## Overview

The Sanitizer API provides native HTML sanitization in the browser: it removes dangerous elements and attributes (such as script event handlers) according to an allow list, in order to prevent XSS. It can work together with Trusted Types, turning untrusted strings into safe `TrustedHTML` that is inserted only at controlled sinks.

## Example

```javascript
// Config keys follow the early Chrome implementation (allowElements / allowAttributes, the latter
// mapping attribute -> elements); the current spec instead uses { elements, attributes } with Element.setHTML()
const sanitizer = new Sanitizer({ allowElements: ['b', 'i', 'strong', 'em', 'a'], allowAttributes: { href: ['a'] } });
const unsafe = '<img src=x onerror=alert(1)><a href="https://example.com">link</a>';
const safeFragment = sanitizer.sanitize(unsafe); // DocumentFragment: the <img> and its onerror handler are gone
document.getElementById('content').append(safeFragment);
```
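As an added example (not code from the original post), the following models the allow-list semantics the Sanitizer API applies: an element list, a per-element attribute list, default denial of everything else (so `on*` handlers vanish), content-dropping for `<script>`-like elements, and a scheme check on `href`, which a name-based allow list alone does not give you. It runs over a DOM-like tree so it works in Node.js; the `{ tag, attrs, children }` shape and the `POLICY` object are this example's own, not the Sanitizer API's configuration.

```javascript
// Added example, not from the original post. Models the Sanitizer API's default-deny
// allow-list over a DOM-like tree ({ tag, attrs, children }, strings as text nodes), which
// stands in for the DOM so the code runs in Node.js; in a browser use Sanitizer or DOMPurify.
const POLICY = {
  elements: new Set(['b', 'i', 'strong', 'em', 'a', 'p']),   // kept; every other element is removed
  attributes: { a: new Set(['href']) },                       // kept per element; on* is never listed
  // disallowed elements whose children are dropped too, so a <script> body never leaks as text
  dropWithContent: new Set(['script', 'style', 'template', 'iframe', 'object']),
};
// Name-based allow lists say nothing about values: an href still needs a scheme check.
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;
const escapeText = s => String(s).replace(/[&<>"']/g,
  c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
// Returns a new sanitized tree; the input is never mutated.
function sanitizeTree(nodes, policy = POLICY) {
  const out = [];
  for (const node of nodes) {
    if (typeof node === 'string') { out.push(node); continue; }
    const tag = String(node.tag).toLowerCase();
    if (!policy.elements.has(tag)) {
      // Not allowed: remove the element but keep its children, unless it is content-dropping
      if (!policy.dropWithContent.has(tag)) out.push(...sanitizeTree(node.children || [], policy));
      continue;
    }
    const allowed = policy.attributes[tag] || new Set();
    const attrs = {};
    for (const [name, value] of Object.entries(node.attrs || {})) {
      const n = name.toLowerCase();
      if (!allowed.has(n)) continue;                                // default deny: onerror, style, ...
      if (n === 'href' && !SAFE_URL.test(String(value).trim())) continue; // javascript:, data:, ...
      attrs[n] = value;
    }
    out.push({ tag, attrs, children: sanitizeTree(node.children || [], policy) });
  }
  return out;
}
// Serializes a tree back to HTML, escaping text and attribute values.
const serialize = nodes => nodes.map(n => typeof n === 'string' ? escapeText(n)
  : `<${n.tag}${Object.entries(n.attrs).map(([k, v]) => ` ${k}="${escapeText(v)}"`).join('')}>`
    + `${serialize(n.children)}</${n.tag}>`).join('');
const sanitizeHtmlTree = nodes => serialize(sanitizeTree(nodes));
// Constructed input: the post's `unsafe` markup plus a javascript: link and a <script>.
const unsafeTree = [
  { tag: 'img', attrs: { src: 'x', onerror: 'alert(1)' }, children: [] },
  { tag: 'a', attrs: { href: 'https://example.com', onclick: 'alert(1)' }, children: ['link'] },
  { tag: 'a', attrs: { href: 'javascript:alert(1)' }, children: ['bad'] },
  { tag: 'script', attrs: {}, children: ['alert(1)'] },
];
console.log(sanitizeHtmlTree(unsafeTree)); // <a href="https://example.com">link</a><a>bad</a>
```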
## Working with Trusted Types (sketch)

```javascript
// On a site with Trusted Types enforced, innerHTML accepts only TrustedHTML.
// Produce a safe fragment with the Sanitizer, then serialize it where a string is required.
const fragment = sanitizer.sanitize(unsafe);
const div = document.createElement('div'); div.append(fragment);
// Pass-through policy: acceptable here only because the input is the already-sanitized fragment.
// In production, call the sanitizer inside createHTML so the policy itself guarantees the output,
// and remember that a policy named 'default' is applied automatically to plain strings at every sink.
const trusted = trustedTypes.createPolicy('default', { createHTML: s => s }).createHTML(div.innerHTML);
const target = document.getElementById('content'); // the original used `target` without defining it
target.innerHTML = trusted;
```
## Engineering recommendations

- Allow list: define the minimum set the business actually needs; deny dangerous elements and event-handler attributes by default.
- Context safety: never insert unsanitized HTML into sensitive containers; combine sanitization with CSP and Trusted Types.
- Compatibility and fallback: in browsers without support, use a mature library (such as DOMPurify) and keep its policy consistent with the native one.

## References and verification

- MDN Sanitizer API (experimental) documentation: https://developer.mozilla.org/docs/Web/API/Sanitizer
- Chrome platform notes: https://developer.chrome.com/docs/web-platform/sanitizer/
- web.dev XSS and policy guide: https://web.dev/secure/