Element.innerHTML - add info trusted types #40423
Conversation
github-actions
bot
added
Content:WebAPI
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
Preview URLs External URLs (2)URL:
(comment last updated: 2025-08-04 01:11:40) |
hamishwillee
force-pushed
the
element-innerhtml_tt
branch
from
24677d9 to
cfaddcf
Compare
hamishwillee
requested review from
sideshowbarker and
wbamberg
and removed request for
a team
|
FYI @lukewarlow @wbamberg - this is the trusted types update for All the examples use trustedHTML. This also shows the first live example use of the tinyfill in the docs. This is duplication with the main docs, but it feels very practical to me given the current state of trustedtypes. |
hamishwillee
force-pushed
the
element-innerhtml_tt
branch
from
8b5583a to
482eccd
Compare
|
Thanks @wbamberg ! Feedback for the first document integrated. Much appreciated. |
| While not required for this example, below we follow the recommendation of defining a policy to create {{domxref("TrustedHTML")}} objects from the input (we should also enforce the policy `safe-content-policy` using CSP). | ||
| In this case we know the input is safe so this policy passes it through without modification. | ||
| The commented code shows how you might instead use the "DOMPurify" library to sanitize content that wasn't trusted. |
There was a problem hiding this comment.
Similarly to the other example, I wonder about whether we should give people guidance like "we know the input is safe so this policy passes it through without modification".
I suppose part of the issue here is that you want to make it a live sample, but you can't do that and use DOMPurify, so it's hard to make it a "real" example.
One option would be, keep the same code but change the guidance from "we don't need a policy that does anything here" to "in order for this example to work without a third-party dependency, we've implemented a no-op policy here, but you shouldn't do this in real life".
Another option would be to stop making this a live sample, and use DOMPurify, but that would be sad because we want to show the effect of position.
Yet a third option would be to implement our own basic sanitizer, but that might be tricky to get right.
I'd love to know what @aaronshim thinks our guidance here ought to be. Is it good practice to have a no-op policy for content that we "know" is safe?
There was a problem hiding this comment.
I've done a modification of "in order for this example to work without a third-party dependency, we've implemented a no-op policy here, but you shouldn't do this in real life".
Its the safest option and the one that most closely matches what we want users to do.
I definitely do not want to remove the live example - it is very helpful for visualising the insert behaviour :-)
There was a problem hiding this comment.
I'd love to know what @aaronshim thinks our guidance here ought to be. Is it good practice to have a no-op policy for content that we "know" is safe?
Me too.
I tend to think that the advice should generally be no - if you want to use these unsafe APIs then you're better always sanitizing. In most cases you'd instead replace using TT and use setHTML() (once supported).
Of course the API itself doesn't care, and if the website has a policy that allows noops then developers will be allowed to use said noop policy.
The more interesting noop question is what you do with setHTMLUnsafe() (once supported) - the case where you know you have unsafe strings, but you perhaps need to allow them anyway. If that is a valid case, my contention is that you'd have a noop trusted type to avoid double sanitization.
That's a problem for #40420 (comment)
There was a problem hiding this comment.
I'm happy with your choice here and let's merge it. We can always follow up if Aaron recommends something else.
|
This pull request has merge conflicts that must be resolved before it can be merged. |
hamishwillee
force-pushed
the
element-innerhtml_tt
branch
from
482eccd to
64f8ca9
Compare
|
No, thanks for the review and all the great advice @wbamberg . I feel better that we're finally getting these updated. |
This updates the following properties to explain how they are used with TrustedTypes:
Element.innerHTMLElement.insertAdjacentHTML()This is in progress:
This does not mention the sanitizer methods as alternatives since the
setHTML()is not implemented anywhere, and the sanitizer insetHTMLUnsafe()is not yet implemented. We're in separate discussion on those and when they are in a release we can revisit.Part of #37518 (tracking issue)