W3cubDocs

/Web APIs

TrustedHTML

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Note: This feature is available in Web Workers.

The TrustedHTML interface of the Trusted Types API represents a string that a developer can insert into an injection sink that will render it as HTML. These objects are created via TrustedTypePolicy.createHTML() and therefore have no constructor.

The value of a TrustedHTML object is set when the object is created and cannot be changed by JavaScript as there is no setter exposed.

Instance methods

TrustedHTML.toJSON()

Returns a JSON representation of the stored data.

TrustedHTML.toString()

A string containing the sanitized HTML.

Examples

In the below example we create a policy that will create TrustedHTML objects using TrustedTypePolicyFactory.createPolicy(). We can then use TrustedTypePolicy.createHTML() to create a sanitized HTML string to be inserted into the document.

The sanitized value can then be used with Element.innerHTML to ensure that no new HTML elements can be injected.

<div id="myDiv"></div>

const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
  createHTML: (string) => string.replace(/</g, "&lt;"),
});

let el = document.getElementById("myDiv");
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
console.log(escaped instanceof TrustedHTML); // true
el.innerHTML = escaped;

Specifications

Specification
Trusted Types>
# trusted-html>

Browser compatibility

Desktop Mobile
Chrome Edge Firefox Opera Safari Chrome Android Firefox for Android Opera Android Safari on IOS Samsung Internet WebView Android WebView on iOS
TrustedHTML 83 83 No 69 26 83 No 59 26 13.0 83 26
toJSON 90 90 No 76 26 90 No 64 26 15.0 90 26
toString 83 83 No 69 26 83 No 59 26 13.0 83 26

See also

© 2005–2025 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/API/TrustedHTML