Open mbrodesser-Igalia opened 2 months ago
https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 1 currently specifies "If input has type expectedType". What does that mean? It seems isHTML (https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-ishtml) / isScript / isScriptURL should be invoked.
The callers of "Get Trusted Type compliant string", e.g. someElement.insertAdjacentHTML (https://html.spec.whatwg.org/#dom-parsing-and-serialization:dom-element-insertadjacenthtml), don't check that either, so it should be checked somewhere.