this document requires 'trustedscript' assignment.
// 0. Install the DOMPurify library. npm install --save DOMPurify
// 1. Create a file trusted-security-policies.js
// 2. In the entry point for your bundler (like e.g. webpack), import
// this file first (before any code that potentially violates the
// content security policy):
import './path/to/trusted-security-policies';
// example:
import DOMPurify from 'dompurify';
if (window.trustedTypes && window.trustedTypes.createPolicy) { // Feature testing
window.trustedTypes.createPolicy('default', {
createHTML: (string) => DOMPurify.sanitize(string, {RETURN_TRUSTED_TYPE: true}),
createScriptURL: string => string, // warning: this is unsafe!
createScript: string => string, // warning: this is unsafe!
});
}
// What this does:
//
// Whenever a string is assigned to be parsed as HTML, or as a URL, or as a
// script, the browser automatically passes this string through the defined
// handler function.
// For HTML, the HTML is being sanitized from potential XSS code by the
// DOMPurify library.
// For scriptURL and script, the string is just passed through. Please note
// that this effectively disables security for these two parts and should
// only be used for as long as you haven't identified how to make these
// strings safe yourself. As soon as you have that, replace the handler
// functions accordingly.