Trusted Types API - Web APIs | MDN
Limited availability
Note: This feature is available in Web Workers.
The Trusted Types API gives web developers a way to ensure that input has been passed through a user-specified transformation function before being passed to an API that might execute that input. This can help to protect against client-side cross-site scripting (XSS) attacks. Most commonly the transformation function sanitizes the input.
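As an added illustration (not MDN's own code), the following defines a Trusted Types policy whose transformation function escapes markup before the value reaches an HTML sink. It assumes a browser exposing `trustedTypes` and, when that global is absent (for example under Node), falls back to a small shim so the transformation logic itself can still be exercised; the shim and the policy name `escape-only` are assumptions, not part of the page.

```javascript
// Escape the five characters that let text break out of an HTML context.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));

// The user-specified transformation function the API is built around:
// every value destined for innerHTML must pass through it.
const rules = {
  createHTML: (input) => `<p>${escapeHtml(input)}</p>`,
};

function makePolicy(name, policyRules) {
  if (globalThis.trustedTypes && globalThis.trustedTypes.createPolicy) {
    // Real API: returns a policy whose createHTML yields a TrustedHTML object.
    return globalThis.trustedTypes.createPolicy(name, policyRules);
  }
  // Shim (assumption): outside a browser a plain string stands in for
  // TrustedHTML so the transformation can be run and checked offline.
  return { createHTML: (input) => policyRules.createHTML(input) };
}

// With the CSP header
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-only
// the browser rejects any string assigned to an HTML sink that did not
// come from this policy.
const policy = makePolicy('escape-only', rules);

// Route untrusted text to the sink only via the policy; returns the
// markup that was (or would be) assigned so it can be inspected.
function renderUntrusted(input, element) {
  const html = policy.createHTML(input);
  if (element) element.innerHTML = html; // the injection sink
  return String(html);
}

// Constructed sample input, e.g. a value taken from a query parameter.
const sample = '<script>alert(1)</script>';
console.log(renderUntrusted(sample));
```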
Concepts and usage
Client-side, or DOM-based, XSS attacks happen when data crafted by an attacker is passed to a browser API that executes that data as code. These APIs are known as injection sinks.
The Trusted Types API distinguishes three sorts of injection sinks:
- HTML sinks: APIs that interpret their input as HTML, such as Element.innerHTML or document.write(). These APIs could execute JavaScript if it is embedded in the HTML, for example in