feat: support TrustedHTML in {@html} expressions #17701

Merged

Rich-Harris merged 1 commit into main from html-trusted-types on Feb 18, 2026

Conversation

Rich-Harris (Member) commented Feb 13, 2026

Follow-up to #16271.

Summary

  • Allow `{@html}` blocks to accept `TrustedHTML` objects (from Trusted Types policies) without coercing them to strings
  • This enables usage like `{@html myPolicy.createHTML(someHTML)}`
  • Works in regular HTML, SVG, and MathML contexts

Changes

  • `html.js`: Instead of calling `create_fragment_from_html`, create the wrapper element directly (`<template>`, `<svg>`, or `<math>` depending on context) and assign the value to `innerHTML`. This preserves `TrustedHTML` objects.
  • `reconciler.js`: Removed the `trusted` parameter from `create_fragment_from_html` since it's no longer used by `{@html}` and all remaining callers want trusted HTML.
  • `template.js` and `snippet.js`: Removed the second argument from `create_fragment_from_html` calls.

Notes

No tests added because JSDOM doesn't implement TrustedTypes.
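To show why handing the object through matters, here is an added example (not code from the Svelte repository) that simulates Trusted Types enforcement in Node: a private symbol stands in for the real `TrustedHTML` brand, and a coercing and a preserving `{@html}` implementation are run against an enforcing `innerHTML` sink.

```javascript
// Added illustration (not Svelte's code): a Node stand-in for the browser's
// Trusted Types enforcement (CSP `require-trusted-types-for 'script'`).
const BRAND = Symbol('TrustedHTML');

// Stand-in for trustedTypes.createPolicy(name, { createHTML }).
function createPolicy(name, rules) {
  return {
    name,
    createHTML(input) {
      const html = rules.createHTML(String(input));
      // Like a real TrustedHTML, the object stringifies to its markup.
      return { [BRAND]: true, toString: () => html };
    },
  };
}

// Stand-in for an enforced innerHTML sink: branded objects pass, strings throw.
function setInnerHTML(element, value) {
  if (value === null || typeof value !== 'object' || value[BRAND] !== true) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  element.innerHTML = String(value);
}

// Before #17701: the value was coerced to a string on its way to the sink,
// so the TrustedHTML brand was lost and enforcement rejected it.
function htmlBlockCoercing(element, value) {
  setInnerHTML(element, '' + value);
}

// After #17701: the value is assigned to innerHTML as-is, brand intact.
function htmlBlockPreserving(element, value) {
  setInnerHTML(element, value);
}

// Constructed sample policy: strips <script> elements before trusting markup.
const policy = createPolicy('demo', {
  createHTML: (s) => s.replace(/<script\b[\s\S]*?<\/script>/gi, ''),
});

// Runs one {@html} implementation on a constructed value; reports the outcome.
function demo(render) {
  const el = { innerHTML: '' };
  try {
    render(el, policy.createHTML('<b>hi</b><script>x()</script>'));
    return { ok: true, html: el.innerHTML };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

In a real browser with `require-trusted-types-for 'script'` enforced the outcome is the same: `'' + value` yields a plain string that the `innerHTML` sink rejects with a TypeError, while the `TrustedHTML` object assigned directly is accepted.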

changeset-bot commented Feb 13, 2026

🦋 Changeset detected

Latest commit: 981156b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

| Name   | Type  |
|--------|-------|
| svelte | Minor |

github-actions bot (Contributor) commented

Playground

```sh
pnpm add https://pkg.pr.new/svelte@17701
```

7nik (Contributor) commented Feb 13, 2026

Btw, I believe these lines need trustifying as well:

```js
for (var attribute of script.attributes) {
	clone.setAttribute(attribute.name, attribute.value);
}
clone.textContent = script.textContent;
```

```js
select.innerHTML = '<option><span>t</span></option>';
```

Edit: also, guess fragment_from_tree will fail assembling both inline-script and script with src.

Rich-Harris (Member, Author) commented

Ah yep good catch. Those should probably go in a separate PR since it's separate to the {@html} stuff

dummdidumm (Member) left a review comment

Code looks good. Is this referencing any issue or PR? Description references none.

Rich-Harris (Member, Author) commented

ah yep, is a follow-up to #16271. Have updated the PR description

Rich-Harris (Member, Author) commented

opened #17743 for #17701 (comment). Assigning textContent doesn't require trusted types (at least, AFAICT). It doesn't address the fragment_from_tree stuff, that can happen separately since it affects a different set of users

Rich-Harris merged commit be24b0d into main on Feb 18, 2026; 20 checks passed.
Rich-Harris deleted the html-trusted-types branch on February 18, 2026 at 20:54.
github-actions bot mentioned this pull request on Feb 18, 2026.
Rich-Harris pushed a commit that referenced this pull request on Feb 18, 2026:

This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.


# Releases
## svelte@5.52.0

### Minor Changes

- feat: support TrustedHTML in `{@html}` expressions
([#17701](#17701))

### Patch Changes

- fix: repair dynamic component truthy/falsy hydration mismatches
([#17737](#17737))

- fix: re-run non-render-bound deriveds on the server
([#17674](#17674))

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
dummdidumm pushed a commit that referenced this pull request on Feb 18, 2026.

7nik (Contributor) commented Feb 19, 2026

> Assigning textContent doesn't require trusted types (at least, AFAICT).

Seems it is required in the case of `<script>`.
`HTMLScriptElement.textContent` and `HTMLScriptElement.src` (plus `.setAttribute("src", ...)`) are listed as injection sinks.
Also: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API#indirect_injection_sinks
