
jkrems, last Wednesday at 8:58 PM

I mean... "as configured" can be either an allow OR a denylist. That sentence doesn't really prescribe doing it one way or the other..? You have to parse the denylisted elements because they will affect the rest of the parse, so you _have_ to remove them afterwards in the general case.


Replies

IshKebab, last Wednesday at 9:23 PM

Looks like it supports both actually: https://wicg.github.io/sanitizer-api/#sanitization

That's better than only supporting `removeElements`, but it really shouldn't support it at all.