Description
This is a bit of a shower thought I had today, as I learned about the HTML Sanitizer API being developed by the WICG/W3C (another component of this being the fairly well known DOMPurify by Cure53): each of these has its own set of allowances.
For instance, in my understanding ammonia and Sanitizer will strip out form content by default, whereas DOMPurify allows them because they consider the enabler to be autofocus.
And while I think using multiple such sanitizers should not usually be a concern as long as everyone normalises HTML the same way and avoids mXSS (though that can be difficult), it would likely be desirable to have a server-side sanitizer match the client side as well.
Although of course third-party crates (or even siblings in the organisation) should be sufficient bridges to handle it, and might make it more reasonable to have full translations from third-party configuration formats.
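To make the drift the issue describes concrete, here is an added example (not code from the ammonia project, the Sanitizer API or DOMPurify): a minimal allowlist sanitizer built on Python's `html.parser`, run with two constructed profiles, one that strips form content and one that keeps it. The two allowlists, the profile names and the sample fragment are assumptions standing in for real defaults, not the actual configuration of any of the named projects; the point is the check at the end, which reports which tags only one side allows and whether the same input comes out identical from both sanitizers.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists (assumption: illustrative stand-ins, not the real
# defaults of ammonia, the Sanitizer API or DOMPurify).
# SERVER_PROFILE drops form content; CLIENT_PROFILE keeps form elements but
# still passes no event-handler or autofocus attributes.
BASE_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "span"}
FORM_TAGS = {"form", "input", "button", "select", "option", "textarea", "label"}

SERVER_PROFILE = {
    "tags": BASE_TAGS,
    "attrs": {"a": {"href", "title"}, "*": {"class"}},
}
CLIENT_PROFILE = {
    "tags": BASE_TAGS | FORM_TAGS,
    "attrs": {"a": {"href", "title"}, "input": {"type", "name", "value"}, "*": {"class"}},
}

VOID_TAGS = {"br", "input"}          # elements that never get a closing tag
DROP_CONTENT = {"script", "style"}   # disallowed elements whose text is dropped too


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allowlisted tags and attributes.

    Disallowed elements are unwrapped (tag removed, text kept), except for
    DROP_CONTENT elements, whose text is discarded as well.
    """

    def __init__(self, profile):
        super().__init__(convert_charrefs=True)
        self.profile = profile
        self.out = []
        self.stack = []  # (tag, emitted) for every non-void open element

    def _allowed_attrs(self, tag, attrs):
        allowed = self.profile["attrs"].get(tag, set()) | self.profile["attrs"].get("*", set())
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Allowlist decides; the on* check is belt-and-braces.
            if name not in allowed or name.startswith("on"):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_startendtag(self, tag, attrs):
        # Treat <br/> exactly like <br>; endtag handling for voids is a no-op.
        self.handle_starttag(tag, attrs)

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        emitted = tag in self.profile["tags"]
        if emitted:
            self.out.append(f"<{tag}{self._allowed_attrs(tag, attrs)}>")
        if tag not in VOID_TAGS:
            self.stack.append((tag, emitted))

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in VOID_TAGS or tag not in [t for t, _ in self.stack]:
            return  # stray or void end tag: nothing to close
        # Pop to the matching open element, closing emitted tags on the way.
        while self.stack:
            open_tag, emitted = self.stack.pop()
            if emitted:
                self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if any(t in DROP_CONTENT for t, _ in self.stack):
            return
        self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.stack:  # close anything the input left open
            open_tag, emitted = self.stack.pop()
            if emitted:
                self.out.append(f"</{open_tag}>")
        return "".join(self.out)


def sanitize(fragment, profile):
    parser = AllowlistSanitizer(profile)
    parser.feed(fragment)
    return parser.close()


def profile_diff(server, client):
    """Tags that only one side allows: the allowance drift the issue describes."""
    return {
        "only_client_allows": sorted(client["tags"] - server["tags"]),
        "only_server_allows": sorted(server["tags"] - client["tags"]),
    }


def outputs_agree(fragment, server, client):
    """True when server-side and client-side sanitization yield identical HTML."""
    return sanitize(fragment, server) == sanitize(fragment, client)


# Constructed sample: a submitted fragment carrying form markup and a script.
SAMPLE = (
    '<p class="c">Hi <form action="/x"><input name="q" autofocus>'
    "<button>Go</button></form><script>x()</script></p>"
)

if __name__ == "__main__":
    print(sanitize(SAMPLE, SERVER_PROFILE))
    print(sanitize(SAMPLE, CLIENT_PROFILE))
    print(profile_diff(SERVER_PROFILE, CLIENT_PROFILE))
    print(outputs_agree(SAMPLE, SERVER_PROFILE, CLIENT_PROFILE))
```

Running it shows the two profiles agree on plain markup but diverge as soon as form content appears: the server-side profile reduces the sample to `<p class="c">Hi Go</p>` while the client-side one keeps the `<form>`, `<input>` and `<button>` elements (minus `autofocus`). A `profile_diff` that is non-empty, or an `outputs_agree` that returns `False` on representative fixtures, is the kind of check that would flag a server/client configuration mismatch before it matters.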