Merge pull request #699 from tosmolka/tosmolka/660

Support sanitization of attributes that require Trusted Types
cure53 · Jul 18, 2022 · 2fe2a34 · 2fe2a34
2 parents 52c8eb1 + 4ec6d6f
commit 2fe2a34
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/src/purify.js b/src/purify.js
@@ -55,6 +55,9 @@ const _createTrustedTypesPolicy = function (trustedTypes, document) {
       createHTML(html) {
         return html;
       },
+      createScriptURL(scriptUrl) {
+        return scriptUrl;
+      },
     });
   } catch (_) {
     // Policy creation failed (most likely another DOMPurify script has
@@ -1202,6 +1205,28 @@ function createDOMPurify(window = getGlobal()) {
         continue;
       }
 
+      /* Handle attributes that require Trusted Types */
+      if (
+        trustedTypesPolicy &&
+        typeof trustedTypes === 'object' &&
+        typeof trustedTypes.getAttributeType === 'function'
+      ) {
+        if (namespaceURI) {
+          /* Namespaces are not yet supported, see https://bugs.chromium.org/p/chromium/issues/detail?id=1305293 */
+        } else {
+          switch (trustedTypes.getAttributeType(lcTag, lcName)) {
+            case 'TrustedHTML':
+              value = trustedTypesPolicy.createHTML(value);
+              break;
+            case 'TrustedScriptURL':
+              value = trustedTypesPolicy.createScriptURL(value);
+              break;
+            default:
+              break;
+          }
+        }
+      }
+
       /* Handle invalid data-* attribute set by try-catching it */
       try {
         if (namespaceURI) {