DOMPurify and Trusted Types - Clarification to Docs about dompurify HOT 9 CLOSED

Hmmmm, so the idea is that the policy method returns a string, correct?

from dompurify.

Returning a string loses some type information, namely that the string contains a sanitized string. Is there any option within trustedTypes to allow the policy to accept a function that returns TrustedHTML?

from dompurify.

I am not sure what you mean, could you clarify a bit more what you want to achieve, what does not work and whether this is a DOMPurify issue or a general TrustedType question?

What do you mean with "This does not work"?

from dompurify.

I think CreateHTMLCallback from Trusted Types spec by design expects DOMString return type, not TrustedHTML interface. So I don't think your first example is a bug, I think it works as expected.

+1 on providing more complete example in the docs of the correct usage, this could certainly help others who are new to using DOMPurify with Trusted Types

from dompurify.

Ooooh, okay, now this makes sense, thank you @tosmolka 🙂

About the README, happy to update, please define "more complete", what needs to be added? I am unsure what to best recommend - since I want to refrain from recommending strings after all.

from dompurify.

@cancan101 Please let us know what you have in mind with a more comprehensive example, happy to update the README once we know (also feel free to send over a PR if that is easier).

from dompurify.

Perhaps something along the line of:

// to create a Policy in trustedTypes using DOMPurify
// RETURN_TRUSTED_TYPE: false is needed as createHTML expects a normal string rather than TrustedHTML
window.trustedTypes!.createPolicy('default', {
  createHTML: (to_escape) =>
    DOMPurify.sanitize(to_escape, { RETURN_TRUSTED_TYPE: false }),
});

from dompurify.

That works for me, thanks 😄

from dompurify.

We have updated the README, that should do the trick me believes?

from dompurify.