files/en-us/web/api/sanitizerconfig/index.md
18 additions & 8 deletions
@@ -86,7 +86,8 @@ Note that normally {{domxref("Sanitizer")}} instances are used instead of `Sanit
86
86
-`comments`
87
87
- : `true` if comments are allowed, and `false` if they are to be removed.
88
88
-`dataAttributes`
89
-
- : `true` if `data-*` attributes are allowed, and `false` if they are to be removed.
89
+
- : `true` if all `data-*` attributes will be allowed (in which case `data-*` attributes must not be listed in the `attributes` array).
90
+
If `false`, any `data-*` attributes to be allowed must be listed in the `attributes` array.
90
91
91
92
## Description
92
93
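Review bot: The two added lines of the `dataAttributes` definition refer to "the `attributes` array" without saying which one, while the validity rules later in this file distinguish the global `attributes` array from each element's own. Name the arrays meant here, using the same "global and element attribute arrays" wording as the validity list. The replaced line also said that `false` means `data-*` attributes are removed; the new "If `false`" sentence only says what must be listed, so consider stating explicitly that unlisted `data-*` attributes are removed, since that is the behaviour a reader relying on the sanitizer needs to know.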
@@ -108,14 +109,23 @@ In a valid sanitizer configuration:
108
109
109
110
- Either the `elements` or `removeElements` array may be defined, but not both
110
111
- Either the `attributes` or `removeAttributes` array may be defined, but not both
111
-
- Within an element, either the `attributes` or `removeAttributes` array may be defined, but not both
112
-
- No array may contain duplicate elements or attributes
113
112
- The `replaceWithChildrenElements` array, if defined, may not have any elements in common with `elements` or `removeElements`
114
-
- A global attribute, defined in `attributes`, may not also be defined in an element's `attribute` or `removeAttribute` list.
115
-
- Custom `data-*` attributes may only be specified within element attribute arrays: not in the global `attributes` array, and only if `dataAttributes` is `true`.
116
-
117
-
Note that while the empty object `{}` is not technically a valid configuration it can be normalized to one.
118
-
Passing the empty object will not throw a `TypeError`.
113
+
- No array may contain duplicate elements or attributes
114
+
- If the global `attributes` array is defined:
115
+
- An element may define any or none of `attributes` and `removeAttributes`
116
+
- An element's `attributes` must not share any values in common with the global `attributes` array
117
+
- An element's `removeAttributes` array may only contain values that are also present in the global `attributes` array.
118
+
- If `dataAttributes` is `true` the global and element attribute arrays must not contain `data-*` attributes (since these will automatically be allowed).
119
+
- If the global `removeAttributes` array is defined:
120
+
- An element may specify either `attributes` or `removeAttributes`, but not both
121
+
- An element's `attributes` or `removeAttributes` array, depending on which (if either) is defined, must not share any values in common with the global `removeAttributes` array.
122
+
- The global `dataAttributes` array must not be defined.
123
+
124
+
The empty object `{}` is a valid configuration.
125
+
126
+
> [!NOTE]
127
+
> The conditions above are from the perspective of a web developer.
128
+
> The [validity check defined in the specification](https://wicg.github.io/sanitizer-api/#sanitizerconfig-valid) is slightly different because it is executed after canonicalization of the configuration, such as adding `removeElements` when both are missing, and adding default namespaces.
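Review bot: In the `removeAttributes` branch, the added item "The global `dataAttributes` array must not be defined." calls `dataAttributes` an array, but the property is documented earlier in this file as a `true`/`false` value; suggest "The `dataAttributes` property must not be defined." In the `attributes` branch, "any or none of `attributes` and `removeAttributes`" leaves it unclear whether an element may define both, in contrast to the explicit "but not both" in the other branch; wording such as "either, both, or neither" (if that is the intent) would remove the doubt. In the closing note, "adding `removeElements` when both are missing" has no antecedent for "both"; spell out the two properties. The new list items are also inconsistent about trailing full stops.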