knockout / knockout

Knockout makes it easier to create rich, responsive UIs with JavaScript
http://knockoutjs.com/

Add support for Trusted Types #2579

Open shhnjk opened 2 years ago

shhnjk commented 2 years ago

Trusted Types helps prevent DOM-based XSS from appearing in Web applications.

Given that jQuery also supports Trusted Types, adding support for Trusted Types to Knockout would be a good idea.

Most of the changes would be to pass the given HTML without modification, especially if the HTML is a TrustedHTML. This means that if we add support for Trusted Types AND a web developer would like to enforce Trusted Types, the following code would not work.

<!-- DOM-based XSS -->
<p>Name: <strong data-bind="html: decodeURI(location.hash.slice(1))"></strong></p>

Instead, the above code has to be changed to something safer.

<p>Name: <strong data-bind="html: userName"></strong></p>
<script>
    const policy = trustedTypes.createPolicy('app-policy', {
        createHTML: input => {
            // assumes an HTML sanitizer function is available to the page
            return sanitize(input);
        }
    });

    function AppViewModel() { 
        this.userName = policy.createHTML(decodeURI(location.hash.slice(1)));  
    } 

    ko.applyBindings(new AppViewModel());
</script>
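As an added example (not Knockout's code and not part of this issue), a Node-runnable simulation of why the html binding must hand a TrustedHTML value through unchanged: Node has no `trustedTypes` or DOM, so the browser's enforcement is modelled with a branded stub object, and `makePolicy`, `enforcingElement` and the two `htmlBinding*` updaters are constructed names.

```javascript
// Simulation only: a minimal stand-in for the browser's Trusted Types
// enforcement, showing why a Knockout-style html binding must pass a
// TrustedHTML value through unchanged. Not Knockout's code and not the real
// trustedTypes API; makePolicy, enforcingElement and htmlBinding* are
// names constructed for this example.
'use strict';

const trustedBrand = new WeakSet(); // objects produced by a policy

// Stand-in for trustedTypes.createPolicy(): wraps the output of the policy's
// createHTML in a branded object, like the browser's TrustedHTML type.
function makePolicy(name, { createHTML }) {
  return {
    name,
    createHTML(input) {
      const obj = { toString: () => String(createHTML(String(input))) };
      trustedBrand.add(obj);
      return obj;
    },
  };
}

// WeakSet.has() returns false for primitives, so plain strings never pass.
function isTrustedHTML(value) { return trustedBrand.has(value); }

// Stand-in for an element under `require-trusted-types-for 'script'`:
// innerHTML accepts only TrustedHTML, never a plain string.
function enforcingElement() {
  return {
    set innerHTML(value) {
      if (!isTrustedHTML(value)) throw new TypeError('innerHTML requires TrustedHTML');
      this._html = String(value);
    },
    get innerHTML() { return this._html || ''; },
  };
}

// Stand-in for the sanitizer the issue calls from createHTML: this one
// escapes all markup; a real sanitizer would allow a safe subset instead.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const policy = makePolicy('app-policy', {
  createHTML: (input) => input.replace(/[&<>"']/g, (c) => ESC[c]),
});

// Two candidate html-binding updaters: the first normalises its input to a
// string (losing the TrustedHTML brand), the second passes it through.
function htmlBindingStringifies(el, value) { el.innerHTML = typeof value === 'string' ? value : value.toString(); }
function htmlBindingPassesThrough(el, value) { el.innerHTML = value; }

// Apply a binding to a fresh enforcing element and report the outcome.
function tryBinding(binding, value) {
  const el = enforcingElement();
  try { binding(el, value); return { ok: true, html: el.innerHTML }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```

Under enforcement, only the pass-through updater fed a policy-created value succeeds; the stringifying updater fails even when the developer did everything right, which is the behaviour the issue asks Knockout to avoid.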