The web Sanitizer API is still in flux. But maybe it’s worth considering whether it’s within scope of WinterTC early on.
- Server-side rendering (SSR) is becoming increasingly common.
- DOMPurify is widely deployed on Node and probably other JavaScript server runtimes.
Of course, the Sanitizer API is strongly coupled to DOM node objects; its current design extends Element and Document.
- But, while the spec is still in flux, it may be worth investigating whether WinterTC should provide input to the Sanitizer API WICG on any string-to-string transformations. Such a string-to-string sanitization API may still be useful in webpages and would definitely be useful in JavaScript server runtimes (or service workers in browsers).
- Alternatively, a very limited subset of the DOM could also be standardized by WinterTC, à la jsdom and happy-dom, and the Sanitizer API for servers would sit on that DOM subset. This would be a much bigger undertaking, but it could pay off.