Google, Mozilla, and security firm Cure53 have come together to develop an application programming interface (API) that provides a systematic solution to HTML sanitization which will prevent XSS attacks without the need for third-party libraries.
Preventing XSS attacks
Web applications are often required to handle dynamic HTML content in the browser, such as when rendering user-generated content or dealing with templates.
Client-side HTML processing often causes security holes and malicious actors use them to stage XSS attacks and steal user information or send web commands on users. XSS issues occurred due to java script inception getting added to attacker toolbox
Content-Security Policy (CSP), a set of HTTP header directives that help mitigate XSS attacks by putting restrictions on how web pages handle different types of content. But CSP has not gained the traction its creators hoped.
To ensure that the HTML sanitizer works correctly on new input, it needs to keep up with this standard. The failure to do so can be catastrophic and lead to sanitizer bypasses.The new HTML Sanitizer API has been developed by Google, Mozilla, and the wider security community
Native HTML sanitization
The HTML Sanitizer API bakes XSS mitigation functionality directly into the browser. Developers can instantiate and use the API’s sanitizer class without the need to import external libraries.
Browsers already have baked-in sanitizers for clipboard data, Just use the built-in sanitizer; you don’t need to include any external libraries!’
Testing the API
The HTML Sanitizer API will not prevent mutated XSS attacks and attacks that exploit server-side vulnerabilities. With extra configuration, however, it can prevent DOM clobbering and XSS attacks based on script gadgets.
An experimental implementation of the API has been integrated into Firefox Nightly and Chrome Canary, the test versions of the browsers. A test page for the API is also available online.