Closed cancan101 closed 3 months ago
Hmmmm, so the idea is that the policy method returns a string, correct?
Returning a string loses some type information, namely that the string contains a sanitized string. Is there any option within trustedTypes
to allow the policy to accept a function that returns TrustedHTML
?
I am not sure what you mean, could you clarify a bit more what you want to achieve, what does not work and whether this is a DOMPurify issue or a general TrustedType question?
What do you mean with "This does not work"?
I think CreateHTMLCallback
from Trusted Types spec by design expects DOMString
return type, not TrustedHTML interface. So I don't think your first example is a bug, I think it works as expected.
+1 on providing more complete example in the docs of the correct usage, this could certainly help others who are new to using DOMPurify with Trusted Types
Ooooh, okay, now this makes sense, thank you @tosmolka :slightly_smiling_face:
About the README, happy to update, please define "more complete", what needs to be added? I am unsure what to best recommend - since I want to refrain from recommending strings after all.
@cancan101 Please let us know what you have in mind with a more comprehensive example, happy to update the README once we know (also feel free to send over a PR if that is easier).
Perhaps something along the line of:
// to create a Policy in trustedTypes using DOMPurify
// RETURN_TRUSTED_TYPE: false is needed as createHTML expects a normal string rather than TrustedHTML
window.trustedTypes!.createPolicy('default', {
createHTML: (to_escape) =>
DOMPurify.sanitize(to_escape, { RETURN_TRUSTED_TYPE: false }),
});
That works for me, thanks :smile:
We have updated the README, that should do the trick me believes?
This issue proposes an improvement to the README which clarifies how to use
DOMPurify.sanitize
along withtrustedTypes.createPolicy
, specifically when using Typescript.Background & Context
I am trying to create a
trustedTypes
policy and to useDOMPurify.sanitize
in thecreateHTML
. I am trying to do this in Typescript without resorting toany
.I have read the docs here: https://github.com/cure53/DOMPurify?tab=readme-ov-file#what-about-dompurify-and-trusted-types and looked at other usage in GitHub and and am confused.
Bug
This does not work (ie TS won't compile due to type issues):
whereas both of these work:
and
Should I just use one of those two options or is there a way to get this to work with
RETURN_TRUSTED_TYPE: true
without having to resort totoString
orany
?Feature
I suggest providing an more complete example in the docs of the correct usage.