Should "Get Trusted Type compliant string" check isHTML/isScript/isScriptURL? #534

Open
mbrodesser-Igalia opened this issue Jul 11, 2024 · 2 comments
@mbrodesser-Igalia
Collaborator

https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 1 currently specifies "If input has type expectedType". What does that mean? It seems isHTML (https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-ishtml) / isScript / isScriptURL should be invoked.

The callers of "Get Trusted Type compliant string", e.g. someElement.insertAdjacentHTML (https://html.spec.whatwg.org/#dom-parsing-and-serialization:dom-element-insertadjacenthtml), don't check that either, so it should be checked somewhere.

@mbrodesser-Igalia mbrodesser-Igalia changed the title Should "Get Trusted Type compliant string" check isHTML/isScript/isScriptURL/`? Should "Get Trusted Type compliant string" check isHTML/isScript/isScriptURL/? Jul 11, 2024
@mbrodesser-Igalia mbrodesser-Igalia changed the title Should "Get Trusted Type compliant string" check isHTML/isScript/isScriptURL/? Should "Get Trusted Type compliant string" check isHTML/isScript/isScriptURL? Jul 11, 2024
@mbrodesser-Igalia mbrodesser-Igalia added this to the v1 milestone Jul 11, 2024
koto added a commit to koto/trusted-types that referenced this issue Oct 31, 2024
@koto
Member

koto commented Oct 31, 2024

#559 should clarify the language, I think. The is* functions should not be called there directly, as they can be replaced by user's code, but IIUC the stringification behavior, which is defined for each Trusted Type should correctly extract the value, so the prose looks OK here without having to refer to the object internals? (see also #541 (comment)).

cc @petervanderbeken @smaug---- if there's a better way to write this up.

@mbrodesser-Igalia
Collaborator Author

> #559 should clarify the language, I think.

Not sure, see #559 (comment).

> The is* functions should not be called there directly, as they can be replaced by user's code,

Correct.

> but IIUC the stringification behavior, which is defined for each Trusted Type should correctly extract the value, so the prose looks OK here without having to refer to the object internals? (see also #541 (comment)).
>
> cc @petervanderbeken @smaug---- if there's a better way to write this up.
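
A toy model of the point made in the thread that the is* functions can be replaced by user code, so a type check routed through them can be subverted while a check on the object's internal state cannot. This is an added example, not part of the thread or of the spec; `ModelTrustedHTML`, `makeFactory`, `step1ViaIsHTML` and `step1ViaSlot` are hypothetical names, and the private field stands in for a spec-level internal slot.

```javascript
// Toy model, constructed for illustration; not a browser's implementation.
// The private field #value plays the role of a spec "internal slot".
class ModelTrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
  // Brand check: true only for objects created by this class's constructor.
  static hasSlot(obj) {
    return typeof obj === "object" && obj !== null && #value in obj;
  }
  static slotValue(obj) { return obj.#value; }
}

// Stand-in for the script-visible factory object. Its methods are ordinary
// writable properties, so page script can reassign them.
function makeFactory() {
  return { isHTML(v) { return ModelTrustedHTML.hasSlot(v); } };
}

// Hypothetical step 1 expressed through the script-visible isHTML().
// Returning null means "not the expected type, continue with the algorithm".
function step1ViaIsHTML(factory, input) {
  return factory.isHTML(input) ? String(input) : null;
}

// Hypothetical step 1 expressed through the internal slot instead.
function step1ViaSlot(input) {
  return ModelTrustedHTML.hasSlot(input) ? ModelTrustedHTML.slotValue(input) : null;
}

function demo() {
  const factory = makeFactory();
  const genuine = new ModelTrustedHTML("<b>ok</b>");
  const plain = "<i>unvetted</i>"; // constructed sample input
  const before = step1ViaIsHTML(factory, plain);
  factory.isHTML = () => true; // user code replaces the method
  return {
    before,                                          // rejected while isHTML is intact
    afterViaIsHTML: step1ViaIsHTML(factory, plain),  // plain string now accepted
    afterViaSlot: step1ViaSlot(plain),               // slot check is unaffected
    genuineViaSlot: step1ViaSlot(genuine),           // real instance still passes
  };
}
```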
