Re-write default handling and supply default values.

[otherdaniel]

This PR

• distinguishes between built-ins (non-overridable) and defaults (what you get without an explicit config)
• makes the default an allow-list (plus a provisional allow list for attributes)
• I snuck in special-casing for <template>

The first commit defined the built-ins as a block-list; the second also as an allow-list.
I find the second one to be somewhat harder to read. (E.g. it's more difficutl to find the difference between built-in and default lists.)

[mozfreddyb]

I don't think we want a blanket allow-boolean for this case (and the attribute case below). I think we should ask developers to specifically list the elements & attributes they need.

I know this puts an extra onus on e.g., framework authors, but I'd rather do this than provide a footgun that turns this into a security bug. Happy to debate this further.

[otherdaniel]

I'm not sure I agree, honestly. I'll remove them in the next update, but I guess I'll make an attempt at getting them back in again. :)

[mozfreddyb]

Same nit as above, plus I'd prefer we figure out a way to name it once in the spec and then reference it from there instead of having it fully enumerated in two places.

[otherdaniel]

Not sure I agree. The baseline and the default config will differ in subtle ways. Otherwise, we could just merge them again.

Arguably, it'd make sense to have an easier way to construct them, like:
default = { allowElement: baseline.allowElements + ["bla", "bla", "blubb"] }
Or so. That'd likely be much easier to understand.

Incidentally, today someone brought up exactly that point when discussing allowUnknownElements. So if someone wants to add an "unknown" element to the list, they shouldn't have to research and repeat the entire allow-list. I guess we're missing a mechanism there.

(Could be: Default config exposed, so people can easily build on it. Or every Sanitizer exposes their config. Or "inheritance", where you name a "parent" Sanitizer. Or... )

[otherdaniel]

Would it make sense to add a (non-normative, I guess?) section that explains how the values were constructed? Ideally in executable form.

Something like: https://github.com/otherdaniel/purification/blob/default-construction/resources/configurations.html

The idea is that one can copy&paste the results into the spec (or generate them as part of the deploy script). If all goes well, the code version could be more easily readable & modifyable than the spec version, but we'd still have a definite version in the spec.

[otherdaniel]

I've run these files through a tool called json_pp (JSON pretty print) that I found on my machine. I'm not sure this format is the best, but it's very diff-able.

[otherdaniel]

I've uploaded a re-write of this PR. I'll re-add actual default values next.
@mozfreddyb could you take a quick look and offer an opinion on whether this is going in the right direction?

[otherdaniel]

I've also (re-) added actual default values, as well as a script that computes them. The intention is that the script is easier to understand and modify, but we'd still have exact values in the spec. I'd appreciate another round of reviews, looking both at the actual default values, as well as the mechanics for how we construct them.

[mozfreddyb]

Thanks for the hard work! Sorry it took me so long.

[mozfreddyb]

oh darn. merging #70 before this made this a revision with merge conflicts. 😖

[mozfreddyb]

let's land this :)

[otherdaniel]

Landed! :)