
Should "Get Trusted Type compliant string" check `isHTML`/`isScript`/`isScriptURL`?

Open mbrodesser-Igalia opened this issue 7 months ago • 0 comments

https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 1 currently specifies "If input has type expectedType". What does that mean? It seems isHTML (https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-ishtml) / isScript / isScriptURL should be invoked.

The callers of "Get Trusted Type compliant string", e.g. `someElement.insertAdjacentHTML` (https://html.spec.whatwg.org/#dom-parsing-and-serialization:dom-element-insertadjacenthtml), don't check that either, so it should be checked somewhere.

mbrodesser-Igalia, Jul 11 '24 10:07
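
The distinction the issue raises, as an added example that is not part of the original issue, the spec, or any browser's code: a simplified model that runs step 1 under two readings of "has type", a prototype-chain test and a brand check like the one `isHTML` is specified to perform (instance plus associated data). All names here (`ModelTrustedHTML`, `policyData`, `createPolicy`, `getCompliantString`, `demo`) are hypothetical, and the later steps of the algorithm are collapsed into a `TypeError`.

```javascript
// Model only: the WeakMap stands in for the "associated data" that is set
// when a policy creates a value. All names are hypothetical.
const policyData = new WeakMap();

class ModelTrustedHTML {
  toString() {
    if (!policyData.has(this)) throw new TypeError("no associated data");
    return policyData.get(this);
  }
}

function createPolicy(rules) {
  return {
    createHTML(input) {
      const value = Object.freeze(new ModelTrustedHTML());
      policyData.set(value, String(rules.createHTML(String(input))));
      return value;
    },
  };
}

// Reading A: "has type" taken as a prototype-chain test.
const byPrototype = (v) => v instanceof ModelTrustedHTML;
// Reading B: a brand check, as isHTML is specified (instance + associated data).
const isHTML = (v) => v instanceof ModelTrustedHTML && policyData.has(v);

// Step 1 under a chosen reading; the remaining steps (default policy, CSP
// enforcement) are collapsed into a TypeError for brevity.
function getCompliantString(input, hasExpectedType) {
  if (hasExpectedType(input)) return String(input);
  throw new TypeError("sink requires TrustedHTML");
}

function demo() {
  const policy = createPolicy({ createHTML: (s) => s.replace(/</g, "&lt;") });
  const genuine = policy.createHTML("<b>hi</b>");
  // Constructed look-alike: right prototype, never passed through a policy.
  const lookalike = Object.create(ModelTrustedHTML.prototype, {
    toString: { value: () => "<b>unvetted</b>" },
  });
  const attempt = (v, check) => {
    try { return getCompliantString(v, check); } catch (e) { return e.name; }
  };
  return {
    genuineA: attempt(genuine, byPrototype), genuineB: attempt(genuine, isHTML),
    lookalikeA: attempt(lookalike, byPrototype), lookalikeB: attempt(lookalike, isHTML),
  };
}

console.log(demo());
```

In this model only the brand-check reading rejects the value that never passed through a policy; both readings accept the policy-created one.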