Lower case sanitizer in Default sanitizer configuration

hamishwillee · hamishwillee · commit 3143eda3ee59 · 2026-03-13T11:42:21.000+11:00
diff --git a/files/en-us/web/api/document/parsehtml_static/index.md b/files/en-us/web/api/document/parsehtml_static/index.md
@@ -26,7 +26,7 @@ Document.parseHTML(input, options)
 - `options` {{optional_inline}}
   - : An options object with the following optional parameters:
     - `sanitizer`
-      - : A {{domxref("Sanitizer")}} or {{domxref("SanitizerConfig")}} object which defines what elements of the input will be allowed or removed, or the string `"default"` for the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+      - : A {{domxref("Sanitizer")}} or {{domxref("SanitizerConfig")}} object which defines what elements of the input will be allowed or removed, or the string `"default"` for the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
         The method will remove any XSS-unsafe elements and attributes, even if allowed by the sanitizer.
         If not specified, the default `Sanitizer` configuration is used.
 
@@ -50,7 +50,7 @@ A {{domxref("Document")}}.
 The **`parseHTML()`** method parses and sanitize a string of HTML in order to create a new {{domxref("Document")}} instance that is XSS-safe.
 The resulting `Document` will have a [content type](/en-US/docs/Web/API/Document/contentType) of "text/html", a [character set](/en-US/docs/Web/API/Document/characterSet) of UTF-8, and a URL of "about:blank".
 
-If no sanitizer is specified in the `options.sanitizer` parameter, `parseHTML()` is used with the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+If no sanitizer is specified in the `options.sanitizer` parameter, `parseHTML()` is used with the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
 This configuration is suitable for the majority of use cases as it prevents XSS attacks, as well as other attacks like clickjacking or spoofing.
 
 A custom `Sanitizer` or `SanitizerConfig` can be specified to choose which elements, attributes, and comments are allowed or removed.
diff --git a/files/en-us/web/api/document/parsehtmlunsafe_static/index.md b/files/en-us/web/api/document/parsehtmlunsafe_static/index.md
@@ -35,7 +35,7 @@ Document.parseHTMLUnsafe(input, options)
   - : An options object with the following optional parameters:
     - `sanitizer` {{optional_inline}}
       - : A {{domxref("Sanitizer")}} or {{domxref("SanitizerConfig")}} object which defines what elements of the input will be allowed or removed.
-        This can also be a string with the value `"default"`, which applies a `Sanitizer` with the (XSS-safe) [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+        This can also be a string with the value `"default"`, which applies a `Sanitizer` with the (XSS-safe) [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
         If not specified, no sanitizer is used.
 
         Note that generally a `Sanitizer` is expected than the to be more efficient than a `SanitizerConfig` if the configuration is to reused.
@@ -78,7 +78,7 @@ This ensures that the input is passed through a transformation function, which h
 Using `TrustedHTML` makes it possible to audit and check that sanitization code is effective in just a few places, rather than scattered across all your injection sinks.
 You should not need to pass a sanitizer to the method when using `TrustedHTML`.
 
-If for any reason you can't use `TrustedHTML` (or even better, `setHTML()`) then the next safest option is to use `setHTMLUnsafe()` with the XSS-safe [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+If for any reason you can't use `TrustedHTML` (or even better, `setHTML()`) then the next safest option is to use `setHTMLUnsafe()` with the XSS-safe [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
 
 ## Specifications
 
diff --git a/files/en-us/web/api/element/sethtml/index.md b/files/en-us/web/api/element/sethtml/index.md
@@ -31,7 +31,7 @@ setHTML(input, options)
     - `sanitizer`
       - : A {{domxref("Sanitizer")}} or {{domxref("SanitizerConfig")}} object which defines what elements of the input will be allowed or removed, or the string `"default"` for the default configuration.
         The method will remove any XSS-unsafe elements and attributes, even if allowed by the sanitizer.
-        If not specified, the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration) is used.
+        If not specified, the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration) is used.
 
         Note that if you're using the same configuration multiple times, it's expected to be more efficient to use a `Santitizer` and modify it when you need to.
 
@@ -55,7 +55,7 @@ The **`setHTML()`** method provides an XSS-safe method to parse and sanitize a s
 `setHTML()` drops any elements in the HTML input string that are invalid in the context of the current element, such as a {{htmlelement("col")}} element outside of a {{htmlelement("table")}}.
 It then removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer.
 
-If no sanitizer is specified in the `options.sanitizer` parameter, `setHTML()` is used with the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+If no sanitizer is specified in the `options.sanitizer` parameter, `setHTML()` is used with the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
 This configuration is suitable for the majority of use cases as it prevents XSS attacks, as well as other attacks like clickjacking or spoofing.
 
 A custom `Sanitizer` or `SanitizerConfig` can be specified to choose which elements, attributes, and comments are allowed or removed.
diff --git a/files/en-us/web/api/element/sethtmlunsafe/index.md b/files/en-us/web/api/element/sethtmlunsafe/index.md
@@ -35,7 +35,7 @@ setHTMLUnsafe(input, options)
   - : An options object with the following optional parameters:
     - `sanitizer` {{optional_inline}}
       - : A {{domxref("Sanitizer")}} or {{domxref("SanitizerConfig")}} object that defines what elements of the input will be allowed or removed.
-        This can also be a string with the value `"default"`, which applies a `Sanitizer` with the (XSS-safe) [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+        This can also be a string with the value `"default"`, which applies a `Sanitizer` with the (XSS-safe) [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
         If not specified, no sanitizer is used.
 
         Note that if you're using the same configuration multiple times, it's expected to be more efficient to use a `Santitizer` and modify it when you need to.
@@ -79,7 +79,7 @@ This ensures that the input is passed through a transformation function, which h
 Using `TrustedHTML` makes it possible to audit and check that sanitization code is effective in just a few places, rather than scattered across all your injection sinks.
 You should not have to pass a sanitizer to the method when using `TrustedHTML`.
 
-If for any reason you can't use `TrustedHTML` (or even better, `setHTML()`) then the next safest option is to use `setHTMLUnsafe()` with the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+If for any reason you can't use `TrustedHTML` (or even better, `setHTML()`) then the next safest option is to use `setHTMLUnsafe()` with the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
 
 ### When should `setHTMLUnsafe()` be used?
 
diff --git a/files/en-us/web/api/html_sanitizer_api/default_sanitizer_configuration/index.md b/files/en-us/web/api/html_sanitizer_api/default_sanitizer_configuration/index.md
@@ -1,13 +1,13 @@
 ---
-title: Default Sanitizer configuration
+title: Default sanitizer configuration
 slug: Web/API/HTML_Sanitizer_API/Default_sanitizer_configuration
 page-type: guide
 ---
 
 {{DefaultAPISidebar("HTML Sanitizer API")}}
 
-The default sanitizer configuration defines the {{domxref("Sanitizer")}} that is used by default if you call the [safe sanitization methods](/en-US/docs/Web/API/HTML_Sanitizer_API#sanitization_methods), such as {{domxref("Element.setHTML()")}}, {{domxref("ShadowRoot.setHTML()")}}, and {{domxref("Document.parseHTML_static","Document.parseHTML()")}}, without specifying a custom sanitizer.
-It is also the default configuration returned by the [`Sanitizer()` constructor](/en-US/docs/Web/API/Sanitizer/Sanitizer) if no `configuration` is passed as an argument.
+The default sanitizer configuration defines the configuration returned by the [`Sanitizer()` constructor](/en-US/docs/Web/API/Sanitizer/Sanitizer) if no `configuration` is passed as an argument.
+This same configuration is implicitly used if you call the [safe sanitization methods](/en-US/docs/Web/API/HTML_Sanitizer_API#sanitization_methods), such as {{domxref("Element.setHTML()")}}, {{domxref("ShadowRoot.setHTML()")}}, and {{domxref("Document.parseHTML_static","Document.parseHTML()")}}, without specifying a custom sanitizer.
 
 This configuration removes the following sorts of items:
 
@@ -20,9 +20,11 @@ This configuration removes the following sorts of items:
 It therefore provides a sanitizer with a minimal attack surface, which is still suitable for the majority of sanitization use cases.
 
 > [!NOTE]
-> The specification calls this configuration the [built-in safe default configuration](https://wicg.github.io/sanitizer-api/#built-in-safe-default-configuration).
+> Calling {{domxref("Sanitizer.removeUnsafe()")}}, or passing a custom sanitizer to the safe sanitization method, only removes the XSS-unsafe items.
+> It does not remove the additional items, comments, and `data-*` attributes.
 
-The following sections list all the elements, with a &check; mark indicating those that are allowed by the default configuration, and also listing the attributes that are allowed only for particular elements.
+The following sections list all the elements, with a &check; mark indicating those that are _allowed_ by the default configuration (the ❌ therefore indicates those that will be removed).
+The "Additional allowed attributes" column lists the attributes that are allowed for the corresponding elements; any other attributes on the element would be removed (unless allowed by the global attributes).
 The [Global attributes](#global_attributes) section lists the attributes that are allowed on all elements (the attributes that are not removed when the configuration is used).
 
 ## HTML elements
diff --git a/files/en-us/web/api/html_sanitizer_api/index.md b/files/en-us/web/api/html_sanitizer_api/index.md
@@ -32,7 +32,7 @@ The sanitizer objects defines the HTML entities that will be filtered out of the
 The {{domxref('Element')}} methods are context aware, and will additionally drop any elements that the HTML specification does not allow in the target element.
 
 The safe methods always remove XSS-unsafe elements and attributes.
-If no sanitizer is passed as a parameter they will use the [default `Sanitizer` configuration](#default_sanitizer_configuration), which removes both XSS-unsafe elements and attributes, such as {{htmlelement("script")}} elements and `onclick` event handlers, along with others that might be be used in other kinds of attacks if provided as user input.
+If no sanitizer is passed as a parameter they will use the [default sanitizer configuration](#default_sanitizer_configuration), which removes both XSS-unsafe elements and attributes, such as {{htmlelement("script")}} elements and `onclick` event handlers, along with others that might be be used in other kinds of attacks if provided as user input.
 If a custom sanitizer is used with a safe method, it is implicitly updated to remove any elements and attributes that are not XSS-safe (note that the passed sanitizer is not modified, and might still allow unsafe entities if used with an unsafe method).
 
 The safe methods should be used instead of {{domxref("Element.innerHTML")}}, {{domxref("Element.outerHTML")}}, or {{domxref("ShadowRoot.innerHTML")}}, for injecting untrusted HTML content.
@@ -193,9 +193,9 @@ So if you call `allowElement()` on an allow configuration and the specified elem
 But if the element is already present then the method would return `false`.
 Note that if you call the same method to set a per-element attribute, this will return `false` if called on a remove sanitizer, because the change cannot be made.
 
-#### Default `Sanitizer` configuration
+#### Default sanitizer configuration
 
-The default `Sanitizer` configuration defines the {{domxref("Sanitizer")}} that is used if you call {{domxref("Element.setHTML()")}} or the other [safe sanitization methods](/en-US/docs/Web/API/HTML_Sanitizer_API#sanitization_methods) without a custom sanitizer.
+The default sanitizer configuration defines the sanitizer that is used if you call {{domxref("Element.setHTML()")}} or the other [safe sanitization methods](/en-US/docs/Web/API/HTML_Sanitizer_API#sanitization_methods) without passing a sanitizer object.
 It is also the configuration that is returned by the [`Sanitizer()` constructor](/en-US/docs/Web/API/Sanitizer/Sanitizer) when no configuration is set.
 
 This configuration removes the following sorts of items:
@@ -209,7 +209,7 @@ It therefore provides a sanitizer with a minimal attack surface, which is still
 Note that if you specify a _custom_ sanitizer that allows XSS-unsafe items to a safe sanitization method, these items will still be removed from the input.
 However, the safe sanitization methods do not automatically remove the additional items, comments, and `data-*` attributes, that would be removed by the default configuration.
 
-For a listing of the allowed elements and attributes, see [Default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API/Default_sanitizer_configuration).
+For a listing of the allowed elements and attributes, see [Default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API/Default_sanitizer_configuration).
 
 ### Sanitization and Trusted Types
 
diff --git a/files/en-us/web/api/sanitizer/get/index.md b/files/en-us/web/api/sanitizer/get/index.md
@@ -140,7 +140,7 @@ log(JSON.stringify(defaultConfig, null, 2));
 
 #### Results
 
-The [default `Sanitizer` configuration](/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration) is logged below.
+The [default sanitizer configuration](/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration) is logged below.
 Note that the default configuration is quite big, allowing many elements and attributes.
 
 {{EmbedLiveSample("Getting the default sanitizer","100","480px")}}
diff --git a/files/en-us/web/api/sanitizer/index.md b/files/en-us/web/api/sanitizer/index.md
@@ -44,7 +44,7 @@ It can be used with the following [sanitization methods](/en-US/docs/Web/API/HTM
 - Unsafe methods: {{domxref("Element.setHTMLUnsafe()")}}, {{domxref("ShadowRoot.setHTMLUnsafe()")}}, and [`Document.parseHTMLUnsafe()`](/en-US/docs/Web/API/Document/parseHTMLUnsafe_static).
 
 A `Sanitizer` instance can be constructed from a {{domxref("SanitizerConfig")}}, and is effectively a wrapper around that object. A `Sanitizer` and a `SanitizerConfig` can be used with the same methods, but if you're using the same configuration multiple times, it's expected to be more efficient to use a `Santitizer` and modify it when you need to.
-If no `SanitizerConfig` is passed to the constructor, the sanitizer is created with the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration), which removes XSS-unsafe elements and attributes, along with other elements and attributes that can potentially be used in other attacks, such as clickjacking and spoofing.
+If no `SanitizerConfig` is passed to the constructor, the sanitizer is created with the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration), which removes XSS-unsafe elements and attributes, along with other elements and attributes that can potentially be used in other attacks, such as clickjacking and spoofing.
 
 Note that any `Sanitizer` can be made XSS-safe by calling {{domxref("Sanitizer.removeUnsafe()")}}, but other potentially dangerous elements and attributes — which are removed by the default configuration — may still be present.
 
diff --git a/files/en-us/web/api/sanitizer/sanitizer/index.md b/files/en-us/web/api/sanitizer/sanitizer/index.md
@@ -20,7 +20,7 @@ new Sanitizer(configuration)
 ### Parameters
 
 - `configuration` {{optional_inline}}
-  - : A {{domxref("SanitizerConfig")}} defining a [valid configuration](/en-US/docs/Web/API/SanitizerConfig#valid_configuration), or the string `"default"` to indicate the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+  - : A {{domxref("SanitizerConfig")}} defining a [valid configuration](/en-US/docs/Web/API/SanitizerConfig#valid_configuration), or the string `"default"` to indicate the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
     The "empty configuration" (`{}`) can also be passed, and results in a [remove configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#remove_configurations) with empty arrays.
 
     If omitted, the constructor returns a `Sanitizer` with the default configuration.
@@ -41,7 +41,7 @@ An instance of the {{domxref("Sanitizer")}} object.
 
 The constructor creates a new {{domxref("Sanitizer")}} object, which can be used to filter unwanted elements and attributes from HTML or documents before they are inserted/parsed into the DOM.
 
-The [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration) is an [allow sanitizer](/en-US/docs/Web/API/HTML_Sanitizer_API#allow_configurations) that omits XSS-unsafe elements and attributes, along with other elements and attributes that can potentially be used in other attacks, such as clickjacking and spoofing.
+The [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration) is an [allow sanitizer](/en-US/docs/Web/API/HTML_Sanitizer_API#allow_configurations) that omits XSS-unsafe elements and attributes, along with other elements and attributes that can potentially be used in other attacks, such as clickjacking and spoofing.
 This configuration is suitable for the majority of sanitization use cases.
 It is created if `"default"` or no object is passed to the constructor.
 
diff --git a/files/en-us/web/api/shadowroot/sethtml/index.md b/files/en-us/web/api/shadowroot/sethtml/index.md
@@ -31,7 +31,7 @@ setHTML(input, options)
 - `options` {{optional_inline}}
   - : An options object with the following optional parameters:
     - `sanitizer`
-      - : A {{domxref("Sanitizer")}} or {{domxref("SanitizerConfig")}} object which defines what elements of the input will be allowed or removed, or the string `"default"` for the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+      - : A {{domxref("Sanitizer")}} or {{domxref("SanitizerConfig")}} object which defines what elements of the input will be allowed or removed, or the string `"default"` for the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
         The method will remove any XSS-unsafe elements and attributes, even if allowed by the sanitizer.
         If not specified, the default `Sanitizer` configuration is used.
 
@@ -56,7 +56,7 @@ The **`setHTML()`** method provides an XSS-safe method to parse and sanitize a s
 
 `setHTML()` removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.
 
-If no sanitizer is specified in the `options.sanitizer` parameter, `setHTML()` is used with the [default `Sanitizer` configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
+If no sanitizer is specified in the `options.sanitizer` parameter, `setHTML()` is used with the [default sanitizer configuration](/en-US/docs/Web/API/HTML_Sanitizer_API#default_sanitizer_configuration).
 This configuration is suitable for the majority of use cases as it prevents XSS attacks, as well as other attacks like clickjacking or spoofing.
 
 A custom `Sanitizer` or `SanitizerConfig` can be specified to choose which elements, attributes, and comments are allowed or removed.
diff --git a/files/en-us/web/api/shadowroot/sethtmlunsafe/index.md b/files/en-us/web/api/shadowroot/sethtmlunsafe/index.md
