Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support TRUSTED_TYPES_POLICY configuration option #800

Merged
merged 1 commit into from
May 2, 2023
Merged

support TRUSTED_TYPES_POLICY configuration option #800

merged 1 commit into from
May 2, 2023

Conversation

dejang
Copy link
Contributor

@dejang dejang commented May 1, 2023

Summary

Introducing a new configuration option to allow more flexibility for DOMPurify when used in larger applications which need to handle multiple DOMPurify instances or when allowing a 'dompurify' policy, which DOMPurify attempts to create internally on startup, is not an option.

Background & Context

The feature has been described in #798.
The existing behavior has been maintained, DOMPurify will still try to create its internal policy.

Tasks

  • validate internal 'dompurify' policy is created
  • create a custom TrustedTypes policy. Call DOMPurify.sanitize('<img />', {TRUSTED_TYPES_POLICY: yourPolicy}) and validate call count for the policy method createHTML is 2 (one for emptyHTML and one when initDocument is called)
  • create a custom TrustedTypes policy. Call DOMPurify.sanitize('<img />', {TRUSTED_TYPES_POLICY: yourPolicy, RETURN_TRUSTED_TYPE: true }) and validate call count for the policy method createHTML is 3 (one for emptyHTML, one for initDocument, one for return value)
  • create a custom TrustedTypes policy. Create a new instance of DOMPurify and use .setConfig({TRUSTED_TYPES_POLICY: yourPolicy}) to configure the policy only. Call sanitize('<img />') on the new instance and validate call count for the policy method createHTML is 2 (one for emptyHTML and one when initDocument is called)
  • create a custom TrustedTypes policy. Create a new instance of DOMPurify and use .setConfig({TRUSTED_TYPES_POLICY: yourPolicy, RETURN_TRUSTED_TYPE: true }) to configure the policy and return type to be a TrustedType. Call sanitize('<img />') and validate call count for the policy method createHTML is 3 (one for emptyHTML, one for initDocument, one for return value)

@dejang dejang force-pushed the configurable-trusted-types-policy branch from 9a49d6b to 8dc24e4 Compare May 1, 2023 15:59
caridy
caridy reviewed May 1, 2023
View reviewed changes
Copy link

@caridy caridy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cure53
Copy link
Owner

cure53 commented May 2, 2023

This looks fantastic, thanks :)

@cure53 cure53 merged commit bb04683 into cure53:main May 2, 2023
@dejang dejang mentioned this pull request May 3, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@caridy caridy caridy left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dejang @cure53 @caridy