TrustedHTML - Web APIs

TrustedHTML - Web APIs | MDN

Instance methods

TrustedHTML.toJSON(): Returns a JSON representation of the stored data.
TrustedHTML.toString(): A string containing the sanitized HTML.

In the below example we create a policy that will create TrustedHTML objects using TrustedTypePolicyFactory.createPolicy(). We can then use TrustedTypePolicy.createHTML() to create a sanitized HTML string to be inserted into the document.

The sanitized value can then be used with Element.innerHTML to ensure that no new HTML elements can be injected.

html

<div id="myDiv"></div>

const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
  createHTML: (string) => string.replace(/</g, "&lt;"),
});

let el = document.getElementById("myDiv");
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
console.log(escaped instanceof TrustedHTML); // true
el.innerHTML = escaped;

Specifications

Specification
Trusted Types # trusted-html

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on Mar 10, 2025 by MDN contributors.

Instance methods

Examples

Specifications

Browser compatibility

See also

Help improve MDN