From c59a7e0f71a494541a7ef1a2f0f97710762608fb Mon Sep 17 00:00:00 2001
From: Ty Mick
Date: Thu, 28 May 2020 13:31:57 -0400
Subject: [PATCH] Add trusted types policy
---
 packages/next/client/page-loader.js | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/packages/next/client/page-loader.js b/packages/next/client/page-loader.js
index aef09e8b3cb19..165123d3851a0 100644
--- a/packages/next/client/page-loader.js
+++ b/packages/next/client/page-loader.js
@@ -5,6 +5,19 @@ import { getRouteMatcher } from './../next-server/lib/router/utils/route-matcher
 import { getRouteRegex } from './../next-server/lib/router/utils/route-regex'
 import { delBasePath } from './../next-server/lib/router/router'
+let trustedTypesPolicy = undefined
+if (window?.trustedTypes?.createPolicy) {
+ trustedTypesPolicy = window.trustedTypes.createPolicy('next-trusted-types', {
+ // Needs security review regarding DOM XSS
+ createHTML(dirty) {
+ return dirty.replace(/ { const error = new Error(`Error loading script ${url}`) error.code = 'PAGE_LOAD_ERROR'
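Review bot: The policy is created at module top level with no error handling, so `window.trustedTypes.createPolicy('next-trusted-types', …)` throws a TypeError and aborts the page loader on any site whose enforced CSP `trusted-types` directive does not list this name, or where the name is registered twice without `'allow-duplicates'`. Wrapping the call in `try { … } catch (e) { trustedTypesPolicy = undefined }` and documenting the policy name would let operators allowlist it without breaking page loads. The guard `window?.trustedTypes?.createPolicy` also does not cover an undeclared `window`, because optional chaining still raises a ReferenceError there; `typeof window !== 'undefined' && window.trustedTypes?.createPolicy` is safer if this module can be evaluated outside a browser. The body of `createHTML` is cut off in this view, so its escaping cannot be assessed here; the in-code comment already marks it for review, and if the loader only needs script URLs the policy would be tighter with no `createHTML` at all.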