{"id":26085942,"url":"https://github.com/w3c/webappsec-trusted-types","last_synced_at":"2025-03-09T06:01:55.016Z","repository":{"id":25292000,"uuid":"103660159","full_name":"w3c/trusted-types","owner":"w3c","description":"A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.","archived":false,"fork":false,"pushed_at":"2025-03-04T15:23:01.000Z","size":3820,"stargazers_count":615,"open_issues_count":52,"forks_count":77,"subscribers_count":74,"default_branch":"main","last_synced_at":"2025-03-08T16:11:23.505Z","etag":null,"topics":["dom","javascript","polyfill","security","trusted-types","w3c","xss"],"latest_commit_sha":null,"homepage":"https://w3c.github.io/trusted-types/dist/spec/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/w3c.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-15T13:26:39.000Z","updated_at":"2025-03-04T15:23:05.000Z","dependencies_parsed_at":"2024-12-28T07:00:52.577Z","dependency_job_id":"d4011c7f-d649-4738-8570-a8a3bce940df","html_url":"https://github.com/w3c/trusted-types","commit_stats":{"total_commits":425,"total_committers":34,"mean_commits":12.5,"dds":"0.37411764705882355","last_synced_commit":"38199636c3e19b7bd32bb15069171192055c8beb"},"previous_names":["w3c/webappsec-trusted-types"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w3c%2Ftrusted-types","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w3c%2Ftrusted-types/ta
gs","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w3c%2Ftrusted-types/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w3c%2Ftrusted-types/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/w3c","download_url":"https://codeload.github.com/w3c/trusted-types/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242650949,"owners_count":20163611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dom","javascript","polyfill","security","trusted-types","w3c","xss"],"created_at":"2025-03-09T06:01:38.811Z","updated_at":"2025-03-09T06:01:55.010Z","avatar_url":"https://github.com/w3c.png","language":"JavaScript","funding_links":[],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing","\u003ca id=\"9f8d3f2c9e46fbe6c25c22285c8226df\"\u003e\u003c/a\u003eBAP"],"sub_categories":["\u003ca id=\"5d7191f01544a12bdaf1315c3e986dff\"\u003e\u003c/a\u003eXSS\u0026\u0026XXE","\u003ca id=\"f10e9553770db6f98e8619dcd74166ef\"\u003e\u003c/a\u003e工具"],"readme":"![npm bundle size](https://img.shields.io/bundlephobia/minzip/trusted-types.svg)\n![Libraries.io dependency status for latest release](https://img.shields.io/librariesio/release/npm/trusted-types.svg)\n![GitHub issues](https://img.shields.io/github/issues/w3c/trusted-types.svg)\n![npm](https://img.shields.io/npm/v/trusted-types.svg)\n[![BrowserStack 
Status](https://www.browserstack.com/automate/badge.svg?badge_key=eGZQNXU1U09vZjkrZzYzU3YrQ2FsbUpheGczR0VmMTZUSjBydnNjd1pKTT0tLTZPMWVJTnU1UHJvYjFCb0pHQmlsaXc9PQ%3d%3d--295829245abf0dd0cd150f9ca4fe3198da38747b)](https://www.browserstack.com/automate/public-build/eGZQNXU1U09vZjkrZzYzU3YrQ2FsbUpheGczR0VmMTZUSjBydnNjd1pKTT0tLTZPMWVJTnU1UHJvYjFCb0pHQmlsaXc9PQ%3d%3d--295829245abf0dd0cd150f9ca4fe3198da38747b)\n\n# Trusted Types\n\nFirst time here? This is a repository hosting the Trusted Types specification draft and the polyfill code. You might want to check out other resources about Trusted Types:\n\n * [Introduction for web developers](https://web.dev/trusted-types/) - API description with examples.\n * [Explainer](explainer.md) - introductory explainer (what problem is the API solving?).\n * [Specification draft](https://w3c.github.io/trusted-types/dist/spec/) - a more comprehensive and formalized description of the Trusted Types API.\n * [Browser Support](https://caniuse.com/trusted-types) - The API is available natively in browsers based on Chromium version 83 and up. \n\n## Polyfill\n\nThis repository contains a polyfill implementation that allows you to use the API in all web browsers. The compiled versions are stored in [`dist` directory](dist/).\n\n### Browsers\nThe ES5 / ES6 builds can be loaded directly in the browsers. There are two variants of the browser polyfill - **api_only** (light) and **full**. The *api_only* variant defines the API, so you can create policies and types. 
*Full* version also enables the type enforcement in the DOM, based on the CSP policy it infers from the current document (see [src/polyfill/full.js](src/polyfill/full.js)).\n\n```html\n\u003c!-- API only --\u003e\n\u003cscript src=\"https://w3c.github.io/webappsec-trusted-types/dist/es5/trustedtypes.api_only.build.js\"\u003e\u003c/script\u003e\n\u003cscript\u003e\n     const p = trustedTypes.createPolicy('foo', ...)\n     document.body.innerHTML = p.createHTML('foo'); // works\n     document.body.innerHTML = 'foo'; // but this one works too (no enforcement).\n\u003c/script\u003e\n```\n\n```html\n\u003c!-- Full --\u003e\n\u003cscript src=\"https://w3c.github.io/webappsec-trusted-types/dist/es5/trustedtypes.build.js\" data-csp=\"trusted-types foo bar; require-trusted-types-for 'script'\"\u003e\u003c/script\u003e\n\u003cscript\u003e\n    trustedTypes.createPolicy('foo', ...);\n    trustedTypes.createPolicy('unknown', ...); // throws\n    document.body.innerHTML = 'foo'; // throws\n\u003c/script\u003e\n```\n\n### NodeJS\n\nPolyfill is published as an npm package [trusted-types](https://www.npmjs.com/package/trusted-types):\n\n```sh\n$ npm install trusted-types\n```\n\nThe polyfill supports both CommonJS and ES Modules.\n\n```javascript\nconst tt = require('trusted-types'); // or import { trustedTypes } from 'trusted-types'\ntt.createPolicy(...);\n```\n\n### Tinyfill\n\nDue to the way the API is designed, it's possible to polyfill the most important\nAPI surface (`trustedTypes.createPolicy` function) with the following snippet:\n\n```javascript\nif(typeof trustedTypes == 'undefined')trustedTypes={createPolicy:(n, rules) =\u003e rules};\n```\n\nIt does not enable the enforcement, but allows the creation of policies that\nreturn string values instead of Trusted Types in non-supporting browsers. Since\nthe injection sinks in those browsers accept strings, the values will be accepted\nunless the policy throws an error. 
This tinyfill code allows most applications\nto work in both Trusted-Type-enforcing and legacy environments.\n\n## Building\n\nTo build the polyfill yourself (Java required):\n\n```sh\n$ git clone https://github.com/w3c/webappsec-trusted-types/\n$ cd webappsec-trusted-types\n$ npm install\n$ npm run build\n```\n\n## Demo\nTo see the polyfill in action, visit the [demo page](https://w3c.github.io/trusted-types/demo/).\n\n## Testing\nIt can be tested by running:\n```sh\n$ npm test\n```\nThe polyfill can also be run against the [web platform test suite](https://github.com/w3c/web-platform-tests), but that requires small patches to the suite - see [tests/platform-tests/platform-tests-runner.sh](tests/platform-tests/platform-tests-runner.sh).\n\nCross-browser testing provided by BrowserStack.\n\n\u003ca href=\"https://www.browserstack.com\"\u003e\n  \u003cimg height=\"70\" src=\"assets/browserstack-logo.svg\" alt=\"BrowserStack\"\u003e\n\u003c/a\u003e\n\n# Contributing\n\nSee [CONTRIBUTING](CONTRIBUTING.md).\n\n# Questions?\n\nOur [wiki](https://github.com/w3c/trusted-types/wiki) or the [specification](https://w3c.github.io/trusted-types/dist/spec/) may already contain an answer\nto your question. If not, please [contact us](https://github.com/w3c/trusted-types/wiki/Contact)!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fw3c%2Fwebappsec-trusted-types","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fw3c%2Fwebappsec-trusted-types","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fw3c%2Fwebappsec-trusted-types/lists"}