DefinitelyTyped
feat(@types/react): add Trusted Types support for {ScriptHTMLAttributes, SVGAttributes, IframeHTMLAttributes}
Align React's DOM/JSX type definitions with the W3C Trusted Types specification to improve type safety and help prevent DOM-based Cross-Site Scripting (XSS) vulnerabilities at compile time.
RATIONALE:
Trusted Types is a Web browser security feature that helps prevent DOM XSS by ensuring that potentially dangerous DOM "sinks" (functions or properties like innerHTML or script.src) only accept values that have been explicitly vetted and marked as trusted.
- Sink: A DOM property or function that can execute arbitrary code or render HTML if passed unsanitized strings (e.g., `innerHTML`, `script.src`, `iframe.srcdoc`, `eval`).
- TrustedHTML: Represents an HTML string that is safe to insert into an HTML sink.
- TrustedScript: Represents a JavaScript code string that is safe to execute in a script sink.
- TrustedScriptURL: Represents a URL string that is safe to use as the source for loading executable script code.
CHANGELOG:
- Defined `TrustedScript` and `TrustedScriptURL` interfaces in `global.d.ts` (alongside the existing `TrustedHTML`).
- The `srcDoc` attribute (e.g. `IframeHTMLAttributes`) now accepts `TrustedHTML`.
- The `src` attribute on `ScriptHTMLAttributes` now accepts `TrustedScriptURL`.
- The `href` and `xlinkHref` attributes on `SVGAttributes` accept `TrustedScriptURL`.
This allows developers using environments where Trusted Types are enforced (via Content Security Policy) to pass Trusted Type objects directly to these props without type errors, encouraging safer coding practices.
REFERENCES:
Please fill in this template.
- [x] Use a meaningful title for the pull request. Include the name of the package modified.
- [x] Test the change in your own code. (Compile and run.)
- [x] Add or edit tests to reflect the change.
- [x] Follow the advice from the readme.
- [x] Avoid common mistakes.
- [x] Run `pnpm test <package to test>`.
If changing an existing definition:
- [x] Provide a URL to documentation or source code which provides context for the suggested changes: W3C Trusted Types
- [ ] If this PR brings the type definitions up to date with a new version of the JS library, update the version number in the `package.json`.
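The mechanism the PR description relies on, as an added example in TypeScript that is not code from the PR or from @types/react: a minimal model of the three Trusted Types value kinds, a policy that mints them, prop types shaped like the ones the PR widens, and a script-URL sink that behaves as a browser does with and without CSP enforcement. `TrustedValue`, `createPolicy`, `resolveScriptSrc`, the `react-props-demo` policy and the `static.example.test` origin are stand-ins and constructed sample values, not the browser's or React's own names.

```typescript
// Added example, not code from the PR or from @types/react: a minimal model of
// Trusted Types (stand-in names TrustedValue, createPolicy, resolveScriptSrc)
// beside React-style prop types shaped like the ones the PR widens.
export {};

type TrustedKind = "TrustedHTML" | "TrustedScript" | "TrustedScriptURL";

// Stand-in for the browser's TrustedHTML / TrustedScript / TrustedScriptURL objects.
// The private constructor means a value can only be minted through a policy, and
// toString()/toJSON() return the vetted payload as the spec requires, so code that
// stringifies attribute values still receives the checked string.
class TrustedValue<K extends TrustedKind> {
  private constructor(readonly kind: K, private readonly data: string) {}
  toString(): string { return this.data; }
  toJSON(): string { return this.data; }
  static mint<K extends TrustedKind>(kind: K, data: string): TrustedValue<K> {
    return new TrustedValue(kind, data);
  }
}
type TrustedHTMLValue = TrustedValue<"TrustedHTML">;
type TrustedScriptValue = TrustedValue<"TrustedScript">;
type TrustedScriptURLValue = TrustedValue<"TrustedScriptURL">;

// Rules handed to the policy, in the shape trustedTypes.createPolicy() takes.
interface PolicyRules {
  createHTML?: (input: string) => string;
  createScript?: (input: string) => string;
  createScriptURL?: (input: string) => string;
}
interface Policy {
  readonly name: string;
  createHTML(input: string): TrustedHTMLValue;
  createScript(input: string): TrustedScriptValue;
  createScriptURL(input: string): TrustedScriptURLValue;
}

function createPolicy(name: string, rules: PolicyRules): Policy {
  // Asking a policy for a kind it defines no rule for throws, as the spec mandates.
  function apply<K extends TrustedKind>(kind: K, rule: ((s: string) => string) | undefined, input: string): TrustedValue<K> {
    if (!rule) throw new TypeError(`Policy "${name}" defines no ${kind} rule`);
    return TrustedValue.mint(kind, rule(input));
  }
  return {
    name,
    createHTML: (input) => apply("TrustedHTML", rules.createHTML, input),
    createScript: (input) => apply("TrustedScript", rules.createScript, input),
    createScriptURL: (input) => apply("TrustedScriptURL", rules.createScriptURL, input),
  };
}

// Prop types shaped like the ones the PR widens: the union is what lets a
// policy-minted value be passed as a prop without a type error.
interface ScriptHTMLAttributes { src?: string | TrustedScriptURLValue }
interface IframeHTMLAttributes { srcDoc?: string | TrustedHTMLValue }
interface SVGAttributes { href?: string | TrustedScriptURLValue; xlinkHref?: string | TrustedScriptURLValue }

// Models the browser at a script-URL sink. With the CSP directive
// `require-trusted-types-for 'script'` enforced, a TrustedScriptURL is unwrapped
// and a plain string is refused with a TypeError instead of being loaded; without
// enforcement the string passes through unchanged, as before Trusted Types existed.
function resolveScriptSrc(props: ScriptHTMLAttributes, enforced: boolean): string | undefined {
  const { src } = props;
  if (src === undefined) return undefined;
  if (src instanceof TrustedValue) return src.toString();
  if (enforced) throw new TypeError("This document requires 'TrustedScriptURL' assignment.");
  return src;
}

// Constructed sample policy: script URLs must sit under one allow-listed origin and
// HTML is reduced to escaped text (a real policy would call a proper sanitizer).
const ALLOWED_SCRIPT_PREFIX = "https://static.example.test/";
const policy = createPolicy("react-props-demo", {
  createScriptURL: (url) => {
    if (!url.startsWith(ALLOWED_SCRIPT_PREFIX)) throw new TypeError(`Refused script URL: ${url}`);
    return url;
  },
  createHTML: (html) => html.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`),
});

function demo() {
  const trustedSrc = policy.createScriptURL("https://static.example.test/app.js");
  const iframe: IframeHTMLAttributes = { srcDoc: policy.createHTML("<b>x</b>") };
  const svg: SVGAttributes = { href: trustedSrc, xlinkHref: trustedSrc };
  const throws = (fn: () => unknown): boolean => { try { fn(); return false; } catch (e) { return e instanceof TypeError; } };
  return {
    // The typed prop accepts the trusted object and the enforcing sink unwraps it.
    accepted: resolveScriptSrc({ src: trustedSrc }, true),
    // Stringifying the object (what a library doing `'' + value` sees) yields the vetted URL.
    stringified: `${trustedSrc}`,
    svgHref: String(svg.xlinkHref),
    // The same URL as a bare string is refused once enforcement is on ...
    plainStringRejected: throws(() => resolveScriptSrc({ src: "https://static.example.test/app.js" }, true)),
    // ... but still passes when the CSP does not require Trusted Types.
    plainStringLegacy: resolveScriptSrc({ src: "https://static.example.test/app.js" }, false),
    // The policy refuses an off-origin URL, so no trusted value can exist for it.
    offOriginRefused: throws(() => policy.createScriptURL("https://cdn.example.invalid/app.js")),
    // No createScript rule was defined, so asking for a TrustedScript throws.
    missingRuleThrows: throws(() => policy.createScript("console.log('hi')")),
    // srcDoc receives escaped text rather than markup.
    srcDoc: String(iframe.srcDoc),
  };
}
```

The widened prop types only remove the compile-time friction; the runtime guarantee comes from the policy (which decides what may become trusted) and from the browser's sink enforcement under `require-trusted-types-for 'script'`, which is what `resolveScriptSrc` imitates.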
@yesudeep Thank you for submitting this PR! I see this is your first time submitting to DefinitelyTyped 👋 — I'm the local bot who will help you through the process of getting things through.
This is a live comment that I will keep updated.
1 package in this PR
Code Reviews
Because this is a widely-used package, a DT maintainer will need to review it before it can be merged.
You can test the changes of this PR in the Playground.
Status
- ✅ No merge conflicts
- ✅ Continuous integration tests have passed
- 🕐 Most recent commit is approved by a DT maintainer
Once every item on this list is checked, I'll ask you for permission to merge and publish the changes.
Inactive
This PR has been inactive for 23 days — it is considered nearly abandoned!
Diagnostic Information: What the bot saw about this PR
{
"type": "info",
"now": "-",
"pr_number": 72609,
"author": "yesudeep",
"headCommitOid": "d09374bc42d4a24794a6734229b2053dc53f174c",
"mergeBaseOid": "1ba22ccfabc63d96ea75922df24043a9cbccf147",
"lastPushDate": "2025-04-26T08:31:52.000Z",
"lastActivityDate": "2025-06-10T10:57:46.000Z",
"hasMergeConflict": false,
"isFirstContribution": true,
"tooManyFiles": false,
"hugeChange": false,
"popularityLevel": "Critical",
"pkgInfo": [
{
"name": "react",
"kind": "edit",
"files": [
{
"path": "types/react/global.d.ts",
"kind": "definition"
},
{
"path": "types/react/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/test/index.ts",
"kind": "test"
},
{
"path": "types/react/ts5.0/global.d.ts",
"kind": "definition"
},
{
"path": "types/react/ts5.0/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/ts5.0/v18/global.d.ts",
"kind": "definition"
},
{
"path": "types/react/ts5.0/v18/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/ts5.0/v18/test/index.ts",
"kind": "test"
},
{
"path": "types/react/ts5.0/v18/ts5.0/global.d.ts",
"kind": "definition"
},
{
"path": "types/react/ts5.0/v18/ts5.0/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/ts5.0/v18/ts5.0/test/index.ts",
"kind": "test"
},
{
"path": "types/react/v16/global.d.ts",
"kind": "definition"
},
{
"path": "types/react/v16/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/v16/test/index.ts",
"kind": "test"
},
{
"path": "types/react/v17/global.d.ts",
"kind": "definition"
},
{
"path": "types/react/v17/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/v17/test/index.ts",
"kind": "test"
},
{
"path": "types/react/v18/global.d.ts",
"kind": "definition"
},
{
"path": "types/react/v18/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/v18/test/index.ts",
"kind": "test"
},
{
"path": "types/react/v18/ts5.0/global.d.ts",
"kind": "definition"
},
{
"path": "types/react/v18/ts5.0/index.d.ts",
"kind": "definition"
},
{
"path": "types/react/v18/ts5.0/test/index.ts",
"kind": "test"
}
],
"owners": [
"johnnyreilly",
"bbenezech",
"pzavolinsky",
"ericanderson",
"DovydasNavickas",
"theruther4d",
"guilhermehubner",
"ferdaber",
"jrakotoharisoa",
"pascaloliv",
"hotell",
"franklixuefei",
"Jessidhia",
"saranshkataria",
"lukyth",
"eps1lon",
"zieka",
"dancerphil",
"dimitropoulos",
"disjukr",
"vhfmag",
"priyanshurav",
"Semigradsky",
"mattpocock"
],
"addedOwners": [],
"deletedOwners": [],
"popularityLevel": "Critical"
}
],
"reviews": [
{
"type": "changereq",
"reviewer": "eps1lon",
"date": "2025-06-10T10:57:46.000Z"
},
{
"type": "approved",
"reviewer": "melissamforbs",
"date": "2025-05-08T07:31:17.000Z",
"isMaintainer": false
}
],
"mainBotCommentID": 2831972232,
"ciResult": "pass"
}
🔔 @johnnyreilly @bbenezech @pzavolinsky @ericanderson @DovydasNavickas @theruther4d @guilhermehubner @ferdaber @jrakotoharisoa @pascaloliv @hotell @franklixuefei @Jessidhia @saranshkataria @lukyth @eps1lon @zieka @dancerphil @dimitropoulos @disjukr @vhfmag @priyanshurav @Semigradsky @mattpocock — please review this PR in the next few days. Be sure to explicitly select Approve or Request Changes in the GitHub UI so I know what's going on.
@typescript-bot added tests.
We only added trusted types support to React 19. Are you sure this works for all the versions you added?
@eps1lon we've been using a patched @types/react internally with React 18 and Next.js to support Trusted Types. We haven't used it with React 17 or older. Do you prefer avoiding these changes for older versions of React? I can revert these changes for them.
> we've been using a patched @types/react internally with React 18 and Next.js to support Trusted Types
But is React 18 actually supporting trusted types or does it just work by virtue of calling toString on the trusted types?
Re-ping @johnnyreilly, @bbenezech, @pzavolinsky, @ericanderson, @DovydasNavickas, @theruther4d, @guilhermehubner, @ferdaber, @jrakotoharisoa, @pascaloliv, @hotell, @franklixuefei, @Jessidhia, @saranshkataria, @lukyth, @eps1lon, @zieka, @dancerphil, @dimitropoulos, @disjukr, @vhfmag, @priyanshurav, @Semigradsky, @mattpocock:
This PR has been out for over a week, yet I haven't seen any reviews.
Could someone please give it some attention? Thanks!
It has been more than two weeks and this PR still has no reviews.
I'll bump it to the DT maintainer queue. Thank you for your patience, @yesudeep.
(Ping @johnnyreilly, @bbenezech, @pzavolinsky, @ericanderson, @DovydasNavickas, @theruther4d, @guilhermehubner, @ferdaber, @jrakotoharisoa, @pascaloliv, @hotell, @franklixuefei, @Jessidhia, @saranshkataria, @lukyth, @eps1lon, @zieka, @dancerphil, @dimitropoulos, @disjukr, @vhfmag, @priyanshurav, @Semigradsky, @mattpocock.)
This just declares some global interfaces and allows them to be passed, but without those interfaces existing globally, they'll allow anything to be assigned to them (AFAIK). Are these types declared in the globals via DOM or something already?
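The concern raised in this comment, as an added TypeScript example that is not part of the thread: an interface with no members is satisfied by any non-nullish value under structural typing, so a declaration-only `TrustedScriptURL` that nothing fleshes out would let a plain string through the widened prop. A brand member closes that at compile time, but the brand is erased at runtime, so the example also shows that a runtime check has to come from somewhere else. `LooseTrustedScriptURL`, `BrandedTrustedScriptURL`, `mintScriptURL` and `isTrustedScriptURL` are names chosen for this example, not from lib.dom or @types/react.

```typescript
// Added example, not from the PR thread: why an empty interface gives no type safety.
export {};

// No required members, so any non-nullish value, a plain string included, satisfies it.
interface LooseTrustedScriptURL {}

// A brand that plain strings lack makes the compiler reject them.
interface BrandedTrustedScriptURL {
  readonly __brand: "TrustedScriptURL";
  toString(): string;
}

// Each constant is typed by a conditional type, so this function only compiles if
// the answers are exactly as written; at runtime they are ordinary booleans.
function compileTimeAcceptance() {
  const looseAcceptsString: string extends LooseTrustedScriptURL ? true : false = true;
  const brandedAcceptsString: string extends BrandedTrustedScriptURL ? true : false = false;
  return { looseAcceptsString, brandedAcceptsString };
}

// Runtime registry of values this module minted; the browser keeps the equivalent
// knowledge itself and exposes it as trustedTypes.isScriptURL().
const minted = new WeakSet<object>();

function mintScriptURL(url: string): BrandedTrustedScriptURL {
  const value: BrandedTrustedScriptURL = { __brand: "TrustedScriptURL", toString: () => url };
  minted.add(value);
  return value;
}

function isTrustedScriptURL(value: unknown): value is BrandedTrustedScriptURL {
  return typeof value === "object" && value !== null && minted.has(value);
}

// An object literal with the right shape satisfies the *type* (the brand is a
// compile-time device only), yet the runtime guard does not accept it: type brands
// document intent, they do not enforce it.
function shapeAloneIsNotTrust(): boolean {
  const lookalike: BrandedTrustedScriptURL = { __brand: "TrustedScriptURL", toString: () => "https://static.example.test/x.js" };
  return isTrustedScriptURL(lookalike) === false && isTrustedScriptURL(mintScriptURL("https://static.example.test/x.js"));
}
```

Both halves matter for the PR: the compile-time half is why the interfaces must actually be declared with members somewhere (lib.dom or @types/trusted-types) rather than merely named, and the runtime half is why the type change alone does nothing unless the page also enforces Trusted Types through CSP.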
@yesudeep One or more reviewers has requested changes. Please address their comments. I'll be back once they sign off or you've pushed new commits. Thank you!
@yesudeep I haven't seen any activity on this PR in more than three weeks, and it still has problems that prevent it from being merged. The PR will be closed on Jul 10th (in a week) if the issues aren't addressed.
@typescript-bot parking this PR temporarily. Will take a look at it again in a few days.