Merge pull request #8 from github/fletchto99/fix-trusted-types-for-sc…

…ript-src Fix trusted types for when a script is created from source
github · Mar 21, 2023 · 603b6e0 · 603b6e0
2 parents bcddb3f + 5b9c74b
commit 603b6e0
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 1 deletion.
diff --git a/src/tests/unit/index.ts b/src/tests/unit/index.ts
@@ -1,3 +1,4 @@
 export * from "./export_tests"
 export * from "./deprecated_adapter_support_test"
 export * from "./stream_element_tests"
+export * from "./util_tests"
diff --git a/src/tests/unit/util_tests.ts b/src/tests/unit/util_tests.ts
@@ -0,0 +1,53 @@
+import * as Turbo from "../../index"
+import { DOMTestCase } from "../helpers/dom_test_case"
+import { activateScriptElement } from "../../util"
+
+export class UtilTests extends DOMTestCase {
+  async setup() {
+    Turbo.setCSPTrustedTypesPolicy({
+      createHTML: (_) => "bar",
+      createScript: (_) => "bar",
+      createScriptURL: (_) => "https://bar/",
+    })
+  }
+
+  async teardown() {
+    Turbo.setCSPTrustedTypesPolicy(null)
+  }
+
+  async "test TrustedTypes activates a script with source code"() {
+    const element = document.createElement("script")
+    element.textContent = "foo"
+
+    const activatedElement = activateScriptElement(element)
+    this.assert.equal(activatedElement.textContent, "bar")
+  }
+
+  async "test TyrustedTypes activates a script with source url"() {
+    const element = document.createElement("script")
+    element.src = "https://foo/"
+
+    const activatedElement = activateScriptElement(element)
+    this.assert.equal(activatedElement.src, "https://bar/")
+  }
+
+  async "test activates a script with source code"() {
+    Turbo.setCSPTrustedTypesPolicy(null)
+    const element = document.createElement("script")
+    element.textContent = "foo"
+
+    const activatedElement = activateScriptElement(element)
+    this.assert.equal(activatedElement.textContent, "foo")
+  }
+
+  async "test activates a script with source url"() {
+    Turbo.setCSPTrustedTypesPolicy(null)
+    const element = document.createElement("script")
+    element.src = "https://foo/"
+
+    const activatedElement = activateScriptElement(element)
+    this.assert.equal(activatedElement.src, "https://foo/")
+  }
+}
+
+UtilTests.registerSuite()
diff --git a/src/util.ts b/src/util.ts
@@ -16,7 +16,13 @@ export function activateScriptElement(element: HTMLScriptElement) {
     if (cspNonce) {
       createdScriptElement.nonce = cspNonce
     }
-    createdScriptElement.textContent = element.textContent
+    if (element.textContent !== null) {
+      if (CSPTrustedTypesPolicy !== null) {
+        createdScriptElement.textContent = CSPTrustedTypesPolicy.createScript(element.textContent) as string
+      } else {
+        createdScriptElement.textContent = element.textContent
+      }
+    }
     createdScriptElement.async = false
     copyScriptAttributes(createdScriptElement, element)
     return createdScriptElement