{"id":21754636,"url":"https://github.com/aegisjsproject/trusted-types","last_synced_at":"2025-06-23T03:33:04.206Z","repository":{"id":230992992,"uuid":"780553598","full_name":"AegisJSProject/trusted-types","owner":"AegisJSProject","description":"A polyfill for the Trusted Types API","archived":false,"fork":false,"pushed_at":"2025-06-06T18:24:38.000Z","size":998,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-11T20:37:26.383Z","etag":null,"topics":["aegis","polyfill","security","trusted-types"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/@aegisjsproject/trusted-types","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AegisJSProject.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"shgysk8zer0","liberapay":"shgysk8zer0"}},"created_at":"2024-04-01T18:04:57.000Z","updated_at":"2025-06-06T18:24:38.000Z","dependencies_parsed_at":"2024-11-09T00:17:04.196Z","dependency_job_id":"dcf73ca8-e421-4f40-9cbc-10e520dad62b","html_url":"https://github.com/AegisJSProject/trusted-types","commit_stats":null,"previous_names":["aegisjsproject/trusted-types"],"tags_count":3,"template":false,"template_full_name":"shgysk8zer0/npm-template","purl":"pkg:github/AegisJSProject/trusted-types","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AegisJSProject%2Ftrusted-types","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AegisJSProject%2Ftrusted-types/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AegisJSProject%2Ftrusted-types/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AegisJSProject%2Ftrusted-types/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AegisJSProject","download_url":"https://codeload.github.com/AegisJSProject/trusted-types/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AegisJSProject%2Ftrusted-types/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261404888,"owners_count":23153480,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aegis","polyfill","security","trusted-types"],"created_at":"2024-11-26T09:14:33.245Z","updated_at":"2025-06-23T03:32:59.185Z","avatar_url":"https://github.com/AegisJSProject.png","language":"JavaScript","funding_links":["https://github.com/sponsors/shgysk8zer0","https://liberapay.com/shgysk8zer0","https://liberapay.com/shgysk8zer0/donate"],"categories":[],"sub_categories":[],"readme":"# @aegisjsproject/trusted-types\n\nA polyfill for the [Trusted Types API](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API)\n\n[![CodeQL](https://github.com/AegisJSProject/trusted-types/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/AegisJSProject/trusted-types/actions/workflows/codeql-analysis.yml)\n![Node CI](https://github.com/AegisJSProject/trusted-types/workflows/Node%20CI/badge.svg)\n![Lint Code Base](https://github.com/AegisJSProject/trusted-types/workflows/Lint%20Code%20Base/badge.svg)\n\n[![GitHub license](https://img.shields.io/github/license/AegisJSProject/trusted-types.svg)](https://github.com/AegisJSProject/trusted-types/blob/master/LICENSE)\n[![GitHub last commit](https://img.shields.io/github/last-commit/AegisJSProject/trusted-types.svg)](https://github.com/AegisJSProject/trusted-types/commits/master)\n[![GitHub release](https://img.shields.io/github/release/AegisJSProject/trusted-types?logo=github)](https://github.com/AegisJSProject/trusted-types/releases)\n[![GitHub Sponsors](https://img.shields.io/github/sponsors/shgysk8zer0?logo=github)](https://github.com/sponsors/shgysk8zer0)\n\n[![npm](https://img.shields.io/npm/v/@aegisjsproject/trusted-types)](https://www.npmjs.com/package/@aegisjsproject/trusted-types)\n![node-current](https://img.shields.io/node/v/@aegisjsproject/trusted-types)\n![npm bundle size gzipped](https://img.shields.io/bundlephobia/minzip/@aegisjsproject/trusted-types)\n[![npm](https://img.shields.io/npm/dw/@aegisjsproject/trusted-types?logo=npm)](https://www.npmjs.com/package/@aegisjsproject/trusted-types)\n\n[![GitHub followers](https://img.shields.io/github/followers/AegisJSProject.svg?style=social)](https://github.com/AegisJSProoject)\n![GitHub forks](https://img.shields.io/github/forks/AegisJSProject/trusted-types.svg?style=social)\n![GitHub stars](https://img.shields.io/github/stars/AegisJSProject/trusted-types.svg?style=social)\n[![Twitter Follow](https://img.shields.io/twitter/follow/shgysk8zer0.svg?style=social)](https://twitter.com/shgysk8zer0)\n\n[![Donate using Liberapay](https://img.shields.io/liberapay/receives/shgysk8zer0.svg?logo=liberapay)](https://liberapay.com/shgysk8zer0/donate \"Donate using Liberapay\")\n- - -\n\n- [Code of Conduct](./.github/CODE_OF_CONDUCT.md)\n- [Contributing](./.github/CONTRIBUTING.md)\n\u003c!-- - [Security Policy](./.github/SECURITY.md) --\u003e\n\n## [Concepts and Usage](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage)\n\nClient-side, or DOM-based, XSS attacks happen when data controlled by a user\n(such as that input into a form field) reaches a function that can execute that\ndata. These functions are known as injection sinks. DOM-based XSS attacks happen\nwhen a user is able to write arbitrary JavaScript code and have it executed by one\nof these functions.\n\nThe Trusted Types API locks down risky injection sinks, requiring you to process\nthe data before passing it to one of these functions. If you use a string, then\nthe browser will throw a TypeError and prevent the use of the function.\n\nTrusted Types works alongside [Content-Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)\nwith the [`trusted-types`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types)\nand [`require-trusted-types-for`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for)\ndirectives.\n\n### [Injection Sinks](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API#injection_sinks)\n\nThe Trusted Types API locks down injection sinks that can act as a vector for DOM-XSS\nattacks. An injection sink is any Web API function that should only be called\nwith trusted, validated or sanitized input. Examples of injection sinks include:\n\n- Functions that insert HTML into the document such as Element.innerHTML, Element.outerHTML, or Document.write.\n- Functions that create a new same-origin Document with caller-controlled markup such as DOMParser.parseFromString.\n- Functions that execute code such as Global_Objects/eval.\n- Setters for Element attributes that accept a URL of code to load or execute.\n\nTrusted Types will force you to process the data before passing it to any\ninjection sink rather than use a string. This ensures that the data is trustworthy.\n\n\u003e [!IMPORTANT]\n\u003e Since the document cannot directly access HTTP headers, this polyfill requires\n\u003e either `\u003cmeta http-equiv=\"Content-Security-Policy\"\u003e` or a `data-trusted-policies`\n\u003e attribute to be set on `\u003chtml\u003e`.\n\nThe Trusted Types API gives web developers a way to lock down the insecure parts\nof the DOM API to prevent client-side Cross-site scripting (XSS) attacks.\n\n## Included Scripts/Modules\n- **`trusted-types`**: Polyfills the `globalThis.trustedTypes`  object\n- **`harden`**: Overwrites \"injection sink\" property \u0026 attribute setters\n- **`bundle`**: Loads polyfill and conditionally \"harden\"s\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faegisjsproject%2Ftrusted-types","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faegisjsproject%2Ftrusted-types","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faegisjsproject%2Ftrusted-types/lists"}