Skip to main content

no-trusted-types-policy-pass-through

Disallow Trusted Types policies that return unvalidated input unchanged.

Targeted pattern scopeโ€‹

This rule targets trustedTypes.createPolicy(...) calls whose createHTML, createScript, or createScriptURL callbacks simply return the first input parameter unchanged.

What this rule reportsโ€‹

This rule reports pass-through Trusted Types policy factories such as createHTML: (value) => value.

Why this rule existsโ€‹

Trusted Types policies are supposed to narrow unsafe string flows. Pass-through policies defeat that goal by rebranding untrusted input as trusted output without any sanitization or validation.

โŒ Incorrectโ€‹

trustedTypes.createPolicy("default", {
createHTML: (value) => value,
});

โœ… Correctโ€‹

trustedTypes.createPolicy("default", {
createHTML: (value) => sanitize(value),
});

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },

rules: {
"sdl/no-trusted-types-policy-pass-through": "error",
},
},
];

When not to use itโ€‹

Disable only if your Trusted Types policy wraps a reviewed validation layer that this rule cannot observe and the pass-through shape is intentional.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R052