[This is chiefly a note to make sure this item won't get lost when transitioning this spec to HTML.]
The HTML parser processes a handful of markup during parsing, meaning it won't reach the Sanitizer. This can be handled in different ways, either by querying the sanitizer during parsing, or by fixing it up after parsing. Examples are:
Either are fine; but it seems sensible to make sure all of these use the same mechanism. Given that HTML upstreaming puts this into the same spec as the parser, that opens up the opportunity to actually do so.
[This is chiefly a note to make sure this item won't get lost when transitioning this spec to HTML.]
The HTML parser processes a handful of markup during parsing, meaning it won't reach the Sanitizer. This can be handled in different ways, either by querying the sanitizer during parsing, or by fixing it up after parsing. Examples are:
is=attribute is set. Remove custom element state when is attribute is blocked #396 handles this by after-the-fact checking whether anis=attribute was there, and if so fixes up the result.<template>elements withshadowrootmode=attributes into shadow root. Should sanitizer be allowed to remove attributes that create a declarative shadow root? #388 (not resolved yet) seems to trend towards special-casing this in the parser. (Blink also implements it that way.)Either are fine; but it seems sensible to make sure all of these use the same mechanism. Given that HTML upstreaming puts this into the same spec as the parser, that opens up the opportunity to actually do so.