Skip to content

Element.innerHTML - add info trusted types #40423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Element.innerHTML - add info trusted types #40423

wants to merge 2 commits into from
+195 −142

Conversation

hamishwillee
Copy link
Collaborator

@hamishwillee hamishwillee commented Jul 18, 2025
edited
Loading

This updates the following properties to explain how they are used with TrustedTypes:

This is in progress:

  • Add boilerplate
  • Add TT information, including the new exception and tinyfill
  • Restructured - this isn't to current templates. Need to move the guid-ish stuff either down as examples or up into description

This does not mention the sanitizer methods as alternatives since the setHTML() is not implemented anywhere, and the sanitizer in setHTMLUnsafe() is not yet implemented. We're in separate discussion on those and when they are in a release we can revisit.

Part of #37518 (tracking issue)

@github-actions github-actions bot added Content:WebAPI Web API docs size/m [PR only] 51-500 LoC changed labels Jul 18, 2025
github-actions[bot]
github-actions bot reviewed Jul 18, 2025
View reviewed changes
hamishwillee
hamishwillee commented Jul 18, 2025
View reviewed changes
files/en-us/web/api/element/innerhtml/index.md
@@ -79,15 +153,6 @@ document.documentElement.innerHTML = `<pre>${document.documentElement.innerHTML.
)}</pre>`;
```

#### Operational details
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is interesting I guess. But it doesn't actually matter. If it did/does it should be in the description part.

@hamishwillee hamishwillee mentioned this pull request Jul 18, 2025
Open
11 tasks
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 18, 2025
edited
Loading

Preview URLs

External URLs (3)

URL: /en-US/docs/Web/API/Element/innerHTML
Title: Element: innerHTML property

URL: /en-US/docs/Web/API/Element/insertAdjacentHTML
Title: Element: insertAdjacentHTML() method

(comment last updated: 2025-07-21 07:07:10)

hamishwillee
hamishwillee commented Jul 20, 2025
View reviewed changes
@hamishwillee hamishwillee force-pushed the element-innerhtml_tt branch from 24677d9 to cfaddcf Compare July 21, 2025 05:20
@hamishwillee hamishwillee marked this pull request as ready for review July 21, 2025 05:22
@hamishwillee hamishwillee requested a review from a team as a code owner July 21, 2025 05:22
@hamishwillee hamishwillee requested review from sideshowbarker and wbamberg and removed request for a team July 21, 2025 05:22
@hamishwillee
Copy link
Collaborator Author

FYI @lukewarlow @wbamberg - this is the trusted types update for Element.innerHTML. Luke, I've taken on board your comments about sanitizer not yet being implemented. I still mention the setHTMLUnsafe() because it allows set with shadow roots, but not as alternatives with sanitization. It should however be possible to graft that information on here quite easily.

All the examples use trustedHTML. This also shows the first live example use of the tinyfill in the docs. This is duplication with the main docs, but it feels very practical to me given the current state of trustedtypes.

@sideshowbarker sideshowbarker removed their request for review July 21, 2025 06:06
hamishwillee
hamishwillee commented Jul 21, 2025
View reviewed changes
files/en-us/web/api/element/insertadjacenthtml/index.md
@@ -105,15 +119,35 @@ code {

#### JavaScript

```js hidden
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Decided to hide the tinyfill in this case. Do you think it should be here. Or perhaps a note "if trusted types not supported you should add a tinyfill".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@wbamberg wbamberg Awaiting requested review from wbamberg

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Content:WebAPI Web API docs size/m [PR only] 51-500 LoC changed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@hamishwillee