this post was submitted on 22 Dec 2023
153 points (97.5% liked)
Technology
58757 readers
4376 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I had no idea trusted types existed, and took a while to realise the w3 docs was confusing as hell.
But mozilla to the rescue : https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
So it boils down to a javascript api to santize a string before using it in a plathora of javascript functions that interact with the DOM. Neat, but if the developer has to make the policy themselves i dont see the added bonus to this. XSS seems to be still possible if the policy is made incorrectly?
Edit : or am i reading the example wrong and the developer defined code is on top of whatever the api does with the string? I also dont understand why the browsers implementation of innerHtml couldnt just automatically apply whatever that policy does...