<html>
<head>
<title>Trusted Type API Example</title>
<!-- Enabling Trusted Types -->
<meta http-equiv=
"Content-Security-Policy"
content=
"require-trusted-types-for 'script';
trusted-types render-policy"
>
</head>
<body>
<h1>GeeksForGeeks | Trusted Type Example</h1>
<label>The (malicious) data to render:</label> <br>
<textarea id=
"data"
cols=
"50"
rows=
"4"
></textarea> <br><br>
<!-- This button will Not allow textarea Data to
render because it tries to render it without
using trusted type policy -->
<button onclick=
"UnTrusted()"
>
Render UnTrusted Data</button>
<!-- This button will allow textarea data
as it tries to render it by usin
g trusted type policy -->
<button onclick=
"Trusted()"
>
Render Trusted Types Data</button>
<div id=
"result"
></div>
<script>
const initialData = `GeeksForGeeks (it is allowed by trusted
type policy)<img src=
"none"
onerror=
"alert('This data will become code')"
>`;
document.getElementById(
"data"
).value = initialData;
function
UnTrusted() {
let data = document.getElementById(
"data"
).value;
let div = document.getElementById(
"result"
);
div.innerHTML = data;
}
function
Trusted() {
const renderPolicy = trustedTypes
.createPolicy(
'render-policy'
, {
createHTML: (input) => input,
});
let data = document.getElementById(
"data"
).value;
let div = document.getElementById(
"result"
);
div.innerHTML = renderPolicy.createHTML(data);
}
</script>
</body>
</html>