Trusted Types API for XSS Prevention: Pros and Cons
Trusted Types is one of the few browser security features that actually changes developer behavior in a useful way. I like it because it goes after a common failure mode in front-end code: taking strings from somewhere untrusted and shoving them into dangerous DOM APIs like innerHTML, outerHTML, insertAdjacentHTML, or eval-adjacent sinks. That is exactly how a lot of DOM XSS happens in real apps. The short version: Trusted Types turns dangerous string-based DOM injection into a type-checked operation. Instead of passing raw strings into risky sinks, you pass special objects like TrustedHTML, usually created by a policy that sanitizes or validates the content first. ...