Why assigning Trusted Types to dangerous sinks still causes compilation error?
shhnjk opened this issue · comments
I'm using DOMPurify with types, and it returns TrustedHTML
when RETURN_TRUSTED_TYPE
option is provided.
https://github.com/DefinitelyTyped/DefinitelyTyped/blob/f6dad85222741e22707bb30d39caf58e80843f9c/types/dompurify/index.d.ts#L24
While using DOMPurify works with innerHTML
, it doesn't work with DOMParser
's parseFromString
.
import { sanitize } from 'dompurify';
const template = document.createElement('template');
template.innerHTML = sanitize('test', { RETURN_TRUSTED_TYPE: true }) as unknown as string; // no tsec error
const parser = new DOMParser();
parser.parseFromString(sanitize('test', { RETURN_TRUSTED_TYPE: true }) as unknown as string, 'text/html');
// TS21228: [ban-domparser-parsefromstring] Using DOMParser#parseFromString to parse untrusted input into DOM elements can lead to XSS.
Why are there differences in Trusted Types usage behavior?
Because parseFromString
itself doesn't return a Trusted Type. It returns a DOM node.
Could you describe your use case with more details?
Because
parseFromString
itself doesn't return a Trusted Type. It returns a DOM node.
Well, I'm talking about difference in behavior.
Why is assigning TrustedHTML
to innerHTML
doesn't require ban-element-innerhtml-assignments
exemption but it does require ban-domparser-parsefromstring
exemption on parseFromString
?
Because we believe such cases are extremely rare, and analysis regarding function properties is less precise in general. If you have a strong use case for parseFromString
to consume a Trusted Types value, we can consider supporting it.
We are just parsing XML file uploaded by user.
But in that case, can you at least document which sinks won't require exemption when used with Trusted Types? Maybe add a column of Skips exemption with Trusted Types
with Boolean value here?
Yes, I will update the doc.