w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

"Get Trusted Type compliant string" is called with "script" instead of "'script'" #542

Open mbrodesser-Igalia opened 1 month ago

mbrodesser-Igalia commented 1 month ago

E.g. from https://html.spec.whatwg.org/#the-insertadjacenthtml()-method.

"Get Trusted Type compliant string" [1] invokes "Should sink type mismatch violation be blocked by Content Security Policy?" [2]. The latter checks for a match of the sinkGroup in step 2.3, which refers to [3] which contains "'sink'".

[1] https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm
[2] https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-should-sink-type-mismatch-violation-be-blocked-by-content-security-policy
[3] https://w3c.github.io/trusted-types/dist/spec/#trusted-types-sink-group
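An added example, not part of this issue or of the spec text: a small JavaScript model of the "Should sink type mismatch violation be blocked by Content Security Policy?" check the reporter describes, showing why the sink group string passed in must be the quoted keyword. The policy object shape, the "enforce"/"report" disposition strings and the helper names are assumptions made for illustration.

```javascript
// Added example (not the spec's or the project's own code): a simplified
// model of the CSP check invoked by "Get Trusted Type compliant string".

// Parse a serialized CSP header value into {name, value[]} directives.
// The disposition ("enforce" or "report") is modelled as a plain string.
function parseCsp(headerValue, disposition) {
  const directives = headerValue
    .split(';')
    .map(s => s.trim())
    .filter(Boolean)
    .map(d => {
      const [name, ...value] = d.split(/\s+/);
      return { name: name.toLowerCase(), value };
    });
  return { directives, disposition };
}

// Returns "Blocked" if any enforcing policy requires Trusted Types for the
// given sink group, otherwise "Allowed" (report-only policies never block).
function shouldSinkTypeMismatchViolationBeBlocked(cspList, sinkGroup) {
  let result = 'Allowed';
  for (const policy of cspList) {
    const directive = policy.directives.find(
      d => d.name === 'require-trusted-types-for'
    );
    if (!directive) continue;
    // The step the issue refers to: the directive value must contain the
    // sink group, and the sink group defined by the spec is "'script'",
    // quotes included. A bare "script" therefore never matches.
    if (!directive.value.includes(sinkGroup)) continue;
    // A violation object would be created and reported here; only an
    // enforcing policy turns the result into "Blocked".
    if (policy.disposition === 'enforce') result = 'Blocked';
  }
  return result;
}

// Constructed input: one enforcing policy requiring Trusted Types for scripts.
const enforcingCsp = [parseCsp("require-trusted-types-for 'script'", 'enforce')];
const reportOnlyCsp = [parseCsp("require-trusted-types-for 'script'", 'report')];

// Sink group as written in the spec: the plain-string sink use is blocked.
const withQuotes = shouldSinkTypeMismatchViolationBeBlocked(enforcingCsp, "'script'");
// Sink group as written in the HTML spec text this issue points at: no
// match, so the check silently lets the untrusted string through.
const withoutQuotes = shouldSinkTypeMismatchViolationBeBlocked(enforcingCsp, 'script');
// Report-only policies match but do not block.
const reportOnly = shouldSinkTypeMismatchViolationBeBlocked(reportOnlyCsp, "'script'");
```

The mismatch is the practical point of the issue: an implementation that followed the unquoted wording literally would report and enforce nothing for that sink.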

petervanderbeken commented 1 month ago

"script" instead of "'script'"