Use TrustedTypes when setting `innerHTML`
nolanlawson opened this issue · 0 comments
nolanlawson commented
We set innerHTML here:
emoji-picker-element/src/picker/components/Picker/utils.js, lines 15 to 16 in ddb6aa3
This string is inherently safe because it's authored in this codebase and does not include any user-supplied data. However, if a server has a Trusted Types CSP policy, it would throw an error here.
One strategy Lit uses is to set their own custom TrustedTypes policy: lit/lit#1772
I'm a little hesitant to do this though until the API gains wider browser adoption. It's been Chromium-only for years, and the standards positions from WebKit/Firefox seem inconclusive: WebKit/standards-positions#186 mozilla/standards-positions#20
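The Lit-style strategy mentioned above, as an added example that is not part of this issue or of emoji-picker-element: an identity Trusted Types policy used only for HTML authored in the codebase, with a fallback to the plain string where the API is missing or the policy name is blocked by CSP. The policy name `emoji-picker-element` and the `fakeTrustedTypes` shim used to run it offline are assumptions.

```javascript
// Added example (not emoji-picker-element's code): wrap a static, codebase-authored
// HTML string in a Trusted Types policy so the innerHTML assignment keeps working
// under a `require-trusted-types-for 'script'` CSP, and fall back to the plain
// string where the API does not exist (Firefox/WebKit at the time of the issue, Node).
//
// Assumed policy name; a `trusted-types` CSP directive, if present, must allow it.
const POLICY_NAME = 'emoji-picker-element'

// Identity policy: it does NOT sanitize, so only pass strings authored in this
// codebase to it, never user-supplied data.
function createPolicy(tt = globalThis.trustedTypes) {
  if (!tt || typeof tt.createPolicy !== 'function') {
    return null // Trusted Types unsupported: plain strings are accepted by innerHTML
  }
  try {
    return tt.createPolicy(POLICY_NAME, { createHTML: (s) => s })
  } catch (err) {
    // Thrown when the CSP `trusted-types` directive does not allow this name
    // or a policy of the same name was already created.
    return null
  }
}

// Value to assign to innerHTML: a TrustedHTML object when a policy exists,
// otherwise the original string.
function toTrustedHTML(staticHtml, policy) {
  return policy ? policy.createHTML(staticHtml) : staticHtml
}

function setStaticInnerHTML(el, staticHtml, policy = createPolicy()) {
  el.innerHTML = toTrustedHTML(staticHtml, policy)
  return el.innerHTML
}

// Constructed stand-in for Chromium's `trustedTypes` global so this runs offline:
// enforces an allow-list of policy names and returns wrapped TrustedHTML-like values.
function fakeTrustedTypes(allowedNames) {
  const created = new Set()
  return {
    createPolicy(name, rules) {
      if (!allowedNames.includes(name) || created.has(name)) {
        throw new TypeError(`Policy "${name}" disallowed by CSP or duplicated`)
      }
      created.add(name)
      return {
        name,
        createHTML: (s) => ({ isTrustedHTML: true, toString: () => rules.createHTML(s) }),
      }
    },
  }
}
```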