TrustedTypePolicy

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Note: This feature is available in Web Workers.

The TrustedTypePolicy interface of the Trusted Types API defines a group of functions which create TrustedType objects.

A TrustedTypePolicy object is created by TrustedTypePolicyFactory.createPolicy() to define a policy for enforcing security rules on input. Therefore, TrustedTypePolicy has no constructor.

Instance properties

TrustedTypePolicy.name Read only: A string containing the name of the policy.

Instance methods

TrustedTypePolicy.createHTML(): Creates a TrustedHTML object.
TrustedTypePolicy.createScript(): Creates a TrustedScript object.
TrustedTypePolicy.createScriptURL(): Creates a TrustedScriptURL object.

In the below example we create a policy that will create TrustedHTML objects using TrustedTypePolicyFactory.createPolicy(). We can then use TrustedTypePolicy.createHTML to create a sanitized HTML string to be inserted into the document.

The sanitized value can then be used with Element.innerHTML to ensure that no new HTML elements can be injected.

html

<div id="myDiv"></div>

const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
  createHTML: (string) => string.replace(/>/g, "<"),
});

let el = document.getElementById("myDiv");
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
console.log(escaped instanceof TrustedHTML); // true
el.innerHTML = escaped;

Specifications

Specification
Trusted Types # trusted-type-policy

Browser compatibility

BCD tables only load in the browser

Instance properties

Instance methods

Examples

Specifications

Browser compatibility