w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

How can policyValue be 'undefined'? #540

Open smaug---- opened 3 months ago

smaug---- commented 3 months ago

https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-process-value-with-a-default-policy step 4: the callbacks are WebIDL callbacks, so the return value is DOMString? or USVString?, no?

https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm seems to then check for undefined too.

@mbrodesser-Igalia @lukewarlow @koto

lukewarlow commented 3 months ago

Yeah, I think you're right; the undefined would become null through the IDL conversions.

petervanderbeken commented 3 months ago

I've commented on this before (https://github.com/w3c/trusted-types/pull/527/files#r1645882026); these algorithms need to start using https://webidl.spec.whatwg.org/#invoke-a-callback-function
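A small JavaScript model of the conversion the thread is discussing, added here as an example and not code from the Trusted Types spec or repository: `toNullableDOMString` stands in for the WebIDL conversion of a nullable string return type (`DOMString?` / `USVString?`), and the other functions are hypothetical, simplified stand-ins for the spec's "process value with a default policy" and "get trusted type compliant string" algorithms, assuming an enforcing `require-trusted-types-for 'script'` setup in which a null result throws a TypeError. It shows why the `undefined` check is unreachable after conversion: a default policy callback that forgets to return a value lands on the same path as one that returns `null`, and the assignment is blocked either way.

```javascript
// Added example (not part of w3c/trusted-types): a Node.js model of how a
// default policy's return value flows through WebIDL conversion. The real
// browser API is window.trustedTypes; everything below is a stand-in.

// WebIDL conversion for a nullable string type (DOMString? / USVString?):
// both `undefined` and `null` convert to null; anything else stringifies.
function toNullableDOMString(value) {
  if (value === undefined || value === null) return null;
  return String(value);
}

// Minimal stand-in for a TrustedHTML object created by a policy.
class TrustedHTMLStub {
  constructor(str) { this.str = str; }
  toString() { return this.str; }
}

// Model of "process value with a default policy": call the default policy's
// createHTML callback, run its return value through the IDL conversion, and
// yield null when the converted value is null. Note that `undefined` has
// already collapsed to null by the time policyValue is inspected.
function processValueWithDefaultPolicy(defaultPolicy, input, sink) {
  if (!defaultPolicy) return null;
  const raw = defaultPolicy.createHTML(input, 'TrustedHTML', sink);
  const policyValue = toNullableDOMString(raw);
  if (policyValue === null) return null;
  return new TrustedHTMLStub(policyValue);
}

// Model of "get trusted type compliant string" under an enforcing policy:
// a TrustedHTML value passes through; a plain string goes to the default
// policy; a null result from the default policy blocks the sink.
function getTrustedTypeCompliantString(defaultPolicy, input, sink) {
  if (input instanceof TrustedHTMLStub) return input.toString();
  const converted = processValueWithDefaultPolicy(defaultPolicy, input, sink);
  if (converted === null) {
    throw new TypeError(`Trusted Types: assignment to ${sink} blocked`);
  }
  return converted.toString();
}

// Three constructed default policies to exercise the paths above.
// 1. Escapes '<' so the string can never start a tag (a deliberately
//    minimal transform, not a full sanitizer).
const escapingPolicy = {
  createHTML: (input) => input.replace(/</g, '&lt;'),
};
// 2. A buggy policy that logs but forgets to return: the callback yields
//    `undefined`, which the IDL layer turns into null.
const forgetfulPolicy = {
  createHTML: (input, type, sink) => { void `${type} for ${sink}: ${input}`; },
};
// 3. A policy that deliberately rejects everything by returning null.
const rejectingPolicy = {
  createHTML: () => null,
};

// Wrap an assignment attempt so callers can inspect the outcome.
function tryAssign(defaultPolicy, input) {
  try {
    const value = getTrustedTypeCompliantString(defaultPolicy, input, 'Element innerHTML');
    return { ok: true, value };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Demonstration: only the escaping policy lets a string through; the
// forgetful and rejecting policies are indistinguishable after conversion.
for (const [name, policy] of [
  ['escaping', escapingPolicy],
  ['forgetful', forgetfulPolicy],
  ['rejecting', rejectingPolicy],
  ['no default policy', null],
]) {
  console.log(name, JSON.stringify(tryAssign(policy, '<img src=x onerror=alert(1)>')));
}
```

Running it prints one line per policy; the "forgetful" and "rejecting" cases both report a `TypeError`, which is the behaviour the thread expects once the callback's return value has gone through the nullable-string conversion.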