w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

Should SVGScriptElement have an IDL way to set a trusted script value? #512

Open lukewarlow opened 1 month ago

lukewarlow commented 1 month ago

Currently I don't believe there's any sanctioned way to update the contents of an SVG script element (assuming https://github.com/w3c/trusted-types/issues/483 is done so the protection covers them too).

The spec says that we recommend authors use script.textContent, script.innerText or script.text for updating the contents of a script element with a trusted object. Should the same not also hold true for an SVG script element?

As far as I can see, this isn't just a spec issue; it's also missing from Chrome's implementation.

It would seem to make sense to shadow Node.textContent to the SVGScriptElement type?

lukewarlow commented 1 month ago

(Setting to v2 as it's not a mechanism shipped in Chromium that needs speccing, so isn't urgent)

annevk commented 1 month ago

We should probably define some kind of mixin the two script elements can share. But this doesn't seem like a high priority as you can just use the HTML script element in all cases.
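
The pattern the thread refers to, setting an HTML script element's contents through a Trusted Types policy, as an added example that is not part of the issue, the spec text or any participant's comment. The policy name `inline-script`, the `isAllowed` callback and the sample source string are assumptions made for illustration.

```javascript
// Added example; not code from the spec or from this issue thread.
// Hypothetical names: the 'inline-script' policy and the isAllowed callback.
const HTML_NS = 'http://www.w3.org/1999/xhtml';

// tt is a TrustedTypePolicyFactory (window.trustedTypes in a supporting browser).
function makeScriptSetter(tt, isAllowed) {
  const policy = tt.createPolicy('inline-script', {
    // Runs on every createScript() call; throwing here blocks the assignment.
    createScript(source) {
      if (!isAllowed(source)) {
        throw new TypeError('script source rejected by policy');
      }
      return source;
    },
  });

  return function setScriptText(el, source) {
    // Only the HTML script element is handled: the thread notes that the SVG
    // script element has no sanctioned setter for a trusted value.
    if (el.namespaceURI !== HTML_NS || el.localName !== 'script') {
      throw new TypeError('expected an HTML <script> element');
    }
    // script.text is one of the three setters the spec recommends.
    el.text = policy.createScript(source);
    return el;
  };
}

// Browser usage, guarded so the file also loads where the API is missing.
if (typeof trustedTypes !== 'undefined' && typeof document !== 'undefined') {
  const allowed = new Set(['window.appReady = true;']); // constructed sample
  const setScriptText = makeScriptSetter(trustedTypes, (s) => allowed.has(s));
  const el = setScriptText(document.createElement('script'), 'window.appReady = true;');
  document.head.appendChild(el);
}
```

Keeping the allow-list check inside the policy's `createScript` means every script string passes through one reviewable function before it reaches the sink.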