Use TrustedTypes when setting innerHTML #401

Open
nolanlawson opened this issue Mar 2, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@nolanlawson
Owner

We set innerHTML here:

const template = document.createElement('template')
template.innerHTML = htmlString

This string is inherently safe because it's authored in this codebase and does not include any user-supplied data. However, if a server has a Trusted Types CSP policy, it would throw an error here.

One strategy Lit uses is to set their own custom TrustedTypes policy: lit/lit#1772

I'm a little hesitant to do this though until the API gains wider browser adoption. It's been Chromium-only for years, and the standards positions from WebKit/Firefox seem inconclusive: WebKit/standards-positions#186 mozilla/standards-positions#20

@nolanlawson nolanlawson added the enhancement New feature or request label Mar 2, 2024
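The custom-policy strategy mentioned in the issue, sketched as an added example (not code from this project or from Lit). The names `POLICY_NAME`, `makeHtmlWrapper` and `createTemplate` are hypothetical, and the policy name would have to be allowed by the site's `trusted-types` CSP directive.

```javascript
// Added example. Assumed CSP on the hosting page (policy name is hypothetical):
//   Content-Security-Policy: require-trusted-types-for 'script';
//                            trusted-types static-template-html
const POLICY_NAME = 'static-template-html'

// Build the wrapper once at module init: createPolicy() throws on a duplicate
// name unless the CSP also lists 'allow-duplicates'.
function makeHtmlWrapper (trustedTypes = globalThis.trustedTypes) {
  if (!trustedTypes || typeof trustedTypes.createPolicy !== 'function') {
    // Browser without Trusted Types: the innerHTML sink accepts plain strings.
    return html => html
  }
  let policy
  try {
    policy = trustedTypes.createPolicy(POLICY_NAME, {
      // Pass-through is only acceptable because every caller supplies markup
      // authored in the codebase. Never route user-supplied data through it.
      createHTML: html => html
    })
  } catch (err) {
    // The CSP does not allow this policy name. Return plain strings and let
    // the sink decide: it still works when enforcement is off, and fails
    // loudly (TypeError) when enforcement is on.
    return html => html
  }
  return html => policy.createHTML(html)
}

// Same two lines as in the issue, with the string wrapped before the sink.
function createTemplate (htmlString, toHtml, doc = globalThis.document) {
  const template = doc.createElement('template')
  template.innerHTML = toHtml(htmlString)
  return template
}
```

Because the policy is a pass-through, it is worth keeping `makeHtmlWrapper` module-private so that no other code on the page can use it to launder untrusted strings.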