@noamr noamr commented Dec 18, 2025

This document provides an overview of the revamped dynamic markup methods for HTML injection, detailing API design, script execution, sanitizer integration, and security considerations.

@noamr noamr requested a review from foolip December 18, 2025 12:28

```webidl
interface TrustedTypePolicy {
TrustedHTMLParserOptions createHTMLParserOptions((SetHTMLOptions or SetHTMLUnsafeOptions) options = {});
```
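
Review bot: In `createHTMLParserOptions`, the single return type `TrustedHTMLParserOptions` covers input from both `SetHTMLOptions` and `SetHTMLUnsafeOptions`, so the type alone does not tell a consumer which kind of options it wraps. Suggest stating beside this interface what `setHTML()` does with a value built from the unsafe dictionary (reject it, or ignore the unsafe members), so a policy cannot carry unsafe settings into the safe method unnoticed.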

Member

I think WebIDL doesn't allow a union of SetHTMLOptions and SetHTMLUnsafeOptions because they cannot be distinguished. If we want the result to not require further checking when passed to setHTML(), maybe add a createHTMLParserOptionsUnsafe() here with a different return type?

Collaborator Author

I don't think that's necessary. The resulting object can be the same type, and the Safe variant can ignore runScripts and assert a safe baseline.


## Existing methods

Apart from the `createContextualFragment` quirk, all of the existing APIs can be expressed in terms of the above APIs,

Member

How about allowing declarative shadow roots? Should that be an opt-in in the new APIs to match the existing ones?

Collaborator Author

Added a section about this.

noamr and others added 5 commits December 18, 2025 16:01
@noamr noamr merged commit cf3b548 into main Dec 18, 2025
2 checks passed
github-actions bot added a commit that referenced this pull request Dec 18, 2025
SHA: cf3b548
Reason: push, by noamr

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>