[Sanitizer API] Add dropAttributes to SanitizerConfig.

Bug: 1116418 Change-Id: I0aedefbba5eb452d6bbcaa934d909b1dbb65c4d5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416590 Commit-Queue: Yifan Luo <lyf@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#813726}

[Sanitizer API] Add dropAttributes to SanitizerConfig.
Bug: 1116418 Change-Id: I0aedefbba5eb452d6bbcaa934d909b1dbb65c4d5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416590 Commit-Queue: Yifan Luo <lyf@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#813726}
81973a81 · Yifan Luo · Commit Bot · ed2b4d43 · 81973a81 · 81973a81
Commit 81973a81 authored Oct 05, 2020 by Yifan Luo Committed by Commit Bot Oct 05, 2020
13 changed files
--- a/third_party/blink/renderer/modules/sanitizer_api/sanitizer.cc
+++ b/third_party/blink/renderer/modules/sanitizer_api/sanitizer.cc
@@ -7,6 +7,7 @@
 #include "third_party/blink/renderer/bindings/core/v8/v8_node_filter.h"
 #include "third_party/blink/renderer/bindings/modules/v8/v8_sanitizer_config.h"
 #include "third_party/blink/renderer/core/dom/document_fragment.h"
+#include "third_party/blink/renderer/core/dom/element.h"
 #include "third_party/blink/renderer/core/dom/node.h"
 #include "third_party/blink/renderer/core/dom/node_traversal.h"
 #include "third_party/blink/renderer/core/editing/serializers/serialization.h"
@@ -14,6 +15,7 @@
 #include "third_party/blink/renderer/platform/bindings/exception_messages.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
 #include "third_party/blink/renderer/platform/bindings/script_state.h"
+#include "third_party/blink/renderer/platform/wtf/text/atomic_string.h"
 #include "third_party/blink/renderer/platform/wtf/vector.h"

 namespace blink {
@@ -33,6 +35,16 @@ Sanitizer::Sanitizer(const SanitizerConfig* config)
    }
    config_->setDropElements(l);
  }
+
+  // Format dropAttributes to lowercases.
+  if (config->hasDropAttributes()) {
+    Vector<String> l;
+    for (const String& s : config->dropAttributes()) {
+      l.push_back(s.LowerASCII());
+      drop_attributes_.push_back(WTF::AtomicString(s.LowerASCII()));
+    }
+    config_->setDropAttributes(l);
+  }
 }

 Sanitizer::~Sanitizer() = default;
@@ -59,7 +71,8 @@ DocumentFragment* Sanitizer::sanitize(ScriptState* script_state,
  fragment->ParseHTML(input, document->QuerySelector("body"));

  // Remove all the elements in the dropElements list.
-  if (config_->hasDropElementsNonNull()) {
+  if (config_->hasDropElementsNonNull() ||
+      config_->hasDropAttributesNonNull()) {
    Node* node = fragment->firstChild();

    while (node) {
@@ -73,13 +86,20 @@ DocumentFragment* Sanitizer::sanitize(ScriptState* script_state,
      String node_name = node->nodeName();
      // If the current element is dropped, remove current element entirely and
      // proceed to its next sibling.
-      if (config_->dropElementsNonNull().Contains(node_name.UpperASCII())) {
+      if (config_->hasDropElementsNonNull() &&
+          config_->dropElementsNonNull().Contains(node_name.UpperASCII())) {
        Node* tmp = node;
        node = NodeTraversal::NextSkippingChildren(*node, fragment);
        tmp->remove();
      } else {
-        // Otherwise, proceed to the next node (preorder, depth-first
+        // Otherwise, remove any attributes to be dropped from the current
+        // element, and proceed to the next node (preorder, depth-first
        // traversal).
+        if (config_->hasDropAttributes()) {
+          for (auto attr : drop_attributes_) {
+            To<Element>(node)->removeAttribute(attr);
+          }
+        }
        node = NodeTraversal::Next(*node, fragment);
      }
    }

--- a/third_party/blink/renderer/modules/sanitizer_api/sanitizer.h
+++ b/third_party/blink/renderer/modules/sanitizer_api/sanitizer.h
@@ -34,7 +34,10 @@ class MODULES_EXPORT Sanitizer final : public ScriptWrappable {
 private:
  // TODO(lyf): Make config_ read-only. The creationOptions getter which
  // asks for the pointer is forbidened by a read-only variable.
+  // TODO(lyf): This could be optimized by dropping config_ and adding
+  // Vector<QualifiedName> for drop_elements.
  Member<SanitizerConfig> config_ = {};
+  Vector<AtomicString> drop_attributes_ = {};
 };

 }  // namespace blink

--- a/third_party/blink/renderer/modules/sanitizer_api/sanitizer_config.idl
+++ b/third_party/blink/renderer/modules/sanitizer_api/sanitizer_config.idl
@@ -6,4 +6,5 @@

 dictionary SanitizerConfig {
  sequence<DOMString>? dropElements;
+  sequence<DOMString>? dropAttributes;
 };
--- a/third_party/blink/web_tests/external/wpt/interfaces/sanitizer-api.tentative.idl
+++ b/third_party/blink/web_tests/external/wpt/interfaces/sanitizer-api.tentative.idl
@@ -10,4 +10,5 @@

 dictionary SanitizerConfig {
  sequence<DOMString>? dropElements;
+  sequence<DOMString>? dropAttributes;
 };
--- a/third_party/blink/web_tests/external/wpt/sanitizer-api/sanitizer-config.tentative-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/sanitizer-api/sanitizer-config.tentative-expected.txt
+This is a testharness.js-based test.
+FAIL SanitizerAPI creator without config. assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI creator with empty config. assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI creator with null as config. assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI creator with undefined as config. assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI creator with config ignore unknown values. assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI config is not editable. assert_object_equals: unexpected property "dropAttributes"
+PASS SanitizerAPI creator with config {dropElements: []}.
+FAIL SanitizerAPI creator with config {dropElements: null}. assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI creator with config {dropElements: undefined}. assert_object_equals: unexpected property "dropAttributes"
+PASS SanitizerAPI creator with config {dropElements: 123}.
+PASS SanitizerAPI creator with config {dropElements: div}.
+Harness: the test ran to completion.
+
--- a/third_party/blink/web_tests/external/wpt/sanitizer-api/sanitizer-sanitize.tentative-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/sanitizer-api/sanitizer-sanitize.tentative-expected.txt
 This is a testharness.js-based test.
-PASS SanitizerAPI sanitize function for string
-PASS SanitizerAPI sanitize function for html fragment
-PASS SanitizerAPI sanitize function for broken html
-PASS SanitizerAPI sanitize function for empty object
-PASS SanitizerAPI sanitize function for number
-PASS SanitizerAPI sanitize function for zeros
-PASS SanitizerAPI sanitize function for arithmetic
-PASS SanitizerAPI sanitize function for empty string
-PASS SanitizerAPI sanitize function for undefined
-PASS SanitizerAPI sanitize function for null
-PASS SanitizerAPI sanitize function for document
-PASS SanitizerAPI sanitize function for html without close tag
-FAIL SanitizerAPI sanitize function for scripts assert_equals: expected "" but got "<script>alert('i am a test')</script>"
-FAIL SanitizerAPI sanitize function for onclick scripts assert_equals: expected "<p>Click.</p>" but got "<p onclick=\"a= 123\">Click.</p>"
-PASS SanitizerAPI sanitize function for invalid config_input
-PASS SanitizerAPI sanitize function for empty dropElements list
-PASS SanitizerAPI sanitize function for test html without close tag with dropElements list ['div']
-PASS SanitizerAPI sanitize function for test script with ["script"] as dropElements list
-PASS SanitizerAPI sanitize function for dropElements list ["test", "i"]}
-PASS SanitizerAPI sanitize function for dropElements list ["I", "AM"]}
-PASS SanitizerAPI sanitize function for dropElements list ["am", "p"]}
-PASS SanitizerAPI sanitize function for dropElements list with invalid values}
+FAIL SanitizerAPI sanitize function for string assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for html fragment assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for broken html assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for empty object assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for number assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for zeros assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for arithmetic assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for empty string assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for undefined assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for null assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for document assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for html without close tag assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for scripts assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for onclick scripts assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for invalid config_input assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for empty dropElements list assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for test html without close tag with dropElements list ['div'] assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for test script with ["script"] as dropElements list assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for dropElements list ["test", "i"]} assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for dropElements list ["I", "AM"]} assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for dropElements list ["am", "p"]} assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitize function for dropElements list with invalid values} assert_object_equals: unexpected property "dropAttributes"
 Harness: the test ran to completion.

--- a/third_party/blink/web_tests/external/wpt/sanitizer-api/sanitizer-sanitizeToString.tentative-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/sanitizer-api/sanitizer-sanitizeToString.tentative-expected.txt
 This is a testharness.js-based test.
-PASS SanitizerAPI sanitizeToString function for string
-PASS SanitizerAPI sanitizeToString function for html fragment
-PASS SanitizerAPI sanitizeToString function for broken html
-PASS SanitizerAPI sanitizeToString function for empty object
-PASS SanitizerAPI sanitizeToString function for number
-PASS SanitizerAPI sanitizeToString function for zeros
-PASS SanitizerAPI sanitizeToString function for arithmetic
-PASS SanitizerAPI sanitizeToString function for empty string
-PASS SanitizerAPI sanitizeToString function for undefined
-PASS SanitizerAPI sanitizeToString function for null
-PASS SanitizerAPI sanitizeToString function for document
-PASS SanitizerAPI sanitizeToString function for html without close tag
-FAIL SanitizerAPI sanitizeToString function for scripts assert_equals: expected "" but got "<script>alert('i am a test')</script>"
-FAIL SanitizerAPI sanitizeToString function for onclick scripts assert_equals: expected "<p>Click.</p>" but got "<p onclick=\"a= 123\">Click.</p>"
-PASS SanitizerAPI sanitizeToString function for invalid config_input
-PASS SanitizerAPI sanitizeToString function for empty dropElements list
-PASS SanitizerAPI sanitizeToString function for test html without close tag with dropElements list ['div']
-PASS SanitizerAPI sanitizeToString function for test script with ["script"] as dropElements list
-PASS SanitizerAPI sanitizeToString function for dropElements list ["test", "i"]}
-PASS SanitizerAPI sanitizeToString function for dropElements list ["I", "AM"]}
-PASS SanitizerAPI sanitizeToString function for dropElements list ["am", "p"]}
-PASS SanitizerAPI sanitizeToString function for dropElements list with invalid values}
+FAIL SanitizerAPI sanitizeToString function for string assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for html fragment assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for broken html assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for empty object assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for number assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for zeros assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for arithmetic assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for empty string assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for undefined assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for null assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for document assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for html without close tag assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for scripts assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for onclick scripts assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for invalid config_input assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for empty dropElements list assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for test html without close tag with dropElements list ['div'] assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for test script with ["script"] as dropElements list assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for dropElements list ["test", "i"]} assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for dropElements list ["I", "AM"]} assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for dropElements list ["am", "p"]} assert_object_equals: unexpected property "dropAttributes"
+FAIL SanitizerAPI sanitizeToString function for dropElements list with invalid values} assert_object_equals: unexpected property "dropAttributes"
 Harness: the test ran to completion.

--- a/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-config.tentative.html
+++ b/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-config.tentative.html
@@ -8,7 +8,7 @@

 <body>
 <script>
-    const default_option ={dropElements: null};
+    const default_option = {dropElements: null, dropAttributes: null};
    test(t => {
      let s = new Sanitizer();
      assert_true(s instanceof Sanitizer);
@@ -39,21 +39,38 @@
      assert_object_equals(s.creationOptions, default_option);
    }, "SanitizerAPI creator with config ignore unknown values.");

+    // TODO(lyf): Lump following two tests together into a shared function.
    test(t => {
      let options = {dropElements: ["div"]};
      let s = new Sanitizer(options);
      assert_true(s instanceof Sanitizer);
-      assert_object_equals(s.creationOptions, {dropElements: ["DIV"]});
+      assert_object_equals(s.creationOptions, {dropElements: ["DIV"], dropAttributes: null});

      options.dropElements.push("test");
-      assert_object_equals(s.creationOptions, {dropElements: ["DIV"]});
+      assert_object_equals(s.creationOptions, {dropElements: ["DIV"], dropAttributes: null});

      s.creationOptions = {dropElements: ["test", "t"]};
-      assert_object_equals(s.creationOptions, {dropElements: ["DIV"]});
+      assert_object_equals(s.creationOptions, {dropElements: ["DIV"], dropAttributes: null});

      s.creationOptions['dropElements'] = [1,2,3];
-      assert_object_equals(s.creationOptions, {dropElements: ["DIV"]});
-    }, "SanitizerAPI config is not editable.");
+      assert_object_equals(s.creationOptions, {dropElements: ["DIV"], dropAttributes: null});
+    }, "SanitizerAPI config dropElements is not editable.");
+
+    test(t => {
+      let options = {dropAttributes: ["onclick"]};
+      let s = new Sanitizer(options);
+      assert_true(s instanceof Sanitizer);
+      assert_object_equals(s.creationOptions, {dropElements: null, dropAttributes: ["onclick"]});
+
+      options.dropAttributes.push("test");
+      assert_object_equals(s.creationOptions, {dropElements: null, dropAttributes: ["onclick"]});
+
+      s.creationOptions = {dropAttributes: ["test", "t"]};
+      assert_object_equals(s.creationOptions, {dropElements: null, dropAttributes: ["onclick"]});
+
+      s.creationOptions['dropAttributes'] = [1,2,3];
+      assert_object_equals(s.creationOptions, {dropElements: null, dropAttributes: ["onclick"]});
+    }, "SanitizerAPI config dropAttributes is not editable.");

    test(t => {
      let s = new Sanitizer({dropElements: []});
@@ -83,6 +100,35 @@
      assert_throws_js(TypeError, _ => {let s = new Sanitizer({dropElements: "div"})});
    }, "SanitizerAPI creator with config {dropElements: div}.");

+
+    test(t => {
+      let s = new Sanitizer({dropAttributes: []});
+      assert_true(s instanceof Sanitizer);
+      assert_equals(s.sanitizeToString("<div>balabala<i>test</i></div>"), "<div>balabala<i>test</i></div>");
+    }, "SanitizerAPI creator with config {dropAttributes: []}.")
+
+    test(t => {
+      let s = new Sanitizer({dropAttributes: null});
+      assert_true(s instanceof Sanitizer);
+      assert_true(s.creationOptions instanceof Object);
+      assert_object_equals(s.creationOptions, default_option);
+    }, "SanitizerAPI creator with config {dropAttributes: null}.")
+
+    test(t => {
+      let s = new Sanitizer({dropAttributes: undefined});
+      assert_true(s instanceof Sanitizer);
+      assert_true(s.creationOptions instanceof Object);
+      assert_object_equals(s.creationOptions, default_option);
+    }, "SanitizerAPI creator with config {dropAttributes: undefined}.");
+
+    test(t => {
+      assert_throws_js(TypeError, _ => {let s = new Sanitizer({dropAttributes: 123})});
+    }, "SanitizerAPI creator with config {dropAttributes: 123}.");
+
+    test(t => {
+      assert_throws_js(TypeError, _ => {let s = new Sanitizer({dropAttributes: "div"})});
+    }, "SanitizerAPI creator with config {dropAttributes: div}.");
+
 </script>
 </body>
 </html>
--- a/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-sanitize.tentative-expected.txt
+++ b/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-sanitize.tentative-expected.txt
@@ -12,8 +12,7 @@ PASS SanitizerAPI with config: undefined, sanitize function for undefined
 PASS SanitizerAPI with config: null, sanitize function for null
 PASS SanitizerAPI with config: document, sanitize function for document
 PASS SanitizerAPI with config: html without close tag, sanitize function for html without close tag
-FAIL SanitizerAPI with config: scripts, sanitize function for scripts assert_equals: expected "" but got "<script>alert('i am a test')</script>"
-FAIL SanitizerAPI with config: onclick scripts, sanitize function for onclick scripts assert_equals: expected "<p>Click.</p>" but got "<p onclick=\"a= 123\">Click.</p>"
+FAIL SanitizerAPI with config: scripts for default configs, sanitize function for scripts for default configs assert_equals: expected "" but got "<script>alert('i am a test')</script>"
 PASS SanitizerAPI with config: invalid config_input, sanitize function for invalid config_input
 PASS SanitizerAPI with config: empty dropElements list, sanitize function for empty dropElements list
 PASS SanitizerAPI with config: test html without close tag with dropElements list ['div'], sanitize function for test html without close tag with dropElements list ['div']
@@ -22,5 +21,10 @@ PASS SanitizerAPI with config: dropElements list ["test", "i"]}, sanitize functi
 PASS SanitizerAPI with config: dropElements list ["I", "AM"]}, sanitize function for dropElements list ["I", "AM"]}
 PASS SanitizerAPI with config: dropElements list ["am", "p"]}, sanitize function for dropElements list ["am", "p"]}
 PASS SanitizerAPI with config: dropElements list with invalid values}, sanitize function for dropElements list with invalid values}
+PASS SanitizerAPI with config: dropAttributes list ["onclick"] with onclick scripts, sanitize function for dropAttributes list ["onclick"] with onclick scripts
+PASS SanitizerAPI with config: empty dropAttributes list with onclick scripts, sanitize function for empty dropAttributes list with onclick scripts
+PASS SanitizerAPI with config: dropAttributes list ["id"] with onclick scripts, sanitize function for dropAttributes list ["id"] with onclick scripts
+PASS SanitizerAPI with config: dropAttributes list ["ONCLICK"] with onclick scripts, sanitize function for dropAttributes list ["ONCLICK"] with onclick scripts
+FAIL SanitizerAPI with config: dropAttributes list ["data-attribute-with-dashes"] with dom dataset js access., sanitize function for dropAttributes list ["data-attribute-with-dashes"] with dom dataset js access. assert_equals: expected "<p id=\"p\">Click.</p><script></script>" but got "<p id=\"p\">Click.</p><script>document.getElementById('p').dataset.attributeWithDashes=123;</script>"
 Harness: the test ran to completion.

--- a/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-sanitize.tentative.html
+++ b/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-sanitize.tentative.html
@@ -16,7 +16,7 @@

    test(t => {
      let s = new Sanitizer({});
-      assert_object_equals(s.creationOptions, {dropElements: null});
+      assert_object_equals(s.creationOptions, {dropElements: null, dropAttributes: null});
      assert_throws_js(TypeError, _ => s.sanitize());
    }, "SanitizerAPI sanitize function without argument should throw an error.");


--- a/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-sanitizeToString.tentative-expected.txt
+++ b/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-sanitizeToString.tentative-expected.txt
@@ -12,8 +12,7 @@ PASS SanitizerAPI config: undefined, sanitizeToString function for undefined
 PASS SanitizerAPI config: null, sanitizeToString function for null
 PASS SanitizerAPI config: document, sanitizeToString function for document
 PASS SanitizerAPI config: html without close tag, sanitizeToString function for html without close tag
-FAIL SanitizerAPI config: scripts, sanitizeToString function for scripts assert_equals: expected "" but got "<script>alert('i am a test')</script>"
-FAIL SanitizerAPI config: onclick scripts, sanitizeToString function for onclick scripts assert_equals: expected "<p>Click.</p>" but got "<p onclick=\"a= 123\">Click.</p>"
+FAIL SanitizerAPI config: scripts for default configs, sanitizeToString function for scripts for default configs assert_equals: expected "" but got "<script>alert('i am a test')</script>"
 PASS SanitizerAPI config: invalid config_input, sanitizeToString function for invalid config_input
 PASS SanitizerAPI config: empty dropElements list, sanitizeToString function for empty dropElements list
 PASS SanitizerAPI config: test html without close tag with dropElements list ['div'], sanitizeToString function for test html without close tag with dropElements list ['div']
@@ -22,5 +21,10 @@ PASS SanitizerAPI config: dropElements list ["test", "i"]}, sanitizeToString fun
 PASS SanitizerAPI config: dropElements list ["I", "AM"]}, sanitizeToString function for dropElements list ["I", "AM"]}
 PASS SanitizerAPI config: dropElements list ["am", "p"]}, sanitizeToString function for dropElements list ["am", "p"]}
 PASS SanitizerAPI config: dropElements list with invalid values}, sanitizeToString function for dropElements list with invalid values}
+PASS SanitizerAPI config: dropAttributes list ["onclick"] with onclick scripts, sanitizeToString function for dropAttributes list ["onclick"] with onclick scripts
+PASS SanitizerAPI config: empty dropAttributes list with onclick scripts, sanitizeToString function for empty dropAttributes list with onclick scripts
+PASS SanitizerAPI config: dropAttributes list ["id"] with onclick scripts, sanitizeToString function for dropAttributes list ["id"] with onclick scripts
+PASS SanitizerAPI config: dropAttributes list ["ONCLICK"] with onclick scripts, sanitizeToString function for dropAttributes list ["ONCLICK"] with onclick scripts
+FAIL SanitizerAPI config: dropAttributes list ["data-attribute-with-dashes"] with dom dataset js access., sanitizeToString function for dropAttributes list ["data-attribute-with-dashes"] with dom dataset js access. assert_equals: expected "<p id=\"p\">Click.</p><script></script>" but got "<p id=\"p\">Click.</p><script>document.getElementById('p').dataset.attributeWithDashes=123;</script>"
 Harness: the test ran to completion.

--- a/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-sanitizeToString.tentative.html
+++ b/third_party/blink/web_tests/wpt_internal/sanitizer-api/sanitizer-sanitizeToString.tentative.html
@@ -10,7 +10,7 @@
 <script>
    test(t => {
      let s = new Sanitizer({});
-      assert_object_equals(s.creationOptions, {dropElements: null});
+      assert_object_equals(s.creationOptions, {dropElements: null, dropAttributes: null});
      assert_throws_js(TypeError, _ => s.sanitizeToString());
    }, "SanitizerAPI sanitize function without argument should throw an error.");


--- a/third_party/blink/web_tests/wpt_internal/sanitizer-api/support/testcases.sub.js
+++ b/third_party/blink/web_tests/wpt_internal/sanitizer-api/support/testcases.sub.js
 const testcases = [
-  {config_input: {}, config_value: {dropElements: null}, value: "test", result: "test", message: "string"},
-  {config_input: {}, config_value: {dropElements: null}, value: "<b>bla</b>", result: "<b>bla</b>", message: "html fragment"},
-  {config_input: {}, config_value: {dropElements: null}, value: "<a<embla", result: "", message: "broken html"},
-  {config_input: {}, config_value: {dropElements: null}, value: {}, result: "[object Object]", message: "empty object"},
-  {config_input: {}, config_value: {dropElements: null}, value: 1, result: "1", message: "number"},
-  {config_input: {}, config_value: {dropElements: null}, value: 000, result: "0", message: "zeros"},
-  {config_input: {}, config_value: {dropElements: null}, value: 1+2, result: "3", message: "arithmetic"},
-  {config_input: {}, config_value: {dropElements: null}, value: "", result: "", message: "empty string"},
-  {config_input: {}, config_value: {dropElements: null}, value: undefined, result: "undefined", message: "undefined"},
-  {config_input: {}, config_value: {dropElements: null}, value: null, result: "null", message: "null"},
-  {config_input: {}, config_value: {dropElements: null}, value: "<html><head></head><body>test</body></html>", result: "test", message: "document"},
-  {config_input: {}, config_value: {dropElements: null}, value: "<div>test", result: "<div>test</div>", message: "html without close tag"},
-  {config_input: {}, config_value: {dropElements: null}, value: "<script>alert('i am a test')<\/script>", result: "", message: "scripts"},
-  {config_input: {}, config_value: {dropElements: null}, value: "<p onclick='a= 123'>Click.</p>", result: "<p>Click.</p>", message: "onclick scripts"},
-  {config_input: {test: 123}, config_value: {dropElements: null}, value: "test", result: "test", message: "invalid config_input"},
-  {config_input: {dropElements: []}, config_value: {dropElements:[]}, value: "test", result: "test", message: "empty dropElements list"},
-  {config_input: {dropElements: ["div"]}, config_value: {dropElements:["DIV"]}, value: "<div>test</div><c>bla", result: "<c>bla</c>", message: "test html without close tag with dropElements list ['div']"},
-  {config_input: {dropElements: ["script"]}, config_value: {dropElements:["SCRIPT"]}, value: "<script>alert('i am a test')<\/script>", result: "", message: "test script with [\"script\"] as dropElements list"},
-  {config_input: {dropElements: ["test", "i"]}, config_value: {dropElements:["TEST","I"]}, value: "<div>balabala<i>test</i></div><test>t</test>", result: "<div>balabala</div>", message: "dropElements list [\"test\", \"i\"]}"},
-  {config_input: {dropElements: ["I", "AM"]}, config_value: {dropElements:["I", "AM"]}, value: "<div>balabala<am>test</am></div>", result: "<div>balabala</div>", message: "dropElements list [\"I\", \"AM\"]}"},
-  {config_input: {dropElements: ["am", "p"]}, config_value: {dropElements:["AM","P"]}, value: "<div>balabala<i>i</i><p>t</p><test>a</test></div>", result: "<div>balabala<i>i</i><test>a</test></div>", message: "dropElements list [\"am\", \"p\"]}"},
-  {config_input: {dropElements: [123, [], "test", "i"]}, config_value: {dropElements:["123","","TEST","I"]}, value: "<div>balabala<i>test</i></div><test>t</test>", result: "<div>balabala</div>", message: "dropElements list with invalid values}"}
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: "test", result: "test", message: "string"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: "<b>bla</b>", result: "<b>bla</b>", message: "html fragment"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: "<a<embla", result: "", message: "broken html"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: {}, result: "[object Object]", message: "empty object"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: 1, result: "1", message: "number"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: 000, result: "0", message: "zeros"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: 1+2, result: "3", message: "arithmetic"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: "", result: "", message: "empty string"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: undefined, result: "undefined", message: "undefined"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: null, result: "null", message: "null"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: "<html><head></head><body>test</body></html>", result: "test", message: "document"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: "<div>test", result: "<div>test</div>", message: "html without close tag"},
+  {config_input: {}, config_value: {dropElements: null, dropAttributes: null}, value: "<script>alert('i am a test')<\/script>", result: "", message: "scripts for default configs"},
+  {config_input: {test: 123}, config_value: {dropElements: null, dropAttributes: null}, value: "test", result: "test", message: "invalid config_input"},
+  {config_input: {dropElements: []}, config_value: {dropElements:[], dropAttributes: null}, value: "test", result: "test", message: "empty dropElements list"},
+  {config_input: {dropElements: ["div"]}, config_value: {dropElements:["DIV"], dropAttributes: null}, value: "<div>test</div><c>bla", result: "<c>bla</c>", message: "test html without close tag with dropElements list ['div']"},
+  {config_input: {dropElements: ["script"]}, config_value: {dropElements:["SCRIPT"], dropAttributes: null}, value: "<script>alert('i am a test')<\/script>", result: "", message: "test script with [\"script\"] as dropElements list"},
+  {config_input: {dropElements: ["test", "i"]}, config_value: {dropElements:["TEST","I"], dropAttributes: null}, value: "<div>balabala<i>test</i></div><test>t</test>", result: "<div>balabala</div>", message: "dropElements list [\"test\", \"i\"]}"},
+  {config_input: {dropElements: ["I", "AM"]}, config_value: {dropElements:["I", "AM"], dropAttributes: null}, value: "<div>balabala<am>test</am></div>", result: "<div>balabala</div>", message: "dropElements list [\"I\", \"AM\"]}"},
+  {config_input: {dropElements: ["am", "p"]}, config_value: {dropElements:["AM","P"], dropAttributes: null}, value: "<div>balabala<i>i</i><p>t</p><test>a</test></div>", result: "<div>balabala<i>i</i><test>a</test></div>", message: "dropElements list [\"am\", \"p\"]}"},
+  {config_input: {dropElements: [123, [], "test", "i"]}, config_value: {dropElements:["123","","TEST","I"], dropAttributes: null}, value: "<div>balabala<i>test</i></div><test>t</test>", result: "<div>balabala</div>", message: "dropElements list with invalid values}"},
+  {config_input: {dropAttributes: ["onclick"]}, config_value: {dropElements: null, dropAttributes: ["onclick"]}, value: "<p onclick='a= 123'>Click.</p>", result: "<p>Click.</p>", message: "dropAttributes list [\"onclick\"] with onclick scripts"},
+  {config_input: {dropAttributes: []}, config_value: {dropElements: null, dropAttributes: []}, value: "<p onclick='a= 123'>Click.</p>", result: "<p onclick=\"a= 123\">Click.</p>", message: "empty dropAttributes list with onclick scripts"},
+  {config_input: {dropAttributes: ["id"]}, config_value: {dropElements: null, dropAttributes: ["id"]}, value: "<p onclick='a= 123'>Click.</p>", result: "<p onclick=\"a= 123\">Click.</p>", message: "dropAttributes list [\"id\"] with onclick scripts"},
+  {config_input: {dropAttributes: ["ONCLICK"]}, config_value: {dropElements: null, dropAttributes: ["onclick"]}, value: "<p onclick='a= 123'>Click.</p>", result: "<p>Click.</p>", message: "dropAttributes list [\"ONCLICK\"] with onclick scripts"},
+  {config_input: {dropAttributes: ["data-attribute-with-dashes"]}, config_value: {dropElements: null, dropAttributes: ["data-attribute-with-dashes"]}, value: "<p id='p' data-attribute-with-dashes='123'>Click.</p><script>document.getElementById('p').dataset.attributeWithDashes=123;</script>", result: "<p id=\"p\">Click.</p><script></script>", message: "dropAttributes list [\"data-attribute-with-dashes\"] with dom dataset js access."},
 ];