Published: 29 June 2022 at 14:00 UTC
Updated: 04 July 2022 at 07:46 UTC
The advantages of using a native browser feature are obvious; if the browser is used to filter HTML then it can use its own parsers to ensure the untrusted HTML is filtered consistently.
Here's the result of the untrusted HTML being filtered incorrectly by the Sanitizer:
<svg><use href="//portswigger-labs.net/use_element/upload.php#x" />
Browser APIs for sanitizing HTML are a good idea, as the browser is in a better position to filter the HTML correctly. However, this doesn't mean they are a foolproof mechanism for preventing malicious HTML from sneaking past. As with any filter, a feature like this requires a large amount of testing to ensure malicious HTML is filtered correctly.
Please note this is an experimental API and isn't widely supported yet.
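The bypass above works because a `<use>` element whose `href` points at another origin survived sanitization, so the "sanitized" markup can still pull in remote SVG. One defensive check a practitioner can run over sanitizer output (in a test suite, or as a belt-and-braces audit after sanitization) is to walk the result and flag any `<use>` reference that does not stay within the embedding page's origin. The following is an added example written for this post, not code from PortSwigger or from the Sanitizer API itself; it uses Python's standard-library HTML parser so it runs offline, and the embedding origin `https://example.com` and the sample inputs other than the post's own payload are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Default ports used when comparing origins (scheme, host, port).
_DEFAULT_PORTS = {"http": 80, "https": 443}


def is_external(ref: str, page_origin: str) -> bool:
    """Return True if a <use> href would resolve outside page_origin.

    Same-document fragments (#id) and relative paths stay on the page's
    origin; protocol-relative URLs (//host/...) inherit the page's scheme
    but point at whatever host they name; non-http(s) schemes such as
    data: or javascript: are never the page origin and are always flagged.
    """
    ref = ref.strip()
    if ref.startswith("#"):
        return False  # reference into the current document
    page = urlsplit(page_origin)
    target = urlsplit(ref)
    if not target.scheme and not target.netloc:
        return False  # relative path: resolves within the page's own origin
    scheme = (target.scheme or page.scheme).lower()
    if scheme not in _DEFAULT_PORTS:
        return True  # data:, javascript:, blob:, ... are not same-origin
    try:
        target_port = target.port or _DEFAULT_PORTS[scheme]
        page_port = page.port or _DEFAULT_PORTS[page.scheme.lower()]
    except ValueError:
        return True  # malformed port: treat conservatively as external
    if not target.hostname:
        return True  # http(s) URL without a host is malformed; flag it
    return (scheme, target.hostname.lower(), target_port) != (
        page.scheme.lower(),
        (page.hostname or "").lower(),
        page_port,
    )


class ExternalUseFinder(HTMLParser):
    """Collects href/xlink:href values of <use> elements that leave the origin."""

    def __init__(self, page_origin: str):
        super().__init__()
        self.page_origin = page_origin
        self.findings: list[str] = []

    # html.parser routes self-closing tags (<use ... />) through
    # handle_starttag as well, so one hook covers both spellings.
    def handle_starttag(self, tag, attrs):
        if tag != "use":
            return
        for name, value in attrs:  # attribute names arrive lower-cased
            if name in ("href", "xlink:href") and value is not None:
                if is_external(value, self.page_origin):
                    self.findings.append(value)


def find_external_use_refs(html: str, page_origin: str) -> list[str]:
    """Audit sanitizer output: return every cross-origin <use> reference found."""
    finder = ExternalUseFinder(page_origin)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Constructed embedding origin; the first sample is the payload from the post.
    ORIGIN = "https://example.com"
    samples = [
        '<svg><use href="//portswigger-labs.net/use_element/upload.php#x" /></svg>',
        '<svg><use href="#icon"/></svg>',                      # same-document, fine
        '<svg><use xlink:href="/sprites.svg#icon"/></svg>',    # relative, fine
        '<svg><use href="http://example.com/sprites.svg#i"/></svg>',  # scheme differs
    ]
    for sample in samples:
        print(find_external_use_refs(sample, ORIGIN), "<-", sample)
```

In a real deployment this runs on the markup the sanitizer returns, not on the raw input: the point is to catch what the sanitizer let through, as happened here, rather than to replace it. The check is deliberately conservative (anything that is not clearly same-origin is flagged), which is the right bias for an audit step.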
2022-02-25 09:42 PST - Reported bug to Mozilla
2022-04-29 15:03 PDT - Fixed
2022-06-28 - Firefox 102.0 released
2022-06-29 15:00 GMT - Published this post