TrustedTypePolicy: createHTML() method

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Note: This feature is available in Web Workers.

The createHTML() method of the TrustedTypePolicy interface creates a TrustedHTML object using a policy created by TrustedTypePolicyFactory.createPolicy().

Syntax

js
createHTML(input)
createHTML(input, args)

Parameters

input

A string to be sanitized by the policy.

args Optional

Additional arguments to be passed to the function represented by TrustedTypePolicy.

Return value

A TrustedHTML object.

Exceptions

TypeError

Thrown if TrustedTypePolicy does not contain a function to run on the input.

Examples

In the example below, a string containing a potentially dangerous script is used as the input for createHTML(). The policy's function sanitizes the string, so dangerous code inserted by a user can be neutralized before the result is inserted into any injection sink.

js
// escapeHTMLPolicy is a TrustedTypePolicy created earlier with createPolicy()
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
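
The following is an added example, not part of the original reference page. It shows a complete policy whose createHTML function receives both input and an extra argument, and it shows the TypeError raised by a policy that has no createHTML function. The policy names, the `wrap` option and the helper names are assumptions made for illustration. Where Trusted Types is unavailable, the fallback returns the rules object from createPolicy(), so createHTML() yields a plain string instead of a TrustedHTML object.

```javascript
// Added example. Policy names, the `wrap` option and helper names are hypothetical.

// Fallback for engines without Trusted Types (older browsers, Node):
// createPolicy() returns the rules object, so createHTML() yields a plain string.
const tt = globalThis.trustedTypes ?? { createPolicy: (_name, rules) => rules };

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const ALLOWED_WRAPPERS = new Set(["p", "span", "code"]);

// The policy's createHTML function: receives `input` plus whatever extra
// arguments the caller passed to policy.createHTML(input, ...args).
function escapeHTML(input, options = {}) {
  const escaped = String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
  if (options.wrap === undefined) return escaped;
  // Only fixed, allow-listed tag names are ever emitted as markup.
  if (!ALLOWED_WRAPPERS.has(options.wrap)) {
    throw new RangeError(`wrapper not allowed: ${options.wrap}`);
  }
  return `<${options.wrap}>${escaped}</${options.wrap}>`;
}

const escapeHTMLPolicy = tt.createPolicy("exampleEscapePolicy", { createHTML: escapeHTML });
// A policy created without a createHTML function.
const noHTMLPolicy = tt.createPolicy("exampleNoHTMLPolicy", {});

// Returns the string form of the TrustedHTML (or fallback string) the policy produced.
function render(input, options) {
  return String(escapeHTMLPolicy.createHTML(input, options));
}

// Reports whether calling createHTML() on `policy` throws a TypeError.
function createHTMLThrowsTypeError(policy) {
  try {
    policy.createHTML("<b>x</b>");
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

console.log(render("<img src=x onerror=alert(1)>"));
console.log(render("<img src=x onerror=alert(1)>", { wrap: "code" }));
console.log(createHTMLThrowsTypeError(noHTMLPolicy));
```

In a browser that enforces Trusted Types, assign the value returned by createHTML() to the sink directly rather than its string form, since render() converts to a string only so the result can be printed.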

Specifications

Specification: Trusted Types, # dom-trustedtypepolicy-createhtml
