Skip to content

support TRUSTED_TYPES_POLICY configuration option#800

Merged
cure53 merged 1 commit intocure53:mainfrom
dejang:configurable-trusted-types-policy
May 2, 2023
Merged

support TRUSTED_TYPES_POLICY configuration option#800
cure53 merged 1 commit intocure53:mainfrom
dejang:configurable-trusted-types-policy

Conversation

@dejang
Copy link
Copy Markdown
Contributor

@dejang dejang commented May 1, 2023

Summary

Introducing a new configuration option to allow more flexibility for DOMPurify when used in larger applications which need to handle multiple DOMPurify instances or when allowing a 'dompurify' policy, which DOMPurify attempts to create internally on startup, is not an option.

Background & Context

The feature has been described in #798.
The existing behavior has been maintained, DOMPurify will still try to create its internal policy.

Tasks

  • validate internal 'dompurify' policy is created
  • create a custom TrustedTypes policy. Call DOMPurify.sanitize('<img />', {TRUSTED_TYPES_POLICY: yourPolicy}) and validate call count for the policy method createHTML is 2 (one for emptyHTML and one when initDocument is called)
  • create a custom TrustedTypes policy. Call DOMPurify.sanitize('<img />', {TRUSTED_TYPES_POLICY: yourPolicy, RETURN_TRUSTED_TYPE: true }) and validate call count for the policy method createHTML is 3 (one for emptyHTML, one for initDocument, one for return value)
  • create a custom TrustedTypes policy. Create a new instance of DOMPurify and use .setConfig({TRUSTED_TYPES_POLICY: yourPolicy}) to configure the policy only. Call sanitize('<img />') on the new instance and validate call count for the policy method createHTML is 2 (one for emptyHTML and one when initDocument is called)
  • create a custom TrustedTypes policy. Create a new instance of DOMPurify and use .setConfig({TRUSTED_TYPES_POLICY: yourPolicy, RETURN_TRUSTED_TYPE: true }) to configure the policy and return type to be a TrustedType. Call sanitize('<img />') and validate call count for the policy method createHTML is 3 (one for emptyHTML, one for initDocument, one for return value)

@dejang dejang force-pushed the configurable-trusted-types-policy branch from 9a49d6b to 8dc24e4 Compare May 1, 2023 15:59
caridy
caridy reviewed May 1, 2023
View reviewed changes
Copy link
Copy Markdown

@caridy caridy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cure53
Copy link
Copy Markdown
Owner

cure53 commented May 2, 2023

This looks fantastic, thanks :)

@cure53 cure53 merged commit bb04683 into cure53:main May 2, 2023
@dejang dejang mentioned this pull request May 3, 2023
Merged
StefanNo1

This comment was marked as spam.

Sign in to view

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@caridy caridy caridy left review comments

@StefanNo1 StefanNo1 StefanNo1 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dejang @cure53 @caridy @StefanNo1