
Trusted Types - use setHTML instead of innerHTML internally #5094

Open

@kkmuffme

Follow-up to #4409 and its PR #4927, which were more about handling Trusted Types (TT-agnostic).

With Chrome shipping this API soon (v105, https://chromestatus.com/feature/5786893650231296, currently v104) and given the exploits with ".sanitize" (in DomPurify, but also in https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer/sanitize, see https://web.dev/sanitizer/#api-surface), the TT-agnostic approach currently taken can be insufficient/insecure.

Suggested change:
Instead of using .innerHTML =, jQuery should use .setHTML( ... ) when available (https) / supported by the browser.


Advantages:

Disadvantages:

  • breaking change for users that used insecure "onclick=", ... in their HTML attributes inserted with .html()/.append(), ... (which are incompatible with strict CSP policies anyway) - this is the cost of XSS mitigation, though.

Additional discussion needed:

  1. if a trusted type is passed to a jQuery function, should jQuery continue using .innerHTML (instead of .setHTML())?
  • Pro: the trusted type was sanitized according to the user's needs (e.g. with certain elements allowed that might not be allowed by default)
  • Con: can be insecure (as per above)
  2. how would a user pass Sanitizer options to setHTML when using jQuery .html()/.append()/...? Should there be an option for this at all? (if we would keep using .innerHTML for already Trusted Types, there wouldn't be a need for an option, since the user would just sanitize according to his/her needs before passing to jQuery)

Closing thoughts
The current way Trusted Types are handled in jQuery is potentially insecure and still allows for XSS attacks - running afoul of the purpose of Trusted Types.
Furthermore, this minor change will help make the web safer for users and life easier for developers.
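The dispatch the proposal describes, as an added example that is neither jQuery's code nor the issue author's: a helper that writes markup through Element.setHTML() when the browser has it and only falls back to innerHTML otherwise, plus a Node-runnable stand-in for a DOM element so the decision can be exercised offline. Only Element.setHTML(input, { sanitizer }) and innerHTML are real browser APIs here; the names setMarkup, FakeElement, fakeSanitize, the option names `trusted` and `sanitizer`, and the sample markup are assumptions constructed for this example. The `trusted` path shows the "Additional discussion" point 1 trade-off: a TrustedHTML value minted by a pass-through policy reaches innerHTML unchanged.

```javascript
// Added example, not jQuery's code: a "prefer setHTML()" insertion helper of
// the kind the issue proposes, plus a Node-runnable stand-in for a DOM
// element so the dispatch can be exercised without a browser.

// Insert `html` into `el`. Prefer Element.setHTML(), which runs the markup
// through the browser's built-in Sanitizer, and fall back to innerHTML only
// when setHTML() is not available. Returns the sink that was used.
function setMarkup(el, html, options = {}) {
  // `trusted` and `sanitizer` are option names assumed for this example,
  // not real jQuery options.
  if (options.trusted) {
    // Caller vouches for the value (e.g. TrustedHTML from its own policy):
    // write it straight to innerHTML. This is the path the issue calls
    // "can be insecure", because a policy may not sanitize at all.
    el.innerHTML = String(html);
    return 'innerHTML';
  }
  if (typeof el.setHTML === 'function') {
    // Real browser signature: el.setHTML(input, { sanitizer }), where
    // `sanitizer` is a Sanitizer object or a sanitizer config. Passing no
    // options selects the default (safe) config.
    el.setHTML(String(html), options.sanitizer ? { sanitizer: options.sanitizer } : undefined);
    return 'setHTML';
  }
  el.innerHTML = String(html);
  return 'innerHTML';
}

// Stand-in for a DOM element, constructed for this example. Its setHTML()
// mimics one property of the real Sanitizer's default config only: event
// handler attributes (on*) and <script> elements are dropped. It is a test
// double so the helper runs in Node; it is NOT an HTML sanitizer.
function fakeSanitize(markup) {
  return String(markup)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

class FakeElement {
  constructor(hasSetHTML) {
    this.innerHTML = '';
    this.lastOptions = null;
    if (hasSetHTML) {
      this.setHTML = (input, opts) => {
        this.lastOptions = opts;
        this.innerHTML = fakeSanitize(input);
      };
    }
  }
}

// Constructed attacker-controlled markup of the kind that slips through a
// TT-agnostic innerHTML write.
const UNTRUSTED = '<img src=x onerror="alert(1)"><b>hi</b>';

// Stand-in for a TrustedHTML object minted by a pass-through policy
// (createHTML: s => s). Real TrustedHTML also just stringifies to its payload.
const PASS_THROUGH_TRUSTED = { toString: () => UNTRUSTED };

function demo() {
  const modern = new FakeElement(true);   // browser with Element.setHTML()
  const legacy = new FakeElement(false);  // browser without it
  const viaPolicy = new FakeElement(true);
  return {
    modernSink: setMarkup(modern, UNTRUSTED),
    modernHTML: modern.innerHTML,
    legacySink: setMarkup(legacy, UNTRUSTED),
    legacyHTML: legacy.innerHTML,
    trustedSink: setMarkup(viaPolicy, PASS_THROUGH_TRUSTED, { trusted: true }),
    trustedHTML: viaPolicy.innerHTML,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a real browser the feature check would be `'setHTML' in Element.prototype`, and the fallback branch is exactly where a Trusted Types enforcing CSP (`require-trusted-types-for 'script'`) would throw on a plain string, so the `trusted` option and the fallback both need to stay compatible with the existing TT handling from #4927.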
