Have Trusted Types API built directly into the jQuery Core Files

The latest version of jQuery V3.4.1 has 5 innerHTML() which are not sanitized by default. Does the jQuery team plan on addressing these DOM XSS things in the near future with regards to the new Trusted Types API see here: https://github.com/WICG/trusted-types

[mgol]

Thanks for the report. What would you expect jQuery to do here?

[mgol]

Note, though, that jQuery doesn't support experimental APIs as they may change and then we're left with obsolete code. It's fine to experiment & think of the approaches but we'd wait with landing any actual code in the library for the spec to stabilize & to be implemented in at least 2 major browser engines.

[dmethvin]

Yeah, this is a tough one. The team has discussed it for years and had issues determining how to make things safer without seriously redesigning the API. Most of our HTML goes through jQuery.parseHTML() and jQuery.htmlPrefilter() so it is currently possible to try and sanitize through that. There's the one fast path for .html(string) that assigns directly to .innerHTML but that already goes through the prefilter and could just be taken out if needed. The others are Sizzle feature checks for browsers we won't support in 4.0 anyway.

Perhaps we could recognize a Trusted Type and pass it through as if were HTML, but not actually do any manipulation with it, e.g. $("div").append(someTrustedType). (As an aside, I would hope that a Trusted Type doesn't return an HTML representation when you call .toString() on it.)

Seems like they've taken old browsers into account with a simple polyfill that just returns strings if the browser doesn't support Trusted Types.

But given where the implementations are at, it is probably too early to add any code.

I will add an extra comment as you added a 'needs info' label. I totally understand that the Trusted Types API is right now in a trial. I thought maybe this issue could be dealt with in your future updates like in V4.0.0 and by then the API would have changed from a trial / draft spec to a more stable spec.

When I did a quick play around with Trusted Types API and jQuery V3.4.1 I got the following results:

DomPurifer have added this API see here for further details: https://github.com/cure53/DOMPurify#what-about-dompurify-and-trusted-types

I can't really say anymore and leave this issue open to other people to comment and add extra info and ideas.

I feel it would be a good feature request for jQuery in the near future and decided to open this issue in that regard. We all know about this problem for a long time, but a full solution has never been added yet.

[mgol]

I added it to the 4.0.0 milestone so that we don’t forget about it when we get closer to the release.

[timmywil]

I'm in favor of this. We'll keep an eye on the spec status and revisit later.

[mgol]

angular/angular.js#17028 has some code that I'd like to backport to jQuery, at least to the master branch. It might be hard to do on the 3.x line as IE 9 needs the existing approach so we'd have to fork logic, increasing the size significantly which we usually try to avoid.