Skip to content

Commit

Permalink
use trusted types where possible (#1011)
Browse files Browse the repository at this point in the history
* use trusted types where possible

* linting

* add support for trusted types

* remove from module scope

---------

Co-authored-by: Shane Osbourne <sosbourne@duckduckgo.com>
  • Loading branch information
shakyShane and Shane Osbourne authored Aug 6, 2024
1 parent 4ffda90 commit 607d175
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 4 deletions.
13 changes: 13 additions & 0 deletions src/dom-utils.js
Original file line number Diff line number Diff line change
Expand Up @@ -81,3 +81,16 @@ function decodeHtml (html) {
txt.innerHTML = html
return txt.value
}

/**
* Use a policy if trustedTypes is available
* @return {{createHTML: (s: string) => any}}
*/
export function createPolicy () {
if (globalThis.trustedTypes) {
return globalThis.trustedTypes?.createPolicy?.('ddg-default', { createHTML: (s) => s })
}
return {
createHTML: (s) => s
}
}
9 changes: 7 additions & 2 deletions src/features/duckplayer/components/ddg-video-overlay.js
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,15 @@ import dax from '../assets/dax.svg'
import { overlayCopyVariants } from '../text.js'
import { appendImageAsBackground } from '../util.js'
import { VideoOverlay } from '../video-overlay.js'
import { html, trustedUnsafe } from '../../../dom-utils.js'
import { createPolicy, html, trustedUnsafe } from '../../../dom-utils.js'

/**
* The custom element that we use to present our UI elements
* over the YouTube player
*/
export class DDGVideoOverlay extends HTMLElement {
policy = createPolicy()

static CUSTOM_TAG_NAME = 'ddg-video-overlay'
/**
* @param {object} options
Expand Down Expand Up @@ -60,7 +62,7 @@ export class DDGVideoOverlay extends HTMLElement {
const overlayElement = document.createElement('div')
overlayElement.classList.add('ddg-video-player-overlay')
const svgIcon = trustedUnsafe(dax)
overlayElement.innerHTML = html`
const safeString = html`
<div class="ddg-vpo-bg"></div>
<div class="ddg-vpo-content">
<div class="ddg-eyeball">${svgIcon}</div>
Expand All @@ -79,6 +81,9 @@ export class DDGVideoOverlay extends HTMLElement {
</div>
</div>
`.toString()

overlayElement.innerHTML = this.policy.createHTML(safeString)

/**
* Set the link
* @type {string}
Expand Down
7 changes: 5 additions & 2 deletions src/features/duckplayer/icon-overlay.js
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,11 @@ import css from './assets/styles.css'
import { SideEffects, VideoParams } from './util.js'
import dax from './assets/dax.svg'
import { i18n } from './text.js'
import { html, trustedUnsafe } from '../../dom-utils.js'
import { createPolicy, html, trustedUnsafe } from '../../dom-utils.js'

export class IconOverlay {
sideEffects = new SideEffects()
policy = createPolicy()

/** @type {HTMLElement | null} */
element = null
Expand Down Expand Up @@ -36,7 +37,7 @@ export class IconOverlay {
overlayElement.setAttribute('class', 'ddg-overlay' + (extraClass ? ' ' + extraClass : ''))
overlayElement.setAttribute('data-size', size)
const svgIcon = trustedUnsafe(dax)
overlayElement.innerHTML = html`
const safeString = html`
<a class="ddg-play-privately" href="#">
<div class="ddg-dax">
${svgIcon}
Expand All @@ -48,6 +49,8 @@ export class IconOverlay {
</div>
</a>`.toString()

overlayElement.innerHTML = this.policy.createHTML(safeString)

overlayElement.querySelector('a.ddg-play-privately')?.setAttribute('href', href)
return overlayElement
}
Expand Down

0 comments on commit 607d175

Please sign in to comment.