Update: Cross Site Scripting Prevention Cheat Sheet (XSS) - Add Trusted Types #1891

@rugk

Description

What is missing or needs to be updated?

Trusted Types seem to be a modern way/approach to finally getting rid of such XSS vulnerabilities and preventing them.
It's not mentioned (yet) at all in the cheat sheet.

I'd point to that doc about how it works etc., but one can:

  • enforce it in a browser that will throw TypeErrors for potentially insecure operations, then refactor accordingly
  • there is a polyfill, including a tiny (more or less NOOP) one; however, the refactoring to this API itself provides the needed protection:

    This is because the enforcement forces you to refactor your code to ensure that all data is passed through the Trusted Types API (and therefore has been through a sanitization function) before being passed to an injection sink.

So it seems actionable now, even when support has not (yet) fully rolled out.

More details also here: https://github.com/w3c/trusted-types/tree/main

How should this be resolved?

Suggest to use Trusted Types where possible. My ideas:

  1. Suggest to enforce it for a test.
  2. Then refactor the code according to the trusted types, so they work.
  3. Suggest an appropriate polyfill for production (until browser support is not mainstream enough). I am myself not sure which one, but maybe even the TinyPolyfill would be enough? The main aspect is the refactoring, after all?
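As an added illustration of the enforce-then-refactor flow described in this issue (example code, not from the issue author or the cheat sheet): a Trusted Types policy that routes every `innerHTML` write through an escaping function, with the matching CSP directives in a comment. The `ttFallback` object is an assumed stand-in for a tiny polyfill so the same code runs where `trustedTypes` is absent; the policy name `escape-only` is made up for this example.

```javascript
// Matching CSP to deploy alongside. Start report-only, then enforce:
//   Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; trusted-types escape-only
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-only
// Once enforced, the browser throws a TypeError for any string assigned to
// innerHTML (or another DOM injection sink) that did not come from the policy.

// Assumed tiny fallback (stand-in for a minimal polyfill): createPolicy simply
// wires the policy's rules to plain strings. Protection then comes purely from
// the refactoring, because every sink write still passes through the sanitizer.
const ttFallback = {
  createPolicy: (name, rules) => ({
    name,
    createHTML: (input) => rules.createHTML(String(input)),
  }),
};
const tt = globalThis.trustedTypes ?? ttFallback;

// Escape the characters that can break out of an HTML text context.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// The policy name must match the CSP's trusted-types directive; the CSP
// refuses to create any other policy, so all sanitization is centralized here.
const escapePolicy = tt.createPolicy('escape-only', {
  createHTML: (input) => escapeHtml(input),
});

// Sink wrapper: the only place in the code base that writes innerHTML.
function setHtml(element, untrusted) {
  element.innerHTML = escapePolicy.createHTML(untrusted);
  return element.innerHTML;
}

// Demo on a constructed element-like object so this runs without a DOM.
function demo() {
  const el = { innerHTML: '' };
  return setHtml(el, '<img src=x onerror=alert(1)>');
}
```

In a browser with enforcement on, a direct `el.innerHTML = someString` anywhere else in the code base throws, which is how the "enforce for a test, then refactor" step surfaces every remaining sink.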

Labels

  • ACK_OBTAINED: Issue acknowledged from core team so work can be done to fix it.
  • HELP_WANTED: Issue for which help is wanted to do the job.
  • NEW_CS: Issue about the creation of a new cheat sheet.
  • UPDATE_CS: Issue about the update/refactoring of an existing cheat sheet.