Commit08c56ee

committed

[trustedTypes]: Mark output from@html as untrusted

1 parentb3ba3c7 commit08c56eeCopy full SHA for 08c56ee

File tree

-4

lines changed

-4

lines changed

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ export function html(node, get_value, svg = false, mathml = false, skip_warning`
`97`	`97`	`// Don't use create_fragment_with_script_from_html here because that would mean script tags are executed.`
`98`	`98`	//@html is basically `.innerHTML = ...` and that doesn't execute scripts either due to security reasons.
`99`	`99`	`/*@type {DocumentFragment \| Element} /`
`100`		`-varnode=create_fragment_from_html(html);`
	`100`	`+varnode=create_fragment_from_html(html,/untrusted=/true);`
`101`	`101`
`102`	`102`	`if(svg\|\|mathml){`
`103`	`103`	`node=/*@type {Element} /(get_first_child(node));`

Lines changed: 7 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,13 @@ function create_trusted_html(html) {`
`15`	`15`	`return/*@type {string} /(policy?.createHTML(html)??html);`
`16`	`16`	`}`
`17`	`17`
`18`		`-/*@param {string} html /`
`19`		`-exportfunctioncreate_fragment_from_html(html){`
	`18`	`+/**`
	`19`	`+ *@param {string} html`
	`20`	`+ *@param {boolean} untrusted`
	`21`	`+ */`
	`22`	`+exportfunctioncreate_fragment_from_html(html,untrusted=false){`
`20`	`23`	`varelem=document.createElement('template');`
`21`		`-elem.innerHTML=create_trusted_html(html.replaceAll('<!>','<!---->'));// XHTML compliance`
	`24`	`+html=html.replaceAll('<!>','<!---->');// XHTML compliance`
	`25`	`+elem.innerHTML=untrusted ?html :create_trusted_html(html);`
`22`	`26`	`returnelem.content;`
`23`	`27`	`}`

Comments

(0)