TrustedTypePolicyFactory
The TrustedTypePolicyFactory interface of the Trusted Types API creates policies and allows the verification of Trusted Type objects against created policies.
Properties
TrustedTypePolicyFactory.emptyHTML (read only): Returns a TrustedHTML object containing an empty string.
TrustedTypePolicyFactory.emptyScript (read only): Returns a TrustedScript object containing an empty string.
TrustedTypePolicyFactory.defaultPolicy (read only): Returns the default TrustedTypePolicy or null if this is empty.
Methods
TrustedTypePolicyFactory.createPolicy(): Creates a TrustedTypePolicy object that implements the rules passed as policyOptions.
TrustedTypePolicyFactory.isHTML(): When passed a value checks that it is a valid TrustedHTML object.
TrustedTypePolicyFactory.isScript(): When passed a value checks that it is a valid TrustedScript object.
TrustedTypePolicyFactory.isScriptURL(): When passed a value checks that it is a valid TrustedScriptURL object.
TrustedTypePolicyFactory.getAttributeType(): Allows web developers to check whether a Trusted Type is required for an element and attribute, and if so which one.
TrustedTypePolicyFactory.getPropertyType(): Allows web developers to check whether a Trusted Type is required for a property, and if so which one.
Examples
The code below creates a policy with the name "myEscapePolicy" with a function defined for createHTML() which sanitizes HTML.
We then use the policy to sanitize a string, creating a TrustedHTML object, escaped. This object can be tested with isHTML() to ensure that it was created by one of our policies.
const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
  // Escape "<" so the input cannot open a tag when parsed as HTML.
  createHTML: (string) => string.replace(/</g, "&lt;"),
});
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
console.log(trustedTypes.isHTML(escaped)); // true
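The following is an added example, not code from the original page: it uses isHTML() and getPropertyType() to guard an HTML sink, and falls back to a plain rules object where the API is missing. The policy name "sinkEscapePolicy" and the helpers toSinkHTML and requiredTypeFor are hypothetical names chosen for illustration.

```javascript
// Added example; "sinkEscapePolicy", toSinkHTML and requiredTypeFor are hypothetical names.
// Use the browser's factory when present. Otherwise fall back to a "tinyfill"
// whose createPolicy() returns the rules object, so createHTML() yields strings.
const nativeTT =
  typeof globalThis.trustedTypes !== "undefined" ? globalThis.trustedTypes : null;
const tt = nativeTT ?? { createPolicy: (_name, rules) => rules };

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

const sinkEscapePolicy = tt.createPolicy("sinkEscapePolicy", {
  // Escape every character that can change the parsing context in HTML.
  createHTML: (input) => String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]),
});

// Returns a value that is safe to assign to an HTML sink such as innerHTML.
function toSinkHTML(value) {
  // isHTML() is true only for TrustedHTML objects minted by a policy,
  // so those pass through without being escaped a second time.
  if (nativeTT && nativeTT.isHTML(value)) return value;
  // Strings and look-alike objects are not trusted: run them through the policy.
  return sinkEscapePolicy.createHTML(value);
}

// Reports which Trusted Type a property assignment requires
// (for example "TrustedHTML"), or null when none is required
// or the API is unavailable.
function requiredTypeFor(tagName, property) {
  return nativeTT ? nativeTT.getPropertyType(tagName, property) : null;
}

// Constructed sample input, labelled as such.
const sample = "<img src=x onerror=alert(1)>";
console.log(String(toSinkHTML(sample)));
console.log(requiredTypeFor("div", "innerHTML"));
```

In a browser where the page's CSP carries a trusted-types directive, the policy name must be allowed by that directive or createPolicy() throws.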
Specifications
Specification |
---|
Trusted Types # trusted-type-policy-factory |