document is an XML document, then throw an "InvalidStateError" DOMException.

  2. If document's throw-on-dynamic-markup-insertion counter is greater than 0, then throw an "InvalidStateError" DOMException.

  3. Let entryDocument be the entry global object's associated Document.

  4. If document's origin is not same origin to entryDocument's origin, then throw a "SecurityError" DOMException.

  5. If document has an active parser whose script nesting level is greater than 0, then return document.

    This basically causes document.open() to be ignored when it's called in an inline script found during parsing, while still letting it have an effect when called from a non-parser task such as a timer callback or event handler.

  6. Similarly, if document's unload counter is greater than 0, then return document.

    This basically causes document.open() to be ignored when it's called from a beforeunload, pagehide, or unload event handler while the Document is being unloaded.

  7. If document's active parser was aborted is true, then return document.

    This notably causes document.open() to be ignored if it is called after a navigation has started, but only during the initial parse. See issue #4723 for more background.

  8. If document's node navigable is non-null and document's node navigable's ongoing navigation is a navigation ID, then stop loading document's node navigable.

  9. For each shadow-including inclusive descendant node of document, erase all event listeners and handlers given node.

  10. If document is the associated Document of document's relevant global object, then erase all event listeners and handlers given document's relevant global object.

  11. Replace all with null within document.

  12. If document is fully active:

    1. Let newURL be a copy of entryDocument's URL.

    2. If entryDocument is not document, then set newURL's fragment to null.

    3. Run the URL and history update steps with document and newURL.

  13. Set document's is initial about:blank to false.

  14. If document's iframe load in progress flag is set, then set document's mute iframe load flag.

  15. Set document to no-quirks mode.

  16. Create a new HTML parser and associate it with document. This is a script-created parser (meaning that it can be closed by the document.open() and document.close() methods, and that the tokenizer will wait for an explicit call to document.close() before emitting an end-of-file token). The encoding confidence is irrelevant.

  17. Set the insertion point to point at just before the end of the input stream (which at this point will be empty).

  18. Update the current document readiness of document to "loading".

    This causes a readystatechange event to fire, but the event is actually unobservable to author code, because of the previous step which erased all event listeners and handlers that could observe it.

  19. documentを返す。

The document open steps do not affect whether a Document is ready for post-load tasks or completely loaded.

The open(unused1, unused2) method must return the result of running the document open steps with this.

The unused1 and unused2 arguments are ignored, but kept in the IDL to allow code that calls the function with one or two arguments to continue working. They are necessary due to Web IDL overload resolution algorithm rules, which would throw a TypeError exception for such calls had the arguments not been there. whatwg/webidl issue #581 investigates changing the algorithm to allow for their removal. [WEBIDL]

The open(url, name, features) method must run these steps:

  1. If this is not fully active, then throw an "InvalidAccessError" DOMException.

  2. Return the result of running the window open steps with url, name, and features.

8.4.2 入力ストリームを閉じる

document.close()

Document/close

Support in all current engines.

Firefox1+Safari11+Chrome64+
Opera51+Edge79+
Edge (Legacy)12+Internet Explorer4+
Firefox Android?Safari iOS?Chrome Android?WebView Android?Samsung Internet?Opera Android47+

document.open()メソッドによって開かれた入力ストリームを閉じる。

DocumentXML文書である場合、"InvalidStateError" DOMExceptionを投げる。

パーサーがカスタム要素コンストラクターを現在実行している場合、"InvalidStateError" DOMExceptionを投げる。

The close() method must run the following steps:

  1. If this is an XML document, then throw an "InvalidStateError" DOMException.

  2. If this's throw-on-dynamic-markup-insertion counter is greater than zero, then throw an "InvalidStateError" DOMException.

  3. If there is no script-created parser associated with this, then return.

  4. Insert an explicit "EOF" character at the end of the parser's input stream.

  5. If this's pending parsing-blocking script is not null, then return.

  6. Run the tokenizer, processing resulting tokens as they are emitted, and stopping when the tokenizer reaches the explicit "EOF" character or spins the event loop.

8.4.3 document.write()

document.write(...text)

Document/write

Support in all current engines.

Firefox1+Safari1+Chrome1+
Opera3+Edge79+
Edge (Legacy)12+Internet Explorer4+
Firefox Android?Safari iOS?Chrome Android?WebView Android?Samsung Internet?Opera Android10.1+

一般に、与えられた文字列をDocumentの入力ストリームに加える。

このメソッドは非常に特異な振る舞いを持つ。一部の場合において、このメソッドは、パーサーが実行されている間、HTMLパーサーの状態に影響を与えることができる。その結果、文書のソースに対応しないDOMをもたらす(たとえば、記述された文字列が、文字列"<plaintext>"または"<!--"である場合)。他の例では、あたかもdocument.open()が呼び出されていたかのように、呼び出しが最初に現在のページをクリアできる。さらに多くの例では、メソッドは単に無視されるか、または例外を投げる。User agents are explicitly allowed to avoid executing script elements inserted via this method. さらに悪いことに、このメソッドの正確な動作は、場合によってはネットワーク遅延に依存する可能性があり、これはデバッグが非常に困難な障害につながる可能性がある。これらすべての理由から、このメソッドの使用は強く勧めない。

XML文書で呼び出されるとき、"InvalidStateError" DOMExceptionを投げる。

パーサーがカスタム要素コンストラクターを現在実行している場合、"InvalidStateError" DOMExceptionを投げる。

このメソッドは、scriptまたはイベントハンドラーコンテンツ属性のような潜在的に危険な要素および属性を削除するためのサニタイズを実行しない。

Document objects have an ignore-destructive-writes counter, which is used in conjunction with the processing of script elements to prevent external scripts from being able to use document.write() to blow away the document by implicitly calling document.open(). Initially, the counter must be set to zero.

The document write steps, given a Document object document, a list text, a boolean lineFeed, and a string sink, are as follows:

  1. Let string be the empty string.

  2. Let isTrusted be false if text contains a string; otherwise true.

  3. For each value of text:

    1. If value is a TrustedHTML object, then append value's associated data to string.

    2. Otherwise, append value to string.

  4. If isTrusted is false, set string to the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, string, sink, and "script".

  5. If lineFeed is true, append U+000A LINE FEED to string.

  6. If document is an XML document, then throw an "InvalidStateError" DOMException.

  7. If document's throw-on-dynamic-markup-insertion counter is greater than 0, then throw an "InvalidStateError" DOMException.

  8. If document's active parser was aborted is true, then return.

  9. If the insertion point is undefined:

    1. If document's unload counter is greater than 0 or document's ignore-destructive-writes counter is greater than 0, then return.

    2. Run the document open steps with document.

  10. Insert string into the input stream just before the insertion point.

  11. If document's pending parsing-blocking script is null, then have the HTML parser process string, one code point at a time, processing resulting tokens as they are emitted, and stopping when the tokenizer reaches the insertion point or when the processing of the tokenizer is aborted by the tree construction stage (this can happen if a script end tag token is emitted by the tokenizer).

    If the document.write() method was called from script executing inline (i.e. executing because the parser parsed a set of script tags), then this is a reentrant invocation of the parser. If the parser pause flag is set, the tokenizer will abort immediately and no HTML will be parsed, per the tokenizer's parser pause flag check.

The document.write(...text) method steps are to run the document write steps with this, text, false, and "Document write".

8.4.4 document.writeln()

document.writeln(...text)

Document/writeln

Support in all current engines.

Firefox1+Safari11+Chrome64+
Opera51+Edge79+
Edge (Legacy)12+Internet Explorer4+
Firefox Android?Safari iOS?Chrome Android?WebView Android?Samsung Internet?Opera Android47+

改行文字の後に、与えられた文字列をDocumentの入力ストリームに加える。必要ならば、open()メソッドを暗黙のうちに最初に呼び出す。

このメソッドは非常に特異な振る舞いを持つ。Use of this method is strongly discouraged, for the same reasons as document.write().

XML文書で呼び出されるとき、"InvalidStateError" DOMExceptionを投げる。

パーサーがカスタム要素コンストラクターを現在実行している場合、"InvalidStateError" DOMExceptionを投げる。

このメソッドは、scriptまたはイベントハンドラーコンテンツ属性のような潜在的に危険な要素および属性を削除するためのサニタイズを実行しない。

The document.writeln(...text) method steps are to run the document write steps with this, text, true, and "Document writeln".

8.5 DOM解析およびシリアライゼーションAPI

DOMParser

Support in all current engines.

Firefox1+Safari1.3+Chrome1+
Opera8+Edge79+
Edge (Legacy)12+Internet Explorer9+
Firefox Android?Safari iOS?Chrome Android?WebView Android?Samsung Internet?Opera Android10.1+
partial interface Element {
  [CEReactions] undefined setHTML(DOMString html, optional SetHTMLOptions options = {});
  [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html, optional SetHTMLUnsafeOptions options = {});
  DOMString getHTML(optional GetHTMLOptions options = {});

  [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
  [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) outerHTML;
  [CEReactions] undefined insertAdjacentHTML(DOMString position, (TrustedHTML or DOMString) string);
};

partial interface ShadowRoot {
  [CEReactions] undefined setHTML(DOMString html, optional SetHTMLOptions options = {});
  [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html, optional SetHTMLUnsafeOptions options = {});
  DOMString getHTML(optional GetHTMLOptions options = {});

  [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
};

enum SanitizerPresets { "default" };
dictionary SetHTMLOptions {
  (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = "default";
};
dictionary SetHTMLUnsafeOptions {
  (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {};
  boolean runScripts = false;
};
dictionary ParseHTMLUnsafeOptions {
  (Sanitizer or SanitizerConfig or SanitizerPresets) sanitizer = {};
};

dictionary GetHTMLOptions {
  boolean serializableShadowRoots = false;
  sequence<ShadowRoot> shadowRoots = [];
};

8.5.1 DOMParserインターフェイス

DOMParser インターフェイスは、HTMLまたはXMLのいずれかとして、文字列を解析することで新しいDocumentオブジェクトを作成することを可能にする。

parser = new DOMParser()

DOMParser/DOMParser

Support in all current engines.

Firefox1+Safari1.3+Chrome1+
Opera8+Edge79+
Edge (Legacy)12+Internet Explorer9+
Firefox Android?Safari iOS?Chrome Android?WebView Android?Samsung Internet?Opera Android10.1+

新しいDOMParserオブジェクトを構築する。

document = parser.parseFromString(string, type)

DOMParser/parseFromString

Support in all current engines.

Firefox1+Safari1.3+Chrome1+
Opera8+Edge79+
Edge (Legacy)12+Internet Explorer9+
Firefox Android?Safari iOS?Chrome Android?WebView Android?Samsung Internet?Opera Android10.1+

typeに応じて、HTMLまたはXMLパーサーのいずれかを使用して文字列を解析し、結果のDocumentを返す。typeは、"text/html"(HTMLパーサーを呼び出す)、または"text/xml"、"application/xml"、"application/xhtml+xml"、もしくは"image/svg+xml"(XMLパーサーを呼び出す)。

XMLパーサーの場合、文字列を解析できない場合、返されるDocumentは、結果のエラーを説明する要素が含まれる。

script 要素は解析中に評価されず、結果の文書のエンコーディングは常にUTF-8となることに注意する。文書のURLは、parser関連するグローバルオブジェクトから継承される。

typeに上記以外の値を指定すると、TypeError例外が投げられる。

構築してからparseFromString()メソッドを呼び出す必要があるクラスとしてのDOMParserの設計は、不幸な歴史的成果物である。もし今日にこの機能を設計していたとしたら、それはスタンドアロン機能になっただろう。HTMLを解析する場合、現在の代替手段はDocument.parseHTMLUnsafe()である。

このメソッドは、scriptまたはイベントハンドラーコンテンツ属性のような潜在的に危険な要素および属性を削除するためのサニタイズを実行しない。

[Exposed=Window]
interface DOMParser {
  constructor();

  [NewObject] Document parseFromString((TrustedHTML or DOMString) string, DOMParserSupportedType type);
};

enum DOMParserSupportedType {
  "text/html",
  "text/xml",
  "application/xml",
  "application/xhtml+xml",
  "image/svg+xml"
};

The new DOMParser() constructor steps are to do nothing.

The parseFromString(string, type) method steps are:

  1. Let compliantString be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, string, "DOMParser parseFromString", and "script".

  2. Let document be a new Document, whose content type is type and URL is this's relevant global object's associated Document's URL.

    The document's encoding will be left as its default, of UTF-8. In particular, any XML declarations or meta elements found while parsing compliantString will have no effect.

  3. Switch on type:

    "text/html"

    1. Parse HTML from a string given document and compliantString.

    Since document does not have a browsing context, scripting is disabled.

    Otherwise

    1. Create an XML parser parser, associated with document, and with XML scripting support disabled.

    2. Parse compliantString using parser.

    3. If the previous step resulted in an XML well-formedness or XML namespace well-formedness error:

      1. Assert: document has no child nodes.

      2. Let root be the result of creating an element given document, "parsererror", and "http://www.mozilla.org/newlayout/xml/parsererror.xml".

      3. Optionally, add attributes or children to root to describe the nature of the parsing error.

      4. Append root to document.

  4. documentを返す。

To parse HTML from a string, given a Document document and a string html:

  1. Set document's type to "html".

  2. Create an HTML parser parser, associated with document.

  3. Place html into the input stream for parser. The encoding confidence is irrelevant.

  4. Start parser and let it run until it has consumed all the characters just inserted into the input stream.

    This might mutate the document's mode.

8.5.2 HTML parsing methods

element.setHTML(html, options)

Parses html using the HTML parser with options options, and replaces the children of element with the result. element provides context for the HTML parser. The parsed fragment is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

shadowRoot.setHTML(html, options)

Parses html using the HTML parser with options options, and replaces the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser. The parsed fragment is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

element.setHTMLUnsafe(html, options)

Parses html using the HTML parser with options options, and replaces the children of element with the result. element provides context for the HTML parser. If the options dictionary contains a "sanitizer" member, it is used to sanitize the parsed fragment before it is inserted into element. If the options dictionary's "runScripts" member is true, scripts contained in html will be executed immediately after the node tree is updated.

shadowRoot.setHTMLUnsafe(html, options)

Parses html using the HTML parser with options options, and replaces the children of shadowRoot with the result. shadowRoot's host provides context for the HTML parser. If the options dictionary contains a "sanitizer" member, it is used to sanitize the parsed fragment before it is inserted into shadowRoot. If the options dictionary's "runScripts" member is true, scripts contained in html will be executed immediately after the node tree is updated.

doc = Document.parseHTML(html, options)

Parses html using the HTML parser with options options, and returns a new Document containing the result. The resulting document is sanitized based on the options's "sanitizer" member, and unsafe content is removed.

doc = Document.parseHTMLUnsafe(html, options)

Parses html using the HTML parser with options options, and returns the resulting Document.

script 要素は解析中に評価されず、結果の文書のエンコーディングは常にUTF-8となることに注意する。文書のURLは、about:blankになる。If the options dictionary contains a "sanitizer" member, it is used to sanitize the resulting DOM.

The methods with an Unsafe suffix perform no sanitization to remove potentially-dangerous elements and attributes like script or event handler content attributes.

Element's setHTML(html, options) method steps are:

  1. Let target be this's template contents if this is a template element; otherwise this.

  2. Set and filter HTML given target, this, html, options, and true.

ShadowRoot's setHTML(html, options) method steps are:

  1. Set and filter HTML given this, this's shadow host, html, options, and true.

Element's setHTMLUnsafe(html, options) method steps are:

  1. Let compliantHTML be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, html, "Element setHTMLUnsafe", and "script".

  2. Let target be this's template contents if this is a template element; otherwise this.

  3. Set and filter HTML given target, this, compliantHTML, options, and false.

ShadowRoot's setHTMLUnsafe(html, options) method steps are:

  1. Let compliantHTML be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, html, "ShadowRoot setHTMLUnsafe", and "script".

  2. Set and filter HTML given this, this's shadow host, compliantHTML, options, and false.

The static parseHTML(html, options) method steps are:

  1. Let document be a new Document, whose content type is "text/html".

    Since document does not have a browsing context, scripting is disabled.

  2. Set document's allow declarative shadow roots to true.

  3. Parse HTML from a string given document and html.

  4. Let sanitizer be the result of calling get a sanitizer instance from options with options and true.

  5. Call sanitize on document with sanitizer and true.

  6. documentを返す。

The static parseHTMLUnsafe(html, options) method steps are:

  1. Let compliantHTML be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, html, "Document parseHTMLUnsafe", and "script".

  2. Let document be a new Document, whose content type is "text/html".

    Since document does not have a browsing context, scripting is disabled.

  3. Set document's allow declarative shadow roots to true.

  4. Parse HTML from a string given document and compliantHTML.

  5. Let sanitizer be the result of calling get a sanitizer instance from options with options and false.

  6. Call sanitize on document with sanitizer and false.

  7. documentを返す。

8.5.3 HTMLシリアル化メソッド

html = element.getHTML({ serializableShadowRoots, shadowRoots })

elementをHTMLにシリアル化した結果を返す。element内のシャドウルートは、指定されたオプションに従ってシリアル化される。

どちらのオプションも指定しない場合、シャドウルートはシリアル化されない。

html = shadowRoot.getHTML({ serializableShadowRoots, shadowRoots })

コンテキスト要素としてシャドウホストを使用して、shadowRootをHTMLにシリアル化した結果を返す。shadowRoot内のシャドウルートは、上記のように、指定されたオプションに従ってシリアル化される。

Element's getHTML(options) method steps are to return the result of HTML fragment serialization algorithm with this, options["serializableShadowRoots"], and options["shadowRoots"].

ShadowRoot's getHTML(options) method steps are to return the result of HTML fragment serialization algorithm with this, options["serializableShadowRoots"], and options["shadowRoots"].

8.5.4 innerHTMLプロパティ

innerHTMLプロパティには、DOM Parsing and Serialization issue trackerに未解決の問題が多数あり、その仕様に関するさまざまな問題が文書化されている。

element.innerHTML

要素の内容を表すHTMLまたはXMLのフラグメントを返す。

XML文書の場合、要素をXMLにシリアル化できない場合、"InvalidStateError" DOMExceptionを投げる。

element.innerHTML = value

要素の内容を、指定された文字列から解析されたノードに置き換える。

XML文書の場合、指定した文字列が整形式でない場合、"SyntaxError" DOMExceptionを投げる。

shadowRoot.innerHTML

シャドウルートの内容を表すHTMLのフラグメントを返す。

shadowRoot.innerHTML = value

シャドウルートの内容を、指定した文字列から解析されたノードに置き換える。

これらのプロパティのセッターは、scriptまたはイベントハンドラーコンテンツ属性などの潜在的に危険な要素および属性を削除するためのサニタイズを実行しない。

The fragment serializing algorithm steps, given an Element, Document, or DocumentFragment node and a boolean require well-formed, are:

  1. Let context document be node's node document.

  2. If context document is an HTML document, return the result of HTML fragment serialization algorithm with node, false, and « ».

  3. Return the XML serialization of node given require well-formed.

The fragment parsing algorithm steps, given an Element context, a string markup, and an optional parser scripting mode scriptingMode (default Inert), are:

  1. Assert: scriptingMode is either Inert or Fragment.

  2. Let newChildren be null.

  3. If context's node document is an XML document, then set newChildren to the result of invoking the XML fragment parsing algorithm given context and markup.

  4. Otherwise, set newChildren to the result of invoking the HTML fragment parsing algorithm given context, markup, false, and scriptingMode.

  5. Let fragment be a new DocumentFragment whose node document is context's node document.

  6. For each node of newChildren, in tree order: append node to fragment.

    This ensures the node document for the new nodes is correct.

  7. Return fragment.

Element's innerHTML getter steps are to return the result of running fragment serializing algorithm steps with this and true.

ShadowRoot's innerHTML getter steps are to return the result of running fragment serializing algorithm steps with this and true.

Element's innerHTML setter steps are:

  1. Let compliantString be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, the given value, "Element innerHTML", and "script".

  2. Let context be this.

  3. Let fragment be the result of invoking the fragment parsing algorithm steps with context and compliantString.

  4. If context is a template element, then set context to the template element's template contents (a DocumentFragment).

    Setting innerHTML on a template element will replace all the nodes in its template contents rather than its children.

  5. Replace all with fragment within context.

ShadowRoot's innerHTML setter steps are:

  1. Let compliantString be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, the given value, "ShadowRoot innerHTML", and "script".

  2. Let context be this's host.

  3. Let fragment be the result of invoking the fragment parsing algorithm steps with context and compliantString.

  4. Replace all with fragment within this.

8.5.5 outerHTMLプロパティ

outerHTMLプロパティには、DOM Parsing and Serialization issue trackerに未解決の問題が多数あり、その仕様に関するさまざまな問題が文書化されている。

element.outerHTML

要素とその内容を表すHTMLまたはXMLのフラグメントを返す。

XML文書の場合、要素をXMLにシリアル化できない場合、"InvalidStateError" DOMExceptionを投げる。

element.outerHTML = value

要素を、指定された文字列から解析されたノードに置き換える。

XML文書の場合、指定した文字列が整形式でない場合、"SyntaxError" DOMExceptionを投げる。

要素の親がDocumentである場合、"NoModificationAllowedError" DOMExceptionを返す。

このプロパティのセッターは、scriptまたはイベントハンドラーコンテンツ属性などの潜在的に危険な要素および属性を削除するためのサニタイズを実行しない。

Element's outerHTML getter steps are:

  1. Let element be a fictional node whose only child is this.

  2. Return the result of running fragment serializing algorithm steps with element and true.

Element's outerHTML setter steps are:

  1. Let compliantString be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, the given value, "Element outerHTML", and "script".

  2. Let parent be this's parent.

  3. If parent is null, return. There would be no way to obtain a reference to the nodes created even if the remaining steps were run.

  4. If parent is a Document, throw a "NoModificationAllowedError" DOMException.

  5. If parent is a DocumentFragment, set parent to the result of creating an element given this's node document, "body", and the HTML namespace.

  6. Let fragment be the result of invoking the fragment parsing algorithm steps given parent and compliantString.

  7. Replace this with fragment within this's parent.

8.5.6 insertAdjacentHTML()メソッド

insertAdjacentHTML()メソッドには、DOM Parsing and Serialization issue trackerに未解決の問題が多数あり、その仕様に関するさまざまな問題が文書化されている。

element.insertAdjacentHTML(position, string)

stringをHTMLまたはXMLとして解析し、結果のノードを次のようにposition引数で指定された位置にツリーに挿入する:

"beforebegin"
要素自体の前(つまり、elementの前の兄弟の後)
"afterbegin"
要素のすぐ内側で、最初の子の前。
"beforeend"
要素の内部で、最後の子の後。
"afterend"
要素自体の前(つまり、elementの次の兄弟の前)

引数に無効な値が含まれている場合に"SyntaxError" DOMExceptionを投げる(たとえば、XML文書の場合、指定された文字列が整形式でない場合)。

指定した位置が使用できない場合に"NoModificationAllowedError" DOMExceptionを投げる(たとえば、Documentのルート要素の後に要素を挿入する場合など)。

このメソッドは、scriptまたはイベントハンドラーコンテンツ属性のような潜在的に危険な要素および属性を削除するためのサニタイズを実行しない。

Element's insertAdjacentHTML(position, string) method steps are:

  1. Let compliantString be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, string, "Element insertAdjacentHTML", and "script".

  2. Let context be null.

  3. Use the first matching item from this list:

    If position is an ASCII case-insensitive match for the string "beforebegin"
    If position is an ASCII case-insensitive match for the string "afterend"

    1. Set context to this's parent.

    2. If context is null or a Document, throw a "NoModificationAllowedError" DOMException.

    If position is an ASCII case-insensitive match for the string "afterbegin"
    If position is an ASCII case-insensitive match for the string "beforeend"
    Set context to this.
    そうでなければ

    Throw a "SyntaxError" DOMException.

  4. If context is not an Element or all of the following are true:

    then set context to the result of creating an element given this's node document, "body", and the HTML namespace.

  5. Let fragment be the result of invoking the fragment parsing algorithm steps with context and compliantString.

  6. Use the first matching item from this list:
    If position is an ASCII case-insensitive match for the string "beforebegin"

    Insert fragment into this's parent before this.

    If position is an ASCII case-insensitive match for the string "afterbegin"

    Insert fragment into this before its first child.

    If position is an ASCII case-insensitive match for the string "beforeend"

    Append fragment to this.

    If position is an ASCII case-insensitive match for the string "afterend"

    Insert fragment into this's parent before this's next sibling.

As with other direct Node-manipulation APIs (and unlike innerHTML), insertAdjacentHTML() does not include any special handling for template elements. In most cases you will want to use templateEl.content.insertAdjacentHTML() instead of directly manipulating the child nodes of a template element.

8.5.7 createContextualFragment()メソッド

createContextualFragment()メソッドには、DOM Parsing and Serialization issue trackerに未解決の問題が多数あり、その仕様に関するさまざまな問題が文書化されている。

docFragment = range.createContextualFragment(string)

fragmentが解析されるコンテキストとしてrange開始ノードを使用して、マークアップ文字列stringから作成された DocumentFragmentを返す。

このメソッドは、scriptまたはイベントハンドラーコンテンツ属性のような潜在的に危険な要素および属性を削除するためのサニタイズを実行しない。

partial interface Range {
  [CEReactions, NewObject] DocumentFragment createContextualFragment((TrustedHTML or DOMString) string);
};

Range's createContextualFragment(string) method steps are:

  1. Let compliantString be the result of invoking the get trusted type compliant string algorithm with TrustedHTML, this's relevant global object, string, "Range createContextualFragment", and "script".

  2. Let node be this's start node.

  3. Let element be null.

  4. If node implements Element, set element to node.

  5. Otherwise, if node implements Text or Comment, set element to node's parent element.

  6. If element is null or all of the following are true:

    then set element to the result of creating an element given this's node document, "body", and the HTML namespace.

  7. Return the result of invoking the fragment parsing algorithm steps with element, compliantString, and Fragment.

8.5.8 XMLSerializerインターフェイス

XMLSerializeインターフェイスには、DOM Parsing and Serialization issue trackerに未解決の問題が多数あり、その仕様に関するさまざまな問題が文書化されている。DOM Parsing and Serializationの残りの部分は、この仕様に徐々にアップストリームされまる。

xmlSerializer = new XMLSerializer()

新しいXMLSerializerオブジェクトを構築する。

string = xmlSerializer.serializeToString(root)

rootをXMLにシリアル化した結果を返す。

rootをXMLにシリアル化できない場合、"InvalidStateError" DOMExceptionを投げる。

構築してからserializeToString()メソッドを呼び出す必要があるクラスとしてのXMLSerializerの設計は、不幸な歴史的成果物である。もし今日にこの機能を設計していたとしたら、それはスタンドアロン機能になっただろう。

[Exposed=Window]
interface XMLSerializer {
  constructor();

  DOMString serializeToString(Node root);
};

The new XMLSerializer() constructor steps are to do nothing.

The serializeToString(root) method steps are:

  1. Return the XML serialization of root given false.

8.6 HTML sanitization

8.6.1 Introduction

この節は非規範的である。

Web applications often need to process untrusted HTML strings, such as when rendering user-generated content or using client-side templates. Safely inserting these strings into the DOM requires careful sanitization to prevent DOM-based cross-site scripting (XSS) attacks.

HTML sanitization provides a native mechanism for safely parsing and sanitizing HTML strings. By using the user agent's own HTML parser, they ensure the sanitized output accurately reflects how the browser will render the content, preventing script execution and mitigating advanced attacks such as script gadgets.

These APIs offer functionality to parse a string containing HTML into a DOM tree, and to filter the resulting tree according to a user-supplied configuration. The methods come in two main flavors: "safe" and "unsafe".

8.6.1.1 Safe and unsafe

The "safe" methods will not generate any markup that executes script. That is, they are intended to be safe from XSS. The "unsafe" methods will parse and filter based on the provided configuration, but do not have the same safety guarantees by default.

8.6.2 The Sanitizer interface

[Exposed=Window]
interface Sanitizer {
  constructor(optional (SanitizerConfig or SanitizerPresets) configuration = "default");

  // Query configuration:
  SanitizerConfig get();

  // Modify a Sanitizer's lists and fields:
  boolean allowElement(SanitizerElementWithAttributes element);
  boolean removeElement(SanitizerElement element);
  boolean replaceElementWithChildren(SanitizerElement element);
  boolean allowProcessingInstruction(SanitizerPI pi);
  boolean removeProcessingInstruction(SanitizerPI pi);
  boolean allowAttribute(SanitizerAttribute attribute);
  boolean removeAttribute(SanitizerAttribute attribute);
  boolean setComments(boolean allow);
  boolean setDataAttributes(boolean allow);

  // Remove markup that executes script.
  boolean removeUnsafe();
};
config = sanitizer.get()

Returns a copy of the sanitizer's configuration.

sanitizer.allowElement(element)

Ensures that the sanitizer configuration allows the specified element.

sanitizer.removeElement(element)

Ensures that the sanitizer configuration blocks the specified element.

sanitizer.replaceElementWithChildren(element)

Configures the sanitizer to remove the specified element but keep its child nodes.

sanitizer.allowAttribute(attribute)

Configures the sanitizer to allow the specified attribute globally.

sanitizer.removeAttribute(attribute)

Configures the sanitizer to block the specified attribute globally.

sanitizer.allowProcessingInstruction(pi)

Configures the sanitizer to allow the specified processing instruction.

sanitizer.removeProcessingInstruction(pi)

Configures the sanitizer to block the specified processing instruction.

sanitizer.setComments(allow)

Sets whether the sanitizer preserves comments.

sanitizer.setDataAttributes(allow)

Sets whether the sanitizer preserves custom data attributes (e.g., data-*).

sanitizer.removeUnsafe()

Modifies the configuration to automatically remove elements and attributes that are considered unsafe.

A Sanitizer object has an associated configuration, which is a SanitizerConfig.

The new Sanitizer(configuration) constructor steps are:

  1. If configuration is a SanitizerPresets string:

    1. Assert: configuration is "default".

    2. Set configuration to the built-in safe default configuration.

  2. Configure this given configuration and true.

To configure a Sanitizer sanitizer, given a dictionary configuration and a boolean allowCommentsPIsAndDataAttributes:

  1. Canonicalize the configuration configuration with allowCommentsPIsAndDataAttributes.

  2. If configuration is not valid, then throw a TypeError.

  3. Set sanitizer's configuration to configuration.

To canonicalize the configuration SanitizerConfig configuration with a boolean allowCommentsPIsAndDataAttributes:

  1. If neither configuration["elements"] nor configuration["removeElements"] exists, then set configuration["removeElements"] to an empty list.

  2. If neither configuration["attributes"] nor configuration["removeAttributes"] exists, then set configuration["removeAttributes"] to an empty list.

  3. If neither configuration["processingInstructions"] nor configuration["removeProcessingInstructions"] exists:

    1. If allowCommentsPIsAndDataAttributes is true, then set configuration["removeProcessingInstructions"] to an empty list.

    2. Otherwise, set configuration["processingInstructions"] to an empty list.

  4. If configuration["elements"] exists:

    1. Let newElements be « ».

    2. For each element of configuration["elements"], append the result of canonicalizing element to newElements.

    3. Set configuration["elements"] to newElements.

  5. If configuration["removeElements"] exists, then set configuration["removeElements"] to the result of canonicalizing configuration["removeElements"].

  6. If configuration["attributes"] exists, then set configuration["attributes"] to the result of canonicalizing configuration["attributes"].

  7. If configuration["removeAttributes"] exists, then set configuration["removeAttributes"] to the result of canonicalizing configuration["removeAttributes"].

  8. If configuration["replaceWithChildrenElements"] exists, then set configuration["replaceWithChildrenElements"] to the result of canonicalizing configuration["replaceWithChildrenElements"].

  9. If configuration["processingInstructions"] exists, then set configuration["processingInstructions"] to the result of canonicalizing configuration["processingInstructions"].

  10. If configuration["removeProcessingInstructions"] exists, then set configuration["removeProcessingInstructions"] to the result of canonicalizing configuration["removeProcessingInstructions"].

  11. If configuration["comments"] does not exist, then set it to allowCommentsPIsAndDataAttributes.

  12. If configuration["attributes"] exists and configuration["dataAttributes"] does not exist, then set it to allowCommentsPIsAndDataAttributes.

To canonicalize a sanitizer list list:

  1. Let newList be « ».

  2. For each item in list, append the result of canonicalizing item to newList.

  3. Return newList.

To canonicalize a processing instruction list list:

  1. Let newList be « ».

  2. For each item in list, append the result of canonicalizing item to newList.

  3. Return newList.

To canonicalize a processing instruction given a SanitizerPI pi:

  1. If pi is a DOMString, then return «[ "target" → pi ]».

  2. Assert: pi is a dictionary and pi["target"] exists.

  3. Return «[ "target" → pi["target"] ]».

To canonicalize a sanitizer name given a DOMString or dictionary name, and a default namespace defaultNamespace (default null):

  1. If name is a DOMString, then return «[ "name" → name, "namespace" → defaultNamespace ]».

  2. Assert: name is a dictionary and both name["name"] and name["namespace"] exist.

  3. If name["namespace"] is the empty string, then set it to null.

  4. Return «[ "name" → name["name"], "namespace" → name["namespace"] ]».

To canonicalize a sanitizer element given a SanitizerElement element:

  1. Return the result of canonicalizing element with the HTML namespace as the default namespace.

To canonicalize a sanitizer element list list:

  1. Let newList be « ».

  2. For each item in list, append the result of canonicalizing item to newList.

  3. Return newList.

To find the canonicalized intersection of lists A and B:

  1. Let setA be « ».

  2. Let setB be « ».

  3. For each entry of A, append the result of canonicalizing entry to setA.

  4. For each entry of B, append the result of canonicalizing entry to setB.

  5. Return the intersection of setA and setB.

The get() method steps are:

Outside of the get() method, the order of the Sanitizer's elements and attributes is unobservable. By explicitly sorting the result of this method, we give implementations the opportunity to optimize by, for example, using unordered sets internally.

  1. Let config be this's configuration.

  2. Assert: config is valid.

  3. If config["elements"] exists:

    1. For each element of config["elements"]:

      1. If element["attributes"] exists, then set element["attributes"] to the result of sorting element["attributes"], with compare sanitizer items.

      2. If element["removeAttributes"] exists, then set element["removeAttributes"] to the result of sorting element["removeAttributes"], with compare sanitizer items.

    2. Set config["elements"] to the result of sorting config["elements"], with compare sanitizer items.

  4. Otherwise:

    1. Set config["removeElements"] to the result of sorting config["removeElements"], with compare sanitizer items.

  5. If config["replaceWithChildrenElements"] exists, then set config["replaceWithChildrenElements"] to the result of sorting config["replaceWithChildrenElements"], with compare sanitizer items.

  6. If config["processingInstructions"] exists, then set config["processingInstructions"] to the result of sorting config["processingInstructions"], with piA["target"] being code unit less than piB["target"].

  7. Otherwise:

    1. Set config["removeProcessingInstructions"] to the result of sorting config["removeProcessingInstructions"], with piA["target"] being code unit less than piB["target"].

  8. If config["attributes"] exists, then set config["attributes"] to the result of sorting config["attributes"] given compare sanitizer items.

  9. Otherwise:

    1. Set config["removeAttributes"] to the result of sorting config["removeAttributes"] given compare sanitizer items.

  10. Return config.

The allowElement(element) method steps are:

  1. Let configuration be this's configuration.

  2. Assert: configuration is valid.

  3. Set element to the result of canonicalizing element.

  4. If configuration["elements"] exists:

    1. Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

    2. If configuration["attributes"] exists:

      1. If element["attributes"] exists:

        1. Set element["attributes"] to the result of creating a set from element["attributes"].

        2. Set element["attributes"] to the difference of element["attributes"] and configuration["attributes"].

        3. If configuration["dataAttributes"] is true, then remove all items item from element["attributes"] where item is a custom data attribute.

      2. If element["removeAttributes"] exists:

        1. Set element["removeAttributes"] to the result of creating a set from element["removeAttributes"].

        2. Set element["removeAttributes"] to the intersection of element["removeAttributes"] and configuration["attributes"].

    3. Otherwise:

      1. If element["attributes"] exists:

        1. Set element["attributes"] to the result of creating a set from element["attributes"].

        2. Set element["attributes"] to the difference of element["attributes"] and element["removeAttributes"] with default « ».

        3. Remove element["removeAttributes"].

        4. Set element["attributes"] to the difference of element["attributes"] and configuration["removeAttributes"].

      2. If element["removeAttributes"] exists:

        1. Set element["removeAttributes"] to the result of creating a set from element["removeAttributes"].

        2. Set element["removeAttributes"] to the difference of element["removeAttributes"] and configuration["removeAttributes"].

    4. If configuration["elements"] does not contain element:

      1. Append element to configuration["elements"].

      2. Return true.

    5. Let currentElement be the item in configuration["elements"] whose name member is element's name member and whose namespace member is element's namespace member.

    6. If element is equal to currentElement, then return modified.

    7. Remove element from configuration["elements"].

    8. Append element to configuration["elements"].

    9. Return true.

  5. Otherwise:

    1. If element["attributes"] exists or element["removeAttributes"] with default « » is not empty, then return false.

    2. Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

    3. If configuration["removeElements"] does not contain element, then return modified.

    4. Remove element from configuration["removeElements"].

    5. Return true.

The removeElement(element) method steps are to return the result of removing element from this's configuration.

The replaceElementWithChildren(element) method steps are:

  1. Let configuration be this's configuration.

  2. Assert: configuration is valid.

  3. Set element to the result of canonicalizing element.

  4. If the built-in non-replaceable elements list contains element, then return false.

  5. Let modified be the result of removing element from configuration["elements"].

  6. If removing element from configuration["removeElements"] is true, then set modified to true.

  7. If configuration["replaceWithChildrenElements"] does not contain element:

    1. Append element to configuration["replaceWithChildrenElements"].

    2. Return true.

  8. Return modified.

The allowAttribute(attribute) method steps are:

  1. Let configuration be this's configuration.

  2. Assert: configuration is valid.

  3. Set attribute to the result of canonicalizing attribute.

  4. If configuration["attributes"] exists:

    1. If configuration["dataAttributes"] is true and attribute is a custom data attribute, then return false.

    2. If configuration["attributes"] contains attribute, then return false.

    3. If configuration["elements"] exists:

      1. For each element in configuration["elements"]:

        1. If element["attributes"] with default « » contains attribute, then remove attribute from element["attributes"].

    4. Append attribute to configuration["attributes"].

    5. Return true.

  5. Otherwise:

    1. If configuration["removeAttributes"] does not contain attribute, then return false.

    2. Remove attribute from configuration["removeAttributes"].

    3. Return true.

The removeAttribute(attribute) method steps are to return the result of removing attribute from this's configuration.

The setComments(allow) method steps are:

  1. Let configuration be this's configuration.

  2. Assert: configuration is valid.

  3. If configuration["comments"] exists and is equal to allow, then return false.

  4. Set configuration["comments"] to allow.

  5. Return true.

The setDataAttributes(allow) method steps are:

  1. Let configuration be this's configuration.

  2. Assert: configuration is valid.

  3. If configuration["attributes"] does not exist, then return false.

  4. If configuration["dataAttributes"] exists and is equal to allow, then return false.

  5. If allow is true:

    1. If configuration["elements"] exists:

      1. For each element of configuration["elements"]:

        1. If element["attributes"] exists, then remove all items item from element["attributes"] where item is a custom data attribute.

    2. Remove all items item from configuration["attributes"] where item is a custom data attribute.

  6. Set configuration["dataAttributes"] to allow.

  7. Return true.

The allowProcessingInstruction(pi) method steps are:

  1. Let configuration be this's configuration.

  2. Assert: configuration is valid.

  3. Set pi to the result of canonicalizing pi.

  4. If configuration["processingInstructions"] exists:

    1. If configuration["processingInstructions"] contains pi, then return false.

    2. Append pi to configuration["processingInstructions"].

    3. Return true.

  5. Otherwise:

    1. If configuration["removeProcessingInstructions"] contains pi:

      1. Remove pi from configuration["removeProcessingInstructions"].

      2. Return true.

    2. falseを返す。

The removeProcessingInstruction(pi) method steps are:

  1. Let configuration be this's configuration.

  2. Assert: configuration is valid.

  3. Set pi to the result of canonicalizing pi.

  4. If configuration["processingInstructions"] exists:

    1. If configuration["processingInstructions"] contains pi:

      1. Remove pi from configuration["processingInstructions"].

      2. Return true.

    2. falseを返す。

  5. Otherwise:

    1. If configuration["removeProcessingInstructions"] contains pi, then return false.

    2. Append pi to configuration["removeProcessingInstructions"].

    3. Return true.

The removeUnsafe() method steps are to return the result of removing unsafe from this's configuration.

8.6.3 Sanitizer configuration

dictionary SanitizerElementNamespace {
  required DOMString name;
  DOMString? _namespace = "http://www.w3.org/1999/xhtml";
};

// Used by "elements"
dictionary SanitizerElementNamespaceWithAttributes : SanitizerElementNamespace {
  sequence<SanitizerAttribute> attributes;
  sequence<SanitizerAttribute> removeAttributes;
};

dictionary SanitizerAttributeNamespace {
  required DOMString name;
  DOMString? _namespace = null;
};

dictionary SanitizerProcessingInstruction {
  required DOMString target;
};

typedef (DOMString or SanitizerElementNamespace) SanitizerElement;
typedef (DOMString or SanitizerElementNamespaceWithAttributes) SanitizerElementWithAttributes;
typedef (DOMString or SanitizerProcessingInstruction) SanitizerPI;
typedef (DOMString or SanitizerAttributeNamespace) SanitizerAttribute;

dictionary SanitizerConfig {
  sequence<SanitizerElementWithAttributes> elements;
  sequence<SanitizerElement> removeElements;
  sequence<SanitizerElement> replaceWithChildrenElements;

  sequence<SanitizerPI> processingInstructions;
  sequence<SanitizerPI> removeProcessingInstructions;

  sequence<SanitizerAttribute> attributes;
  sequence<SanitizerAttribute> removeAttributes;

  boolean comments;
  boolean dataAttributes;
};

SanitizerElementNamespace, SanitizerAttributeNamespace, SanitizerElementNamespaceWithAttributes, and SanitizerProcessingInstruction dictionaries are considered equal when all of their members are equal.

Equality should be defined in the infra spec instead. See issue #664.

8.6.3.1 Configuration invariants

この節は非規範的である。

Configurations can and ought to be modified by developers to suit their purposes. Options are to write a new SanitizerConfig dictionary from scratch, to modify an existing Sanitizer's configuration by using the modifier methods, or to get() an existing Sanitizer's configuration as a dictionary and modify the dictionary and then create a new Sanitizer with it.

An empty configuration allows everything (when called with the "unsafe" methods like setHTMLUnsafe()). A configuration "default" contains a built-in safe default configuration. Note that "safe" and "unsafe" sanitizer methods have different defaults.

Not all configuration dictionaries are valid. A valid configuration avoids redundancy (like specifying the same element to be allowed twice) and contradictions (like specifying an element to be both removed and allowed.)

Several conditions need to hold for a configuration to be valid:

The elements element allow-list can also specify allowing or removing attributes for a given element. This is meant to mirror this standard's structure, which knows both global attributes as well as local attributes that apply to a specific element. Global and local attributes can be mixed, but note that ambiguous configurations where a particular attribute would be allowed by one list and forbidden by another, are generally invalid.

global attributesglobal removeAttributes
local attributesAn attribute is allowed if it matches either list. No duplicates are allowed.An attribute is only allowed if it's in the local allow list. No duplicate entries between global remove and local allow lists are allowed. Note that the global remove list has no function for this particular element, but can apply to other elements that do not have a local allow list.
local removeAttributesAn attribute is allowed if it's in the global allow-list, but not in the local remove-list. Local remove has to be a subset of the global allow lists.An attribute is allowed if it is in neither list. No duplicate entries between global remove and local remove lists are allowed.

Please note the asymmetry where mostly no duplicates between global and per-element lists are permitted, but in the case of a global allow-list and a per-element remove-list the latter has to be a subset of the former. An excerpt of the table above, only focusing on duplicates, is as follows:

global attributesglobal removeAttributes
local attributesNo duplicates are allowed.No duplicates are allowed.
local removeAttributesLocal remove has to be a subset of the global allow lists.No duplicates are allowed.

The dataAttributes setting allows custom data attributes. The rules above easily extends to custom data attributes if one considers dataAttributes to be an allow-list:

global attributes and dataAttributes set
local attributesAll custom data attributes are allowed. No custom data attributes can be listed in any allow-list, as that would mean a duplicate entry.
local removeAttributesA custom data attribute is allowed, unless it's listed in the local remove-list. No custom data attribute can be listed in the global allow-list, as that would mean a duplicate entry.

Putting these rules in words:

8.6.4 Sanitization algorithms

To set and filter HTML, given an Element or DocumentFragment target, an Element contextElement, a string html, a dictionary options, and a boolean safe:

  1. If all of the following are true:

    then return.

  2. Let sanitizer be the result of calling getting a sanitizer from options given safe.

  3. Let scriptingMode be Inert.

  4. If options["runScripts"] is true:

    1. Assert: safe is false.

    2. Set scriptingMode to Fragment.

  5. Let newChildren be the result of parsing a fragment given contextElement, html, true, and scriptingMode.

    Scripts in newChildren will only execute once inserted into target.

  6. Let fragment be a new DocumentFragment whose node document is contextElement's node document.

  7. For each node in newChildren, append node to fragment.

  8. Sanitize fragment given sanitizer and safe.

  9. Replace all with fragment within target.

To get a sanitizer instance from options from a dictionary options with a boolean safe:

  1. Let sanitizerSpec be "default".

  2. If options["sanitizer"] exists, then set sanitizerSpec to options["sanitizer"].

  3. Assert: sanitizerSpec is either a Sanitizer instance, a SanitizerPresets member, or a SanitizerConfig dictionary.

  4. If sanitizerSpec is a string:

    1. Assert: sanitizerSpec is "default".

    2. Set sanitizerSpec to the built-in safe default configuration.

  5. If sanitizerSpec is a dictionary:

    1. Let sanitizer be a new Sanitizer object.

    2. Let allowCommentsAndDataAttributes be true if safe is false; false otherwise.

    3. Configure sanitizer given sanitizerSpec and allowCommentsAndDataAttributes.

    4. Set sanitizerSpec to sanitizer.

  6. Return sanitizerSpec.

To sanitize a Node node with a Sanitizer sanitizer and a boolean safe:

  1. Let configuration be sanitizer's configuration.

  2. Assert: configuration is valid.

  3. If safe is true, then remove unsafe from configuration.

  4. Run the inner sanitize steps given node, configuration, and safe.

To perform the inner sanitize steps given a Node node, a SanitizerConfig configuration, and a boolean handleJavascriptNavigationUrls:

  1. For each child of node's children:

    1. Assert: child is a Text, Comment, Element, ProcessingInstruction, or DocumentType node.

    2. If child is a DocumentType or Text node, then continue.

    3. If child is a Comment node:

      1. If configuration["comments"] is not true, then remove child.

      2. Continue.

    4. If child is a ProcessingInstruction node:

      1. Let piTarget be child's target.

      2. If configuration["processingInstructions"] exists:

        1. If configuration["processingInstructions"] does not contain piTarget, then remove child.

      3. Otherwise:

        1. If configuration["removeProcessingInstructions"] contains piTarget, then remove child.

    5. Otherwise:

      1. Let elementName be a SanitizerElementNamespace with child's local name and namespace.

      2. If configuration["replaceWithChildrenElements"] exists and configuration["replaceWithChildrenElements"] contains elementName:

        1. Assert: node is not a Document.

        2. Run the inner sanitize steps given child, configuration, and handleJavascriptNavigationUrls.

        3. Let fragment be a new DocumentFragment whose node document is node's node document.

        4. For each innerChild of child's children, append innerChild to fragment.

        5. Replace child with fragment within node. Assert that this did not throw.

        6. Continue.

      3. If configuration["elements"] exists:

        1. If configuration["elements"] does not contain elementName, then remove child and continue.

      4. Otherwise:

        1. If configuration["removeElements"] contains elementName, then remove child and continue.

      5. If elementName["name"] is "template" and elementName["namespace"] is the HTML namespace, then run the inner sanitize steps given child's template contents, configuration, and handleJavascriptNavigationUrls.

      6. If child is a shadow host, then run the inner sanitize steps given child's shadow root, configuration, and handleJavascriptNavigationUrls.

      7. Let elementWithLocalAttributes be «[ ]».

      8. If configuration["elements"] exists and configuration["elements"] contains elementName, then set elementWithLocalAttributes to configuration["elements"][elementName].

      9. For each attribute in child's attribute list:

        1. Let attrName be a SanitizerAttributeNamespace with attribute's local name and namespace.

        2. If elementWithLocalAttributes["removeAttributes"] exists and elementWithLocalAttributes["removeAttributes"] contains attrName, then remove attribute.

        3. Otherwise, if configuration["attributes"] exists:

          1. If configuration["attributes"] does not contain attrName and elementWithLocalAttributes["attributes"] with default « » does not contain attrName, and if "data-" is not a code unit prefix of attribute's local name or attribute's namespace is not null or configuration["dataAttributes"] is not true, then remove attribute.

        4. Otherwise:

          1. If elementWithLocalAttributes["attributes"] exists and elementWithLocalAttributes["attributes"] does not contain attrName, then remove attribute.

          2. Otherwise, if configuration["removeAttributes"] contains attrName, then remove attribute.

        5. If handleJavascriptNavigationUrls is true:

          1. If the pair (elementName, attrName) matches an entry in the built-in navigating URL attributes list, and if attribute contains a javascript: URL, then remove attribute.

          2. If child's namespace is the MathML Namespace, attribute's local name is "href", attribute's namespace is null or the XLink namespace, and attribute contains a javascript: URL, then remove attribute.

          3. If the built-in animating URL attributes list contains the pair (elementName, attrName), and attribute's value is "href" or "xlink:href", then remove attribute.

      10. Run the inner sanitize steps given child, configuration, and handleJavascriptNavigationUrls.

To determine whether an attribute attribute contains a javascript: URL:

  1. Let url be the result of running the basic URL parser on attribute's value.

  2. If url is failure, then return false.

  3. Return true if url's scheme is "javascript", and false otherwise.

To remove an element element from a SanitizerConfig configuration:

  1. Assert: configuration is valid.

  2. Set element to the result of canonicalizing element.

  3. Let modified be the result of removing element from configuration["replaceWithChildrenElements"].

  4. If configuration["elements"] exists:

    1. If configuration["elements"] contains element:

      1. Remove element from configuration["elements"].

      2. Return true.

    2. Return modified.

  5. Otherwise:

    1. If configuration["removeElements"] contains element, then return modified.

    2. Append element to configuration["removeElements"].

    3. Return true.

To remove an attribute attribute from a SanitizerConfig configuration:

  1. Assert: configuration is valid.

  2. Set attribute to the result of canonicalizing attribute.

  3. If configuration["attributes"] exists:

    1. Let modified be the result of removing attribute from configuration["attributes"].

    2. If configuration["elements"] exists:

      1. For each element of configuration["elements"]:

        1. If element["attributes"] with default « » contains attribute:

          1. Set modified to true.

          2. Remove attribute from element["attributes"].

        2. If element["removeAttributes"] with default « » contains attribute:

          1. Assert: modified is true.

          2. Remove attribute from element["removeAttributes"].

    3. Return modified.

  4. Otherwise:

    1. If configuration["removeAttributes"] contains attribute, then return false.

    2. If configuration["elements"] exists:

      1. For each element in configuration["elements"]:

        1. If element["attributes"] with default « » contains attribute, then remove attribute from element["attributes"].

        2. If element["removeAttributes"] with default « » contains attribute, then remove attribute from element["removeAttributes"].

    3. Append attribute to configuration["removeAttributes"].

    4. Return true.

To remove unsafe from a SanitizerConfig configuration:

  1. Assert: configuration is valid.

  2. Let result be false.

  3. For each element in built-in safe baseline configuration["removeElements"]:

    1. If removing element from configuration is true, then set result to true.

  4. For each attribute in built-in safe baseline configuration["removeAttributes"]:

    1. If removing attribute from configuration is true, then set result to true.

  5. For each attribute that is an event handler content attribute:

    1. If removing attribute from configuration is true, then set result to true.

  6. Return result.

To compare sanitizer items itemA and itemB:

  1. Let namespaceA be itemA["namespace"].

  2. Let namespaceB be itemB["namespace"].

  3. If namespaceA is null:

    1. If namespaceB is not null, then return true.

  4. Otherwise:

    1. If namespaceB is null, then return false.

    2. If namespaceA is code unit less than namespaceB, then return true.

    3. If namespaceA is not namespaceB, then return false.

  5. If itemA["name"] is code unit less than itemB["name"], then return true.

  6. falseを返す。

To canonicalize a SanitizerElementWithAttributes element:

  1. Let result be the result of canonicalizing element.

  2. If element is a dictionary:

    1. If element["attributes"] exists, then set result["attributes"] to the result of canonicalizing element["attributes"].

    2. If element["removeAttributes"] exists, then set result["removeAttributes"] to the result of canonicalizing element["removeAttributes"].

  3. If neither result["attributes"] nor result["removeAttributes"] exists, then set result["removeAttributes"] to an empty list.

  4. Return result.

To determine whether a canonical SanitizerConfig config is valid:

It's expected that the configuration being passed in has previously been run through the canonicalize the configuration steps. We will simply assert conditions that that algorithm is guaranteed to hold.

  1. Assert: config["elements"] exists or config["removeElements"] exists.

  2. If config["elements"] exists and config["removeElements"] exists, then return false.

  3. Assert: Either config["processingInstructions"] exists or config["removeProcessingInstructions"] exists.

  4. If config["processingInstructions"] exists and config["removeProcessingInstructions"] exists, then return false.

  5. Assert: Either config["attributes"] exists or config["removeAttributes"] exists.

  6. If config["attributes"] exists and config["removeAttributes"] exists, then return false.

  7. Assert: All SanitizerElementNamespaceWithAttributes, SanitizerElementNamespace, SanitizerProcessingInstruction, and SanitizerAttributeNamespace items in config are canonical, meaning they have been run through canonicalizing, as appropriate.

  8. If config["elements"] exists:

    1. If config["elements"] has duplicates, then return false.

  9. Otherwise:

    1. If config["removeElements"] has duplicates, then return false.

  10. If config["replaceWithChildrenElements"] exists and has duplicates, then return false.

  11. If config["processingInstructions"] exists:

    1. If config["processingInstructions"] has duplicates, then return false.

  12. Otherwise:

    1. If config["removeProcessingInstructions"] has duplicates, then return false.

  13. If config["attributes"] exists:

    1. If config["attributes"] has duplicates, then return false.

  14. Otherwise:

    1. If config["removeAttributes"] has duplicates, then return false.

  15. If config["replaceWithChildrenElements"] exists:

    1. For each element of config["replaceWithChildrenElements"]:

      1. If the built-in non-replaceable elements list contains element, then return false.

    2. If config["elements"] exists:

      1. If the intersection of config["elements"] and config["replaceWithChildrenElements"] is not empty, then return false.

    3. Otherwise:

      1. If the intersection of config["removeElements"] and config["replaceWithChildrenElements"] is not empty, then return false.

  16. If config["attributes"] exists:

    1. Assert: config["dataAttributes"] exists.

    2. If config["elements"] exists:

      1. For each element of config["elements"]:

        1. If element["attributes"] exists and element["attributes"] has duplicates, then return false.

        2. If element["removeAttributes"] exists and element["removeAttributes"] has duplicates, then return false.

        3. If the intersection of config["attributes"] and element["attributes"] with default « » is not empty, then return false.

        4. If element["removeAttributes"] with default « » is not a subset of config["attributes"], then return false.

        5. If config["dataAttributes"] is true and element["attributes"] contains a custom data attribute, then return false.

    3. If config["dataAttributes"] is true and config["attributes"] contains a custom data attribute, then return false.

  17. Otherwise:

    1. If config["elements"] exists:

      1. For each element of config["elements"]:

        1. If element["attributes"] exists and element["removeAttributes"] exists, then return false.

        2. If element["attributes"] exists and element["attributes"] has duplicates, then return false.

        3. If element["removeAttributes"] exists and element["removeAttributes"] has duplicates, then return false.

        4. If the intersection of config["removeAttributes"] and element["attributes"] with default « » is not empty, then return false.

        5. If the intersection of config["removeAttributes"] and element["removeAttributes"] with default « » is not empty, then return false.

    2. If config["dataAttributes"] exists, then return false.

  18. Return true.

8.6.5 Sanitization constants

An element's sanitization category can be one of the following:

Default
The element is included in the default SanitizerConfig.
Unsafe
The element can result in XSS. (Such elements are preserved by setHTMLUnsafe() or parseHTMLUnsafe(), and removed by setHTML(), parseHTML(), and removeUnsafe().)
Uncategorized
The element is neither removed nor included by default, but can still be added to a SanitizerConfig.

The built-in safe baseline configuration is a SanitizerConfig. Its removeElements list consists of all HTML elements normatively marked as Unsafe within their individual definitions, along with the obsolete frame element, and the SVG script and SVG use elements, and its removeAttributes list is empty.

Event handler content attributes are automatically removed by the remove unsafe algorithm during safe sanitization, so the effective baseline behaves as if they were included in the removeAttributes list.

The built-in safe default configuration is a SanitizerConfig whose members are initialized as follows:

processingInstructions
« »
attributes
A list consisting of:
comments
false
dataAttributes
false
elements
All HTML elements normatively categorized as Default within their individual definitions, alongside the MathML and SVG elements listed in the table below. Attributes included in those definitions are included in each element's respective attributes list.

The following table lists the MathML and SVG elements that are categorized as Default in the built-in safe default configuration, represented as a list of SanitizerElementNamespaceWithAttributes dictionaries. For each row in the table, the "Element" column corresponds to the name member, the "Namespace" column corresponds to the namespace member, and the "Allowed attributes" column corresponds to the attributes member (where each listed attribute is represented as a SanitizerAttribute in the sequence):

要素名前空間Allowed attributes
mathMathML
merrorMathML
mfracMathML
miMathML
mmultiscriptsMathML
mnMathML
moMathMLfence, form, largeop, lspace, maxsize, minsize, movablelimits, rspace, separator, stretchy, symmetric
moverMathMLaccent
mpaddedMathMLdepth, height, lspace, voffset, width
mphantomMathML
mprescriptsMathML
mrootMathML
mrowMathML
msMathML
mspaceMathMLdepth, height, width
msqrtMathML
mstyleMathML
msubMathML
msubsupMathML
msupMathML
mtableMathML
mtdMathMLcolumnspan, rowspan
mtextMathML
mtrMathML
munderMathMLaccentunder
munderoverMathMLaccent, accentunder
semanticsMathML
aSVGhref, hreflang, type
circleSVGcx, cy, pathLength, r
defsSVG
descSVG
ellipseSVGcx, cy, pathLength, rx, ry
foreignObjectSVGheight, width, x, y
gSVG
lineSVGpathLength, x1, x2, y1, y2
markerSVGmarkerHeight, markerUnits, markerWidth, orient, preserveAspectRatio, refX, refY, viewBox
metadataSVG
パスSVGd, pathLength
polygonSVGpathLength, points
polylineSVGpathLength, points
rectSVGheight, pathLength, rx, ry, width, x, y
svgSVGheight, preserveAspectRatio, viewBox, width, x, y
textSVGdx, dy, lengthAdjust, rotate, textLength, x, y
textPathSVGlengthAdjust, method, path, side, spacing, startOffset, textLength
titleSVG
tspanSVGdx, dy, lengthAdjust, rotate, textLength, x, y

The built-in navigating URL attributes list corresponds to all HTML elements marked with navigating URL attributes in their normative definitions, as well as the element-attribute pairs represented in the following table. For each row in the table, the element corresponds to a SanitizerElementNamespace whose name member is given by the "Element" column and whose namespace member is given by the "Element namespace" column; and the attribute corresponds to a SanitizerAttributeNamespace whose name member is given by the "Attribute" column and whose namespace member is given by the "Attribute namespace" column:

要素Element namespace属性Attribute namespace
aSVGhrefno namespace
aSVGhrefXLink

The built-in animating URL attributes list is the list of element-attribute pairs represented by the following table. For each row in the table, the element corresponds to a SanitizerElementNamespace whose name member is given by the "Element" column and whose namespace member is given by the "Element namespace" column; and the attribute corresponds to a SanitizerAttributeNamespace whose name member is given by the "Attribute" column and whose namespace member is null:

要素Element namespace属性
animateSVGattributeName
animateTransformSVGattributeName
設定するSVGattributeName

The built-in non-replaceable elements list contains elements that must not be replaced with their children, as doing so can lead to re-parsing issues or an invalid node tree. It is the following list of SanitizerElementNamespace dictionaries, represented by the table below. For each row in the table, the "Element" column corresponds to the name member, and the "Element namespace" column corresponds to the namespace member:

要素Element namespace
htmlHTML
svgSVG
mathMathML

8.6.6 Security considerations

この節は非規範的である。

The Sanitizer API is intended to prevent DOM-based cross-site scripting by traversing supplied HTML content and removing elements and attributes according to a configuration. By design, the setHTML() and parseHTML() methods remove script-capable markup regardless of the configuration supplied; if any configuration could preserve such markup through these methods, that would be a bug.

However, there are security issues that the Sanitizer API cannot prevent. The following sections describe them.

8.6.6.1 Server-side reflected and stored XSS

この節は非規範的である。

The Sanitizer API operates solely in the DOM and adds a capability to traverse and filter an existing DocumentFragment. The Sanitizer API does not address server-side reflected or stored XSS.

8.6.6.2 DOM clobbering

この節は非規範的である。

DOM clobbering describes an attack in which malicious HTML confuses an application by using id or name attributes such that DOM properties, such as the children property of an HTML element, are shadowed by malicious content.

The Sanitizer API does not protect against DOM clobbering attacks by default, but can be configured to remove id and name attributes.

8.6.6.3 XSS with script gadgets

この節は非規範的である。

Script gadgets are a technique in which an attacker uses existing application code from popular JavaScript libraries to cause their own code to execute. This is often done by injecting innocent-looking code or seemingly inert DOM nodes that are only parsed and interpreted by a framework which then performs the execution of JavaScript based on that input.

The Sanitizer API cannot prevent these attacks. Instead, it relies on authors to explicitly allow unknown elements in general, and additionally to explicitly allow attributes, elements, and markup commonly used for templating and framework-specific code, such as data-* and slot attributes and elements like slot and template. These restrictions are not exhaustive and authors are encouraged to examine their third party libraries for this behavior.

8.6.6.4 Mutation XSS

この節は非規範的である。

Mutation XSS or mXSS describes an attack that exploits cases where the parsed DOM structure is not the same after serializing and parsing again, to bypass sanitization that happens before serialization. An example for carrying out such an attack is by relying on the change of parsing behavior for foreign content or mis-nested tags.

The Sanitizer API offers only functions that turn a string into a node tree. The context is supplied implicitly by all sanitizer functions: setHTML() uses the current element; Document.parseHTML() creates a new document. Therefore Sanitizer API is not directly affected by mutation XSS.

If a developer were to retrieve a sanitized node tree as a string, e.g. via innerHTML, and to then parse it again then mutation XSS can occur. This practice is strongly discouraged. If processing or passing of HTML as a string is necessary after all, then any string is to be considered untrusted and re-sanitized when inserted into the DOM. In other words, a sanitized and then serialized HTML tree can no longer be considered sanitized. A more complete treatment of mXSS can be found in [MXSS].