Support sanitization of attributes that require Trusted Types

Author: tosmolka

src/purify.js

@@ -55,6 +55,9 @@ const _createTrustedTypesPolicy = function (trustedTypes, document) {
       createHTML(html) {
         return html;
       },
+      createScriptURL(scriptUrl) {
+        return scriptUrl;
+      },
     });
   } catch (_) {
     // Policy creation failed (most likely another DOMPurify script has
@@ -1202,6 +1205,28 @@ function createDOMPurify(window = getGlobal()) {
         continue;
       }
 
+      /* Handle attributes that require Trusted Types */
+      if (
+        trustedTypesPolicy &&
+        typeof trustedTypes === 'object' &&
+        typeof trustedTypes.getAttributeType === 'function'
+      ) {
+        if (namespaceURI) {
+          /* Namespaces are not yet supported, see https://bugs.chromium.org/p/chromium/issues/detail?id=1305293 */
+        } else {
+          switch (trustedTypes.getAttributeType(lcTag, lcName)) {
+            case 'TrustedHTML':
+              value = trustedTypesPolicy.createHTML(value);
+              break;
+            case 'TrustedScriptURL':
+              value = trustedTypesPolicy.createScriptURL(value);
+              break;
+            default:
+              break;
+          }
+        }
+      }
+
       /* Handle invalid data-* attribute set by try-catching it */
       try {
         if (namespaceURI) {