Merge pull request #800 from dejang/configurable-trusted-types-policy

support TRUSTED_TYPES_POLICY configuration option
cure53 · May 2, 2023 · bb04683 · bb04683
2 parents f3a5f0c + 8dc24e4
commit bb04683
Show file tree

Hide file tree

Showing 11 changed files with 208 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -291,6 +291,15 @@ var clean = DOMPurify.sanitize(dirty, {RETURN_DOM_FRAGMENT: true});
 // use the RETURN_TRUSTED_TYPE flag to turn on Trusted Types support if available
 var clean = DOMPurify.sanitize(dirty, {RETURN_TRUSTED_TYPE: true}); // will return a TrustedHTML object instead of a string if possible
 
+// use a provided Trusted Types policy
+var clean = DOMPurify.sanitize(dirty, {
+    // supplied policy must define createHTML and createScriptURL
+    TRUSTED_TYPES_POLICY: trustedTypes.createPolicy({
+        createHTML(s) { return s},
+        createScriptURL(s) { return s},
+    }
+});
+
 /**
  * Influence how we sanitize
  */
@@ -301,8 +310,8 @@ var clean = DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true});
 var clean = DOMPurify.sanitize(dirty, {SANITIZE_DOM: false});
 
 // enforce strict DOM Clobbering protection via namespace isolation (default is false)
-// when enabled, isolates the namespace of named properties (i.e., `id` and `name` attributes) 
-// from JS variables by prefixing them with the string `user-content-` 
+// when enabled, isolates the namespace of named properties (i.e., `id` and `name` attributes)
+// from JS variables by prefixing them with the string `user-content-`
 var clean = DOMPurify.sanitize(dirty, {SANITIZE_NAMED_PROPS: true});
 
 // keep an element's content when the element is removed (default is true)

diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.js b/dist/purify.es.js
diff --git a/dist/purify.es.js.map b/dist/purify.es.js.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -130,11 +130,11 @@ function createDOMPurify(window = getGlobal()) {
     }
   }
 
-  const trustedTypesPolicy = _createTrustedTypesPolicy(
+  let trustedTypesPolicy = _createTrustedTypesPolicy(
     trustedTypes,
     originalDocument
   );
-  const emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : '';
+  let emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : '';
 
   const {
     implementation,
@@ -588,6 +588,25 @@ function createDOMPurify(window = getGlobal()) {
       delete FORBID_TAGS.tbody;
     }
 
+    if (cfg.TRUSTED_TYPES_POLICY) {
+      if (typeof cfg.TRUSTED_TYPES_POLICY.createHTML !== 'function') {
+        throw typeErrorCreate(
+          'TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.'
+        );
+      }
+
+      if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== 'function') {
+        throw typeErrorCreate(
+          'TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.'
+        );
+      }
+
+      // Overwrite existing TrustedTypes policy.
+      trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;
+      // Sign local variables in case using the internal policy did not succeed.
+      emptyHTML = trustedTypesPolicy.createHTML('');
+    }
+
     // Prevent further manipulation of configuration.
     // Not available in IE8, Safari 5, etc.
     if (freeze) {