Comments (9)
Hmmmm, so the idea is that the policy method returns a string, correct?
from dompurify.
Returning a string loses some type information, namely that the string contains a sanitized string. Is there any option within trustedTypes
to allow the policy to accept a function that returns TrustedHTML
?
from dompurify.
I am not sure what you mean, could you clarify a bit more what you want to achieve, what does not work and whether this is a DOMPurify issue or a general TrustedType question?
What do you mean with "This does not work"?
from dompurify.
I think CreateHTMLCallback
from Trusted Types spec by design expects DOMString
return type, not TrustedHTML interface. So I don't think your first example is a bug, I think it works as expected.
+1 on providing more complete example in the docs of the correct usage, this could certainly help others who are new to using DOMPurify with Trusted Types
from dompurify.
Ooooh, okay, now this makes sense, thank you @tosmolka 🙂
About the README, happy to update, please define "more complete", what needs to be added? I am unsure what to best recommend - since I want to refrain from recommending strings after all.
from dompurify.
@cancan101 Please let us know what you have in mind with a more comprehensive example, happy to update the README once we know (also feel free to send over a PR if that is easier).
from dompurify.
Perhaps something along the line of:
// to create a Policy in trustedTypes using DOMPurify
// RETURN_TRUSTED_TYPE: false is needed as createHTML expects a normal string rather than TrustedHTML
window.trustedTypes!.createPolicy('default', {
createHTML: (to_escape) =>
DOMPurify.sanitize(to_escape, { RETURN_TRUSTED_TYPE: false }),
});
from dompurify.
That works for me, thanks 😄
from dompurify.
We have updated the README, that should do the trick me believes?
from dompurify.
Related Issues (20)
- when using bypasssecurityTrustHtml mthod to render template HOT 3
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method HOT 2
- Use lower case for bower package name HOT 1
- Uncertain how to handle 'non-standard' HTML HOT 3
- Need to block external calls, e.g. all HTTP requests HOT 7
- Why does name="name" on an input field get purified? HOT 1
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method #947 HOT 3
- Latest versions of DOMPurify 2.5.x block custom SVG elements when they are set via ADD_TAGS config. HOT 6
- release 3.1.3 assets are the same as 3.1.2 HOT 1
- Number.isNaN is not supported in MSIE HOT 15
- Bower issues : DOMPurify is not defined HOT 5
- HTML and BODY tags are being regardless of `ALLOWED_TAGS` settings HOT 2
- MAX_NESTING_DEPTH remove contents issue HOT 5
- Escape unsafe characters instead of removing them HOT 3
- The MAX_NESTING_DEPTH remove contents issue has not been resolved. HOT 3
- A code comment containing a tag name structure leads to removal of the entire block HOT 2
- Issue secure [email protected] Apache-2.0 + Fair + MPL-2.0 HOT 1
- KEEP_CONTENT remove contents of all ALLOWED_TAGS HOT 2
- <img> xss vulnerability
- MathML Content Markup Removed HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dompurify.