If you're writing a template for a view, use
This method flags a string as trusted HTML. Trusted HTML is rendered as markup rather than escaped, so by calling it you take responsibility either for sanitizing the markup contained in the string, or for acknowledging that the string is authorized to run any code that may be contained within it.
Note that browsers ignore <script> tags that have been inserted into the DOM via innerHTML. They do this because once the element is ready (and thus has an accessible innerHTML property), their rendering engines cannot backtrack to the parsing stage if the script calls something like

For this reason, m.trust will not auto-run <script> tags from trusted strings.
Browsers do, however, allow scripts to be run asynchronously via a number of execution points, such as the onerror attributes in <style> tags and

It's worth noting that the execution points listed above are commonly used for security attacks in combination with malformed markup, e.g. strings with mismatched attribute quotes like
Mithril templates are defended against these attacks by default, except when markup is injected via m.trust. It is the developer's responsibility to ensure the input to m.trust cannot be maliciously modified by user-entered data. Any escaping or sanitizing has to happen before the string is passed to m.trust: once the string is flagged, nothing in Mithril inspects its contents.
```javascript
// assume this content comes from the server
var content = "<h1>Error: invalid user</h1>";

m.render("body", [
	m("div", m.trust(content))
]);
```

The rendered result:

```html
<body>
	<div>
		<h1>Error: invalid user</h1>
	</div>
</body>
```
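The responsibility described above, together with the trust-flag note in the signature section below, as an added example that is not part of the Mithril documentation or the Mithril code base. It runs stand-alone in Node: `trust` is a stand-in written for this example so it works outside a browser and is not Mithril's implementation; `escapeHtml`, the `build*` helpers, the `PAYLOAD` strings and the `trusted` property are all constructed for the demo. The server snippet above is extended so that part of the message comes from a user-supplied name, which is exactly the situation the text warns about.

```javascript
// Added example (not Mithril code): building a string that is safe to hand
// to m.trust when part of it comes from user input.

// Escape the five characters that let text break out of HTML text or
// attribute-value context. Quotes are included because the mismatched-quote
// attacks described in the text rely on them.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for m.trust, for the demo only: a String object carrying a flag.
// Mithril's real flag is internal; never create or edit it by hand.
function trust(html) {
  const s = new String(html);
  s.trusted = true; // demo-only flag, not Mithril's
  return s;
}

// Constructed attacker inputs.
const PAYLOAD = "<img src=x onerror=alert(1)>";      // event handler, not <script>
const QUOTE_PAYLOAD = 'x" onmouseover="alert(1)';   // closes the attribute early

// VULNERABLE: the user-controlled name is spliced straight into markup that
// will be passed to m.trust. A <script> tag would be ignored once inserted via
// innerHTML, but the onerror handler on a broken <img> still fires.
function buildErrorMarkupUnsafe(username) {
  return "<h1>Error: invalid user " + username + "</h1>";
}

// SAFE: only the developer-written tags are left unescaped. The user part is
// escaped before interpolation, so it can only ever render as text.
function buildErrorMarkupSafe(username) {
  return "<h1>Error: invalid user " + escapeHtml(username) + "</h1>";
}

// VULNERABLE attribute context: a stray quote in the name adds a new attribute.
function buildUserLinkUnsafe(username) {
  return '<a title="' + username + '">profile</a>';
}

// SAFE attribute context: the quote becomes &quot; and stays inside the value.
// Escaping is enough for text and quoted attribute values only; never place
// user data into href/src URLs or on* handlers, escaped or not.
function buildUserLinkSafe(username) {
  return '<a title="' + escapeHtml(username) + '">profile</a>';
}

// Concatenating or splitting a trusted string yields a plain primitive and
// drops the flag, so assemble the full markup first and trust it exactly once.
function renderErrorSafe(username) {
  return trust(buildErrorMarkupSafe(username));
}

// Usage: compare what each variant would hand to m.trust.
console.log("unsafe :", buildErrorMarkupUnsafe(PAYLOAD));
console.log("safe   :", buildErrorMarkupSafe(PAYLOAD));
console.log("unsafe :", buildUserLinkUnsafe(QUOTE_PAYLOAD));
console.log("safe   :", buildUserLinkSafe(QUOTE_PAYLOAD));
console.log("flag kept after trust():", renderErrorSafe(PAYLOAD).trusted);
console.log("flag after concatenation:", (renderErrorSafe(PAYLOAD) + "").trusted);
```

In a Mithril view the safe variant is `m("div", m.trust(buildErrorMarkupSafe(name)))`; the point is that escaping is applied to the untrusted fragment before the whole string is flagged, not to the trusted string afterwards.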
```
String trust(String html)
```

- String html: a string containing HTML markup
- returns String trustedHtml: the returned string is a String object instance (as opposed to a string primitive) containing the same HTML content and exposing a flag property for internal use within Mithril. Do not create or manipulate trust flags manually.

Also note that concatenating or splitting a trusted string (for example with +, slice or split) produces an ordinary string primitive and so removes the trust flag. If you do such operations, the final string needs to be flagged as trusted again with m.trust.