liriliri / licia

Useful utility collection with zero dependencies
https://licia.liriliri.io
MIT License

insertAdjacentHTML breaks TrustedHTML #30

Open JingMatrix opened 1 year ago

JingMatrix commented 1 year ago

Please avoid using insertAdjacentHTML function here: https://github.com/liriliri/licia/blob/4a8e6d412c7d0f5d696def09bf606d3d2d070197/src/%24insert.js#L68

It makes your project Eruda unable to load on websites with the Trusted Types API enabled.

JingMatrix commented 1 year ago

I have a simple workaround to load eruda on pages requiring Trusted Types. threads.net is an example website where the Trusted Types API is used without checking policy names using CSP. So in the following workaround, we create a new policy eruda to build TrustedHTML.

https://github.com/JingMatrix/ChromeXt/blob/685f9a07fdb6ca19f24f7e8418e3d178f81bca4d/app/src/main/assets/eruda.js#L5-L19

The above workaround is not perfect, as it doesn't cover this usage of innerHTML in luna:

https://github.com/liriliri/luna/blob/e1c2374e02f789708461fbb4706e32b9e1de7988/src/dom-highlighter/overlay/tool_highlight.ts#L102

It would be better if you changed the source code, so that I don't need to change the obfuscated JS code.
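An added example, not part of the thread and not the code from the linked ChromeXt workaround or from licia: routing a string through a Trusted Types policy before it reaches `insertAdjacentHTML`, including the case where a CSP `trusted-types` directive rejects the policy name. The helper names `getHtmlPolicy` and `insertHtml` are hypothetical; the policy name `eruda` comes from the comment above.

```javascript
// Added example; getHtmlPolicy and insertHtml are hypothetical helper names.
const policyCache = new WeakMap(); // factory -> Map(policy name -> policy)

// Returns a policy exposing createHTML(), or null when the page has no
// Trusted Types support (then a plain string is still accepted by the sink).
function getHtmlPolicy(name, tt = globalThis.trustedTypes) {
  if (!tt || typeof tt.createPolicy !== 'function') return null;
  let byName = policyCache.get(tt);
  if (!byName) policyCache.set(tt, (byName = new Map()));
  if (byName.has(name)) return byName.get(name); // avoid duplicate createPolicy calls
  let policy;
  try {
    // Pass-through policy: it vouches for whatever it is given, so only
    // markup built by the tool itself should be routed through it.
    policy = tt.createPolicy(name, { createHTML: (html) => html });
  } catch (err) {
    // A CSP `trusted-types` directive that does not list this name (or that
    // forbids duplicates) makes createPolicy throw; use the page's default
    // policy if it defined one.
    policy = tt.defaultPolicy || null;
    if (!policy) {
      throw new Error(`Trusted Types policy "${name}" rejected: ${err.message}`);
    }
  }
  byName.set(name, policy);
  return policy;
}

// Drop-in for el.insertAdjacentHTML(position, html) on enforcing pages.
function insertHtml(el, position, html, policyName = 'eruda', tt = globalThis.trustedTypes) {
  const policy = getHtmlPolicy(policyName, tt);
  el.insertAdjacentHTML(position, policy ? policy.createHTML(html) : html);
}
```

The same wrapping applies to `innerHTML` assignments: assign `policy.createHTML(html)` instead of the raw string.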