no-trusted-types-policy-pass-through
Disallow Trusted Types policies that return unvalidated input unchanged.
Targeted pattern scopeโ
This rule targets trustedTypes.createPolicy(...) calls whose createHTML,
createScript, or createScriptURL callbacks simply return the first input
parameter unchanged.
What this rule reportsโ
This rule reports pass-through Trusted Types policy factories such as
createHTML: (value) => value.
Why this rule existsโ
Trusted Types policies are supposed to narrow unsafe string flows. Pass-through policies defeat that goal by rebranding untrusted input as trusted output without any sanitization or validation.
โ Incorrectโ
trustedTypes.createPolicy("default", {
createHTML: (value) => value,
});
โ Correctโ
trustedTypes.createPolicy("default", {
createHTML: (value) => sanitize(value),
});
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-trusted-types-policy-pass-through": "error",
},
},
];
When not to use itโ
Disable only if your Trusted Types policy wraps a reviewed validation layer that this rule cannot observe and the pass-through shape is intentional.
Package documentationโ
Further readingโ
Rule catalog ID: R052