Luke Warlow
This has been done inside of the WebKit implementation and the PRs upstreaming it have this baked in. If we wanted to revisit this it would require tc39 changes as well...
Based on discussions at the web engines hackfest, @nicolo-ribaudo it might be useful if you could find the historical push back against being able to change the value. I know...
Should the policy be given the raw value instead of coercing to a string? At least taking nullable strings would help with this issue? cc @koto @mbrodesser-Igalia
Just to note a thought I had, if / when we spec fromLiteral again, I think we should make it opt-in rather than it always being allowed. I propose a...
If we imagine a future with the sanitizer API, I personally think it's valuable to have a way to completely disable the legacy sinks. I know it's not directly part...
> What do you mean by a legacy sink? Sorry yeah to clarify by legacy sink I mean something like innerHTML as opposed to setHTML. > Cause we're also adding...
What Brian means is that the default policy assignment could be a no-op. So the sinks still don't work and report but they don't throw. Currently this isn't possible. Would...
Does this issue need to remain open? Idk if there's anything actionable from it?
See https://github.com/w3c/trusted-types/issues/403 for one missing sink (it's quite new)
I found it by chance. I happened to be loosely following the sanitizer API work and remembered the unsafe variants were merged into the HTML spec recently for DSD parsing...