Review feedback

index.bs

@@ -195,7 +195,7 @@ The <dfn for="Document" export>parseHTMLUnsafe</dfn>(|html|, |options|) method s
 1. [=Parse HTML from a string=] given |document| and |compliantHTML|.
 1. Let |sanitizer| be the result of calling [=get a sanitizer instance from options=]
  with |options|.
-1. Call [=sanitize=] on |document|'s [=tree/root|root node=] with |sanitizer|.
+1. Call [=sanitize=] on |document|'s [=tree/root|root node=] with |sanitizer| and false.
 1. Return |document|.
 
 </div>
@@ -211,7 +211,7 @@ The <dfn for="Document" export>parseHTML</dfn>(|html|, |options|) method steps a
 1. [=Parse HTML from a string=] given |document| and |html|.
 1. Let |sanitizer| be the result of calling [=get a sanitizer instance from options=]
  with |options|.
-1. Call [=sanitize=] on |document|'s [=tree/root|root node=] with |sanitizer|.
+1. Call [=sanitize=] on |document|'s [=tree/root|root node=] with |sanitizer| and true.
 1. Return |document|.
 
 </div>
@@ -228,35 +228,35 @@ dictionary SetHTMLOptions {
 </pre>
 
 The {{Sanitizer}} configuration object encapsulates a filter configuration.
-The same config can be used with both safe or unsafe methods. The intent is
+The same config can be used with both safe or unsafe methods, where the safe
+methods perform an implicit {{removeUnsafe}} operation. The intent is
 that one (or a few) configurations will be built-up early on in a page's
 lifetime, and can then be used whenever needed. This allows implementations
 to pre-process configurations.
 
-The configuration object is also query-able and can return
-configuration dictionaries,
-in both safe and unsafe variants. This allows a
-page to query and predict what effect a given configuration will have, or
-to build a new configuration based on an existing one.
+The configuration object can be queried to return a configuration dictionary.
+It can also be modified directly.
 
 <pre class=idl>
 [Exposed=(Window,Worker)]
 interface Sanitizer {
  constructor(optional SanitizerConfig config = {});
 
- // Query configurations:
+ // Query configuration:
  SanitizerConfig get();
- SanitizerConfig getUnsafe();
 
- // Modifying a Sanitizer:
- undefined element(SanitizerElementNamespaceWithAttributes element);
+ // Modify a Sanitizer's lists and fields:
+ undefined allowElement(SanitizerElementNamespaceWithAttributes element);
  undefined removeElement(SanitizerElement element);
- undefined replaceWithChildren(SanitizerElement element);
+ undefined replaceWithChildrenElement(SanitizerElement element);
  undefined allowAttribute(SanitizerAttribute attribute);
  undefined removeAttribute(SanitizerAttribute attribute);
  undefined setComment(boolean allow);
  undefined setDataAttributes(boolean allow);
  undefined setOtherMarkup(boolean allow);
+
+ // Remove markup that executes script. May modify multiple lists:
+ undefined removeUnsafe();
 };
 </pre>
 
@@ -274,20 +274,12 @@ Issue: This abandons all error handling, because setting a config will
 <div algorithm>
 The <dfn for="Sanitizer" export>get</dfn>() method steps are:
 
-1. Return the result of calling [=safeify=] on the result of
- [=Sanitizer/getUnsafe=].
-
-</div>
-
-<div algorithm>
-The <dfn for="Sanitizer" export>getUnsafe</dfn>() method steps are:
-
 1. Return the value of [=this=]'s [=internal slot=].
 
 </div>
 
 <div algorithm>
-The <dfn for="Sanitizer" export>element</dfn>(|element|) method steps are:
+The <dfn for="Sanitizer" export>allowElement</dfn>(|element|) method steps are:
 
 1. Let |name| be the result of [=canonicalize a sanitizer name=] |element| with [=HTML namespace=] as the default namespace.
 1. [=list/Append=] |name| to [=this=]'s [=internal slot=]'s {{SanitizerConfig/elements}} list.
@@ -311,7 +303,7 @@ The <dfn for="Sanitizer" export>removeElement</dfn>(|element|) method steps are:
 
 
 <div algorithm>
-The <dfn for="Sanitizer" export>replaceWithChildren</dfn>(|element|) method steps are:
+The <dfn for="Sanitizer" export>replaceWithChildrenElement</dfn>(|element|) method steps are:
 
 1. Let |name| be the result of [=canonicalize a sanitizer name=] |element| with [=HTML namespace=] as the default namespace.
 1. [=list/Append=] |name| from [=this=]'s [=internal slot=]'s 
@@ -329,7 +321,6 @@ The <dfn for="Sanitizer" export>allowAttribute</dfn>(|attribute|) method steps a
  {{SanitizerConfig/attributes}}.
 1. [=list/Remove=] |name| from [=this=]'s [=internal slot=]'s {{SanitizerConfig/removeAttributes}}.
 
-</div>
 </div>
 
 <div algorithm>
@@ -363,6 +354,14 @@ The <dfn for="Sanitizer" export>setOtherMarkup</dfn>(|allow|) method steps are:
 
 </div>
 
+<div algorithm>
+The <dfn for="Sanitizer" export>removeUnsafe</dfn>() method steps are:
+
+1. Update [=this=]'s [=internal slot=] with the result of calling [=remove unsafe=]
+ on [=this=]'s [=internal slot=].
+
+</div>
+
 ## The Configuration Dictionary ## {#config}
 
 <pre class=idl>
@@ -445,7 +444,7 @@ For the main <dfn>sanitize</dfn> operation, using a {{ParentNode}} |node|, a
 {{Sanitizer}} |sanitizer| and a [=boolean=] |safe|, run these steps:
 
 1. Let |config| be the value of |sanitizer|'s [=internal slot=].
-1. If |safe|, let |config| be the result of calling [=safeify=] on |config|.
+1. If |safe|, let |config| be the result of calling [=remove unsafe=] on |config|.
 1. Call [=sanitize core=] on |node|, |config|, and |safe| (as value for
  handling javascript navigation urls).
 
@@ -516,7 +515,14 @@ template contents). It consistes of these steps:
 ## Configuration Processing ## {#configuration-processing}
 
 <div algorithm>
-To <dfn for="SanitizerConfig">safeify</dfn> a |config|, do this:
+
+Note: While this algorithm is called [=remove unsafe=], we use
+ <a href="#security-considerations">the term "unsafe" strictly in the sense
+ of this spec</a>, to denote content that will
+ execute JavaScript when inserted into the document. In other words, this
+ method will remove oportunities for XSS.
+
+To <dfn for="SanitizerConfig">remove unsafe</dfn> from a |config|, do this:
 
 1. [=Assert=]: The [=built-in safe baseline config=] has
  {{SanitizerConfig/removeElements}} and {{SanitizerConfig/removeAttributes}}
@@ -586,19 +592,6 @@ if there exists an |entry| of |list| that is an [=ordered map=], and where
 
 </div>
 
-<div algorithm>
-Set difference (or set subtraction) is a clone of a set A, but with all members
-removed that occur in a set B:
-To compute the <dfn for="set">difference</dfn> of two [=ordered sets=] |A| and |B|:
-
-1. Let |set| be a new [=ordered set=].
-1. [=list/iterate|For each=] |item| of |A|:
- 1. If |B| does not [=set/contain=] |item|, then [=set/append=] |item|
- to |set|.
-1. Return |set|.
-
-</div>
-
 <div algorithm>
 Equality for [=ordered sets=] is equality of its members, but without
 regard to order: