TrustedTypePolicy: createHTML() method
Limited availability
This feature is not Baseline because it does not work in some of the most widely-used browsers.
Note: This feature is available in Web Workers.
The createHTML() method of the TrustedTypePolicy interface creates a TrustedHTML object using a policy created by TrustedTypePolicyFactory.createPolicy().
Syntax
js
createHTML(input)
createHTML(input, args)
Parameters
input-
A string containing the string to be sanitized by the policy.
argsOptional-
Additional arguments to be passed to the function represented by
TrustedTypePolicy.
Return value
A TrustedHTML object.
Exceptions
TypeError-
Thrown if
TrustedTypePolicydoes not contain a function to run on the input.
Examples
In the below example a string containing a potentially dangerous script is used as the input for createHTML(). Dangerous code inserted by a user could then be sanitized before insertion into any injection sink.
js
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
Specifications
| Specification |
|---|
| Trusted Types # dom-trustedtypepolicy-createhtml |