Trusted Types Sink violation with empty input and NAMESPACE

[tosmolka]

Bug

DOMPurify produces unnecessary Trusted Types Sink violation when called with empty input and NAMESPACE option.

Input

<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
        <script src="https://cdn.jsdelivr.net/npm/dompurify/dist/purify.js"></script>
    </head>
    <body>
        <script>
          DOMPurify.sanitize("", {NAMESPACE: "http://www.w3.org/2000/svg"});
        </script>
    </body>
</html>

Given output

Following line produces Trusted Types Sink violation as it tries to assign raw string into Element.innerHTML sink:

DOMPurify/src/purify.js

Line 847 in 4945074

doc.documentElement.innerHTML = IS_EMPTY_INPUT ? '' : dirtyPayload;

Expected output

DOMPurify uses TrustedHTML instead of raw string and no Trusted Types Sink violation is produced