
Posts by Freddy

The zero-days are numbered | The Mozilla Blog Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.

blog.mozilla.org/en/privacy-s...

3 hours ago 1 0 0 0
Applied Cryptography: Free Online Course for 50 Lebanese University Students This Summer We're opening 50 spots for students at Lebanese universities to take the Applied Cryptography course online, completely free of charge, starting June 2026. Applications are open now.

Major announcement: My highly successful Applied Cryptography course taught last year at the American University of Beirut is returning as an online course, available for FREE for any qualifying student from any Lebanese university!

Read more + apply today — and please spread the word!

4 weeks ago 13 3 1 0

Next up, 'Improving the Trustworthiness of Javascript on the Web', presented by Michael Rosenberg, Giulio Berra, Ezzudin Alkotob, and Dennis Jackson

#realworldcrypto

1 month ago 7 1 1 0

OK, ok. I'll stop blogging for today. I promise.

1 month ago 0 0 0 0

Composing Sanitizer configurations (https://frederikbraun.de/composable-sanitizers.html) The HTML Sanitizer API allows multiple ways to customize the default allow list and this blog post aims to describe a few variations and tricks we came up with while writing the specification.

1 month ago 1 0 0 0

hat-tip to @shhnjk.bsky.social 🤓

1 month ago 3 0 0 0

New blog post: Perfect types with `setHTML()` - frederikbraun.de/perfect-types-with-setht... - TLDR: Use require-trusted-types-for 'script'; trusted-types 'none'; in your CSP and nothing besides setHTML() works, essentially removing all DOM-XSS risks....

1 month ago 11 3 1 0
HTML Sanitizer API browser support list with unsupported Safari being poked with a stick by the White Ninja meme

c'mon Safari

1 month ago 108 9 0 0
704: Sanitizer API with Frederik Braun We talk with Frederik Braun from Mozilla about the Sanitizer API, how it works with HTML tags and web components, what it does with malformed HTML, and where CSP fits in alongside the Sanitizer API…

I was invited to join the @shoptalkshow.com podcast and talk about my favorite topic. The HTML Sanitizer API and `setHTML()`. Give it a spin in your favorite podcast player :) shoptalkshow.com/704/

1 month ago 0 0 0 0

we did a thing! Congrats to the team for getting this out.

1 month ago 7 0 1 0

P.S. this account is write-only. I will only post announcements and blog post links. If you want to reach me, try mastodon or email m

3 months ago 0 0 0 0

this is your regular reminder that centralized, single-ownership social media is doomed

3 months ago 1 0 1 0
Sponsor @jub0bs on GitHub Sponsors infosec enthusiast • Go developer & trainer • minimalist • chaotic good • trying to make sense of the Web • he/him

⚡ I've been contributing micro-optimisations to Go's standard library in my spare time: github.com/golang/go/co...

💸 I don't intend to stop any time soon, but if you benefit from my work and would like to support it, consider sponsoring me on GitHub: github.com/sponsors/jub...

#golang #OpenSource

7 months ago 17 2 1 0
OSCW 2026: Taipei, Taiwan :: Open Source Cryptography Workshop OSCW 2026 will take place 8 March 2026, the day before Real World Crypto

The Open Source Cryptography Workshop is returning for 2026, before Real World Crypto in Taipei. We are calling for session proposals, both presentations and hands-on workshops, on topics of interest to those who work on and with open source crypto. oscwork.shop/2026 #oscw #rwc #oscw2026 #rwc2026

3 months ago 1 2 0 0

decoder hosted the session.

3 months ago 2 0 0 0

Oh noes. Well, see you next time, I suppose? On the upside, the talk was recorded. :)

3 months ago 2 0 0 0
[39c3] Lightning Talks - Day 2 - **Lightning Talks Introduction** - **Chaos on the Rails: The Truth Behind the Delays** — *poschi* - **EventFahrplan - The 39C3 Fahrplan App for Android** — *tbsprs* - **Quantum computing...

Hey #39c3. Come see my lightning talk on a safe variant for `.innerHTML` that is built right into the browser. Tomorrow (day 2), at approximately 12:25 - events.ccc.de/congress/202...

3 months ago 11 2 1 0

Hey #39c3, chat me up if you want to talk about web security, browser security. I will be one of the tall dudes with a Firefox hoodie :)

3 months ago 4 1 0 0

lol, bsky wanting everyone's birthday.

Follow me on mastodon, you cowards.

4 months ago 0 0 0 0

New blog post: Why the Sanitizer API is just `setHTML()` - https://frederikbraun.de/why-sethtml.html

4 months ago 42 17 0 0

New blog post. Something off-topic to feed the search engine. A bug in Lego Star Wars: The Complete Saga (2007). frederikbraun.de/lego-star-wars-complete-...

4 months ago 0 0 0 0
Handling of `<a href="data:...">` · Issue #352 · WICG/sanitizer-api We allow anchors in the default configuration and only restrict javascript: URLs. data: URLs (especially inside an iframe) might look like XSS: https://x.com/KwanAleister/status/1985542748930523233...

We had a first good outcome already (via Twitter). While `data` URLs are not what I would consider an XSS in the page, I still see it as a confusion that we should address head on. We have an issue filed in github.com/WICG/sanitiz... :)

5 months ago 2 0 0 0

(Terms and conditions apply. Bounty payouts are at the discretion of the bug bounty committee etc. etc. But yes. Bugs in the sanitizer are eligible.)

5 months ago 2 0 0 0

I don't know who needs a kitty headbutt right now, but here's one for you

5 months ago 32 6 0 0

YES! :)

5 months ago 1 0 1 0

Firefox nightly introduces the setHTML() method. Which is like a native DOMPurify. You can easily test it here:
portswigger-labs.net/mxss/

Set HTMLSanitizer ✅
Auto update ✅

I'm trying to break it, I encourage you to break it too

5 months ago 18 8 4 0

Hej!

We are thrilled to announce Hack.lu CTF 2025 starts on Friday, October 17.

Top teams can win prizes from our sponsors: OffensiveCon, Zellic, PortSwigger, Binary Ninja, and HackTheBox.

All information on flu.xxx

6 months ago 4 3 0 0

A huge improvement in quality of life. Thank you very much for your efforts! Whom should I write a polite letter to about the loading zones perhaps getting a lowered curb for easier unloading? InfraVelo or the district office? Or is here enough? ;-)

6 months ago 1 0 1 0
CRLite: Fast, private, and comprehensive certificate revocation checking in Firefox – Mozilla Hacks - the Web developer blog Firefox is now the first and the only browser to deploy fast and comprehensive certificate revocation checking that does not reveal your browsing activity to anyone (not even to Mozilla). ...
8 months ago 3 2 0 0

I'm in a phenomenal talk on gender inequality in cybersecurity this morning and this is such a great cheat sheet for intersectional fair employment.

8 months ago 177 56 3 1