TrustedHTML
The TrustedHTML
interface of the Trusted Types API
represents a string that a developer can insert into an injection sink that will render it as HTML. These objects are created via TrustedTypePolicy.createHTML()
and therefore have no constructor.
The value of a TrustedHTML object is set when the object is created and cannot be changed by JavaScript as there is no setter exposed.
Instance methods
TrustedHTML.toJSON()
-
Returns a JSON representation of the stored data.
TrustedHTML.toString()
-
A string containing the sanitized HTML.
Examples
In the below example we create a policy that will create TrustedHTML
objects using TrustedTypePolicyFactory.createPolicy()
. We can then use TrustedTypePolicy.createHTML
to create a sanitized HTML string to be inserted into the document.
The sanitized value can then be used with Element.innerHTML
to ensure that no new HTML elements can be injected.
html
<div id="myDiv"></div>
js
const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
createHTML: (string) => string.replace(/>/g, "<"),
});
let el = document.getElementById("myDiv");
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
console.log(escaped instanceof TrustedHTML); // true
el.innerHTML = escaped;
Specifications
Specification |
---|
Trusted Types # trusted-html |
Browser compatibility
BCD tables only load in the browser