| CARVIEW |
Select Language
HTTP/2 200
x-content-type-options: nosniff
cache-control: public, max-age=3600
via: 1.1 google, 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish
x-cloud-trace-context: 2b7473b0ae3d78ecd15e990f452df0f4
server: Google Frontend
last-modified: Fri, 26 Dec 2025 01:04:48 GMT
referrer-policy: strict-origin-when-cross-origin
origin-trial: AxVILwizhbMjxFeHOn1P3R8niO1RJY/smaK4B4d1rLzc1gTaxtXMSaTi+FoigYgCw40uFRDwFcEAeqDR+vVLOW4AAABfeyJvcmlnaW4iOiJodHRwczovL2RldmVsb3Blci5tb3ppbGxhLm9yZyIsImZlYXR1cmUiOiJQcml2YXRlQXR0cmlidXRpb25WMiIsImV4cGlyeSI6MTc0MjA3OTYwMH0=
content-type: text/html
etag: "a38627e77da595df573ba3b64c415e10"
strict-transport-security: max-age=63072000
expires: Fri, 26 Dec 2025 04:18:41 GMT
x-goog-meta-goog-reserved-file-mtime: 1766709763
x-goog-storage-class: STANDARD
x-frame-options: DENY
x-goog-metageneration: 1
x-goog-hash: crc32c=6wcvzg==, md5=o4Yn532lld9XO6O2TEFeEA==
x-guploader-uploadid: AHVrFxO_I8fftFh2HbPtHRtozj3bx7K07-v5LDDQP26pX0ads4GlHUxnFcEvWhcaxd-3GkBIP2o3fkQ
x-goog-stored-content-encoding: identity
content-security-policy: default-src 'self'; script-src 'report-sample' 'self' 'wasm-unsafe-eval' https://www.google-analytics.com/analytics.js https://*.googletagmanager.com assets.codepen.io production-assets.codepen.io https://js.stripe.com 'sha256-XNBp89FG76amD8BqrJzyflxOF9PaWPqPqvJfKZPCv7M=' 'sha256-YCNoU9DNiinACbd8n6UPyB/8vj0kXvhkOni9/06SuYw=' 'sha256-PZjP7OR6mBEtnvXIZfCZ5PuOlxoDF1LDZL8aj8c42rw='; script-src-elem 'report-sample' 'self' 'wasm-unsafe-eval' https://www.google-analytics.com/analytics.js https://*.googletagmanager.com assets.codepen.io production-assets.codepen.io https://js.stripe.com 'sha256-XNBp89FG76amD8BqrJzyflxOF9PaWPqPqvJfKZPCv7M=' 'sha256-YCNoU9DNiinACbd8n6UPyB/8vj0kXvhkOni9/06SuYw=' 'sha256-PZjP7OR6mBEtnvXIZfCZ5PuOlxoDF1LDZL8aj8c42rw='; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' developer.allizom.org bcd.developer.allizom.org bcd.developer.mozilla.org updates.developer.allizom.org updates.developer.mozilla.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://incoming.telemetry.mozilla.org https://observatory-api.mdn.allizom.net https://observatory-api.mdn.mozilla.net https://api.github.com/search/issues stats.g.doubleclick.net https://api.stripe.com; font-src 'self'; frame-src 'self' mdn.github.io *.mdnplay.dev *.mdnyalp.dev *.play.test.mdn.allizom.net https://v2.scrimba.com https://scrimba.com jsfiddle.net www.youtube-nocookie.com codepen.io survey.alchemer.com https://js.stripe.com; img-src 'self' data: *.githubusercontent.com *.googleusercontent.com *.gravatar.com mozillausercontent.com firefoxusercontent.com profile.stage.mozaws.net profile.accounts.firefox.com developer.mozilla.org mdn.dev wikipedia.org upload.wikimedia.org https://mdn.github.io/shared-assets/ https://mdn.dev/ https://*.google-analytics.com https://*.googletagmanager.com www.gstatic.com; manifest-src 'self'; media-src 'self' archive.org videos.cdn.mozilla.net https://mdn.github.io/shared-assets/; child-src 'self'; worker-src 'self';
x-goog-generation: 1766711088479372
x-goog-stored-content-length: 139326
content-encoding: gzip
accept-ranges: bytes
age: 0
date: Fri, 26 Dec 2025 04:51:18 GMT
x-served-by: cache-bfi-krnt7300021-BFI, cache-bfi-krnt7300100-BFI, cache-sin-wsat1880096-SIN, cache-bom-vanm7210024-BOM
x-cache: MISS, MISS, HIT, MISS
x-cache-hits: 0, 0, 0, 0
x-timer: S1766724678.598445,VS0,VE440
vary: Accept-Encoding
content-length: 18904
TrustedHTML - Web APIs | MDN
TrustedHTML
Limited availability
This feature is not Baseline because it does not work in some of the most widely-used browsers.
Note: This feature is available in Web Workers.
The TrustedHTML interface of the Trusted Types API represents a string that a developer can insert into an injection sink that will render it as HTML. These objects are created via TrustedTypePolicy.createHTML() and therefore have no constructor.
The value of a TrustedHTML object is set when the object is created and cannot be changed by JavaScript as there is no setter exposed.
Instance methods
TrustedHTML.toJSON()-
Returns a JSON representation of the stored data.
TrustedHTML.toString()-
A string containing the sanitized HTML.
Examples
In the below example we create a policy that will create TrustedHTML objects using TrustedTypePolicyFactory.createPolicy(). We can then use TrustedTypePolicy.createHTML() to create a sanitized HTML string to be inserted into the document.
The sanitized value can then be used with Element.innerHTML to ensure that no new HTML elements can be injected.
html
<div id="myDiv"></div>
js
const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
createHTML: (string) => string.replace(/</g, "<"),
});
let el = document.getElementById("myDiv");
const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");
console.log(escaped instanceof TrustedHTML); // true
el.innerHTML = escaped;
Specifications
| Specification |
|---|
| Trusted Types # trusted-html |