myHotTake

Tag: DOM security

  • How Do Trusted Types Prevent DOM-Based XSS Attacks?

    If you find this story engaging, feel free to like or share it!


    I’m sitting in a classroom with a pile of essays in front of me. My role? To ensure that each essay is free from errors before it goes to the principal. Armed with my trusty red pen, I become the guardian of accuracy, ensuring nothing harmful sneaks through. This red pen is my “Trusted Types policy.”

    In the world of JavaScript, I’ve learned that Trusted Types play a similar role. the web page as the principal who can only accept error-free essays. My red pen, or the Trusted Types policy, scrutinizes every piece of content meant for the DOM, ensuring it doesn’t include anything malicious, like a sneaky piece of code trying to execute an unwanted script. This is how we prevent DOM-based XSS attacks.

    As I scan each page, I make sure every detail aligns with the rules I’ve set. Only content marked with my red pen can make it through. If something’s amiss, it goes back for correction—never reaching the principal. This meticulous process ensures that the web page remains secure and free from harmful scripts.

    Like my role in the classroom, Trusted Types serve as a vigilant red pen in the digital world, correcting potential errors and protecting the integrity of web applications. Through this process, we ensure a safe and secure environment for users, just as I ensure clean, error-free essays for the principal.


    First, I need to set up a policy. Think of this as defining the rules for what “correct” content looks like—just like deciding which errors my red pen will mark. Here’s a simple example:

    // Setting up a Trusted Types policy
    const myPolicy = trustedTypes.createPolicy('myPolicy', {
      createHTML: (input) => {
        // Here, I review the input and decide if it's safe
        if (input.includes('<script>')) {
          throw new Error('Script tags are not allowed!');
        }
        return input;
      }
    });

    In this policy, I ensure that no <script> tags sneak through, similar to catching spelling mistakes in essays. Now, let’s see how I apply this policy when adding content to the DOM:

    // Usage of the policy when setting innerHTML
    const content = '<div>Safe Content</div>'; // Content to be checked
    document.getElementById('myElement').innerHTML = myPolicy.createHTML(content);

    With this, I’m ensuring that only content reviewed by my “red pen” policy is trusted to be added to the DOM. If the content is safe, it passes through; if not, it gets sent back for correction.

    Key Takeaways:

    1. Trusted Types as Guardians: Just like my red pen catches errors in essays, Trusted Types policies prevent untrusted content from entering the DOM, thus mitigating DOM-based XSS vulnerabilities.
    2. Defining Policies: Creating a Trusted Types policy involves setting rules to screen content for potential threats, much like setting grammatical rules for essays.
    3. Practical Application: By using these policies, developers can ensure only vetted content is added to their web pages, enhancing security and maintaining the integrity of their applications.