ShopTalk 704: Sanitizer API with Frederik Braun
Mar 2, 2026
Frederik Braun, a Mozilla Firefox security engineer and manager who helped build the Sanitizer API, explains how the API safely inserts untrusted HTML and handles malformed markup. He compares browser-native sanitization to libraries like DOMPurify, discusses setHTML vs setHTMLUnsafe, parsing consistency across browsers, custom elements and attributes, CSP/Trusted Types interplay, and migration strategies.
AI Snips
Chapters
Transcript
Episode notes
Sanitize At Ingest And Again In The Browser
- Sanitize both on intake and on rendering: clean input server-side if it makes sense, but also sanitize in the browser to match the user's actual parser.
- Treat frontend setHTML as a belt-and-suspenders layer because browsers differ and backend sanitizers get outdated.
Allowlist Configuration Lets You Tailor Sanitization
- The sanitizer uses an allowlist model so you can pick exactly which elements and attributes are permitted for your use case.
- You can allow only needed tags like p, a, strong, lists or explicitly allow custom elements like dave-card by naming them.
Tweak The Safe Default Instead Of Rebuilding It
- Use removeElements or builder-style methods to start from the safe default and make minimal changes instead of crafting a full custom whitelist.
- Replace elements with children for links or remove specific tags to preserve plaintext while stripping markup.