Staff Security Engineer at Mozilla
Making of: the Sanitizer API
Cross-Site Scripting (XSS) is still the most common security issue on the web, and yet there is no easy way for developers to deal with malicious HTML input. This talk will present the upcoming Sanitizer API: a built-in browser API that guarantees harmless HTML output, whatever the input.
The talk will provide the necessary background on XSS and on where previous solutions failed. With this background, we will also take a look at HTML parsing and at where parsing ambiguities can lead to additional security issues (e.g., mutation XSS, or mXSS).
Given these issues, and with typical developer use cases in mind, we will present our current prototype and its security considerations. Finally, we invite security researchers and developers to test and develop against this new API.
Frederik Braun defends Mozilla Firefox as a Staff Security Engineer in Berlin. He's also a member of the W3C Web Application Security Working Group and co-authored the Subresource Integrity standard. When not at work, Frederik goes on long bike treks across Europe with his wife and two kids.