TrustedTypePolicy.createHTML()
The createHTML()
method of the TrustedTypePolicy
interface creates a TrustedHTML
object using a policy created by TrustedTypePolicyFactory.createPolicy()
.
Syntax
var str = TrustedTypePolicy.createHTML(input[,args]);
Parameters
input
- A
DOMString
containing the string to be sanitized by the policy. args
Optional- Additional arguments to be passed to the function represented by
TrustedTypePolicy
.
Return value
A TrustedHTML
object.
Exceptions
TypeError
- Thrown if
TrustedTypePolicy
does not contain a function to run on the input.
Examples
In the below example a string containing a potentially dangerous script is used as the input for createHTML()
. Dangerous code inserted by a user could then be sanitized before insertion into any injection sink.
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
Specifications
Specification | Status | Comment |
---|---|---|
Trusted Types The definition of 'TrustedTypePolicy.createHTML()' in that specification. |
Editor's Draft | Initial definition. |
Browser compatibility
BCD tables only load in the browser