Element.innerHTML - add info trusted types

[hamishwillee]

This updates the following properties to explain how they are used with TrustedTypes:

• Element.innerHTML
• Element.insertAdjacentHTML()

This is in progress:

• Add boilerplate
• Add TT information, including the new exception and tinyfill
• Restructured - this isn't to current templates. Need to move the guid-ish stuff either down as examples or up into description

This does not mention the sanitizer methods as alternatives since the setHTML() is not implemented anywhere, and the sanitizer in setHTMLUnsafe() is not yet implemented. We're in separate discussion on those and when they are in a release we can revisit.

Part of #37518 (tracking issue)

[hamishwillee]

This is interesting I guess. But it doesn't actually matter. If it did/does it should be in the description part.

[github-actions]

Preview URLs

• /en-US/docs/Web/API/Element/innerHTML
• /en-US/docs/Web/API/Element/insertAdjacentHTML

External URLs (3)

URL: /en-US/docs/Web/API/Element/innerHTML
Title: Element: innerHTML property

• https://github.com/cure53/DOMPurify (1 time) (Note! This may be a new URL 👀)
• https://research.securitum.com/dompurify-bypass-using-mxss/ (1 time) (Note! This may be a new URL 👀)

---

URL: /en-US/docs/Web/API/Element/insertAdjacentHTML
Title: Element: insertAdjacentHTML() method

• https://hacks.mozilla.org/2011/11/insertadjacenthtml-enables-faster-html-snippet-injection/ (1 time) (Note! This may be a new URL 👀)

(comment last updated: 2025-07-21 07:07:10)

[hamishwillee]

FYI @lukewarlow @wbamberg - this is the trusted types update for Element.innerHTML. Luke, I've taken on board your comments about sanitizer not yet being implemented. I still mention the setHTMLUnsafe() because it allows set with shadow roots, but not as alternatives with sanitization. It should however be possible to graft that information on here quite easily.

All the examples use trustedHTML. This also shows the first live example use of the tinyfill in the docs. This is duplication with the main docs, but it feels very practical to me given the current state of trustedtypes.

[hamishwillee]

Decided to hide the tinyfill in this case. Do you think it should be here. Or perhaps a note "if trusted types not supported you should add a tinyfill".

[wbamberg]

Just comments on innerHTML for now.

[wbamberg]

I think it might help some of the other discussion to be clearer about the types that this property can accept. As it stands, especially the "Setting the value" para starts with what it does, not what types it accepts, which turns out to be important of course for when we want to talk about trusted types.

Maybe something like:

Suggested change

	Getting the property returns a string containing the HTML serialization of the element's descendants.
	Setting the value of `innerHTML` removes all of the element's descendants and replaces them with nodes constructed by parsing the HTML given in the assigned {{domxref("TrustedHTML")}} or string.
	Getting the property returns a string containing the HTML serialization of the element's descendants.
	Setting the property accepts either a {{domxref("TrustedHTML")}} object or a string. It parses this value as HTML and replaces all the element's descendants with the result.

[wbamberg]

Maybe better in the security section, where it is mentioned? Anyway, seems a poor fit for "Value".

[wbamberg]

Also doesn't seem a good fit for "Value", and is already covered in "Description".

[wbamberg]

Because this is about a very distinct aspect of innerHTML, I would have these two paragraphs under an H3 like "Shadow DOM considerations" or something, and move it after the para about "Note that some browsers...".

You might also consider moving "Note that some browsers..." into "Security considerations", maybe.

[wbamberg]

This is unclear. Which of the following sections demonstrate this? As a reader I want a direct link to a concrete example of this.

[wbamberg]

Suggested change

	Next create a {{domxref("TrustedTypePolicy")}} that defines a {{domxref("TrustedTypePolicy/createHTML", "createHTML()")}} for transforming an input string into {{domxref("TrustedHTML")}} instances.
	Next we create a {{domxref("TrustedTypePolicy")}} that defines a {{domxref("TrustedTypePolicy/createHTML", "createHTML()")}} for transforming an input string into {{domxref("TrustedHTML")}} instances.

Very pedantic, but this started "first we" so perhaps "next we" afterwards? Just "next" implicitly changes it from first-person to second.

[wbamberg]

Suggested change

	Then use this `policy` object to create a `TrustedHTML` object from the potentially unsafe input string, and assign the result to the element:
	Then we use this `policy` object to create a `TrustedHTML` object from the potentially unsafe input string, and assign the result to the element:

[wbamberg]

Is this supposed to be assigning to textContent?

[wbamberg]

I'm not sure we should encourage this. AIUI, if we don't enforce the use of trusted types, we lose a lot of the protection they offer (because you don't know any more whether somewhere in your codebase you might be unsafe).

So I would omit this.

[wbamberg]

Is this example worth keeping? Is this a pattern we want to encourage, versus explicitly creating the DOM elements to put in the log?

and I also wonder, is it a good idea to recommend people to define a no-op TT policy? To what extent does that open up a hole in the whole thing?