TrustedTypePolicyFactory

The TrustedTypePolicyFactory interface of the Trusted Types API creates policies and allows the verification of Trusted Type objects against created policies.

Properties

TrustedTypePolicyFactory.emptyHTML (read only)
Returns a TrustedHTML object containing an empty string.
TrustedTypePolicyFactory.emptyScript (read only)
Returns a TrustedScript object containing an empty string.
TrustedTypePolicyFactory.defaultPolicy (read only)
Returns the default TrustedTypePolicy, or null if there is no default policy.

Methods

TrustedTypePolicyFactory.createPolicy()
Creates a TrustedTypePolicy object that implements the rules passed as policyOptions.
TrustedTypePolicyFactory.isHTML()
When passed a value, checks that it is a valid TrustedHTML object.
TrustedTypePolicyFactory.isScript()
When passed a value, checks that it is a valid TrustedScript object.
TrustedTypePolicyFactory.isScriptURL()
When passed a value, checks that it is a valid TrustedScriptURL object.
TrustedTypePolicyFactory.getAttributeType()
Allows web developers to check whether a Trusted Type is required for an element and attribute, and if so which one.
TrustedTypePolicyFactory.getPropertyType()
Allows web developers to check whether a Trusted Type is required for a property, and if so which one.

Examples

The code below creates a policy named "myEscapePolicy" with a function defined for createHTML() which sanitizes HTML.

We then use the policy to sanitize a string, creating a TrustedHTML object, escaped. This object can be tested with isHTML() to ensure that it was created by one of our policies.

const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
  // Escape every "<" so the input cannot open a tag.
  createHTML: (string) => string.replace(/</g, "&lt;"),
});

// Returns a TrustedHTML object wrapping the escaped string.
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");

console.log(trustedTypes.isHTML(escaped)); // true
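
As an added example (not part of the original page or of the Trusted Types specification), the following builds an escaping policy that covers all five HTML-significant characters and uses isHTML() and getAttributeType() from the factory. The names tt, escapeHtml, examplePolicy, toSafeHTML and requiredType, and the stand-in object used when trustedTypes is unavailable, are assumptions made for illustration.

```javascript
// Added example; tt, escapeHtml, examplePolicy, toSafeHTML and requiredType
// are hypothetical names, not part of the Trusted Types API.

// Use the real factory when the runtime exposes one. Otherwise use a minimal
// stand-in (an assumption of this example) so the code still runs. The
// stand-in returns plain strings and can never vouch for a value.
const tt = globalThis.trustedTypes ?? {
  createPolicy: (_name, rules) => rules,
  isHTML: () => false,
  getAttributeType: () => null,
};

const ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the characters that can open a tag, an entity or an attribute value.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

const examplePolicy = tt.createPolicy("exampleEscapePolicy", {
  createHTML: escapeHtml,
});

// Pass through values that are already TrustedHTML; escape everything else.
// With the stand-in, isHTML() is always false, so every call escapes again.
function toSafeHTML(value) {
  return tt.isHTML(value) ? value : examplePolicy.createHTML(value);
}

// Ask the factory which Trusted Type, if any, an element attribute requires.
function requiredType(tagName, attribute) {
  return tt.getAttributeType(tagName, attribute);
}

// Constructed sample input.
const sample = '<img src=x onerror="alert(1)">';
console.log(String(toSafeHTML(sample)));
console.log(requiredType("script", "src")); // "TrustedScriptURL" in supporting browsers
```

Where Trusted Types are supported, toSafeHTML() returns a TrustedHTML object that can be assigned to an enforced sink; with the stand-in it returns an escaped string.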

Specifications

Specification: Trusted Types (# trusted-type-policy-factory)
