I think of the HTML parser as an implementation detail. I think a string -> string sanitation should not trigger TT.
string -> DOMFragment should however be considered a TT sink.
Generally, the TT/sanitizer interaction is a bit unclear to me, but my thinking is that maybe we should keep the sanitizer oblivious to Trusted Types, and instead extend Trusted Types so that you can directly put a sanitizer config into a TT policy.
E.g., something like
let policy = trustedTypes.createPolicy("bla", { createHTML: { 'allow': ['b', 'em'], 'block': ['blabla'] } });
would do much the same thing as:
let tmp = new Sanitizer({ 'allow': ['b', 'em'], 'block': ['blabla'] });
let policy = trustedTypes.createPolicy("bla", { createHTML: s => tmp.saneStringFrom(s) });
That way, TT policy creation and policy instances would remain the central controlling element for TT, but it'd still be very easy to combine TT with sanitizers.
Currently, triggering any HTML parser using a DOM API makes Trusted Types angry, and Trusted Types requires sites to parse TrustedHTML.
Will saneStringFrom have the same thing? Or will it never cause a TT violation?
CC: @koto