@hamishwillee hamishwillee commented Dec 5, 2025

The value argument for Element.setAttribute() and Element.setAttributeNS() can be a source for XSS attacks for some properties.

This updates the docs for trusted types. Most of the update is in setAttribute() which has the header and a security considerations section. It also adds an example for trusted types. The setAttributeNS() version has the same header but that links to the Non-NS version of security considerations. I also linked in the example section to the other method's TT example.

Related docs work can be tracked in #41507

@hamishwillee hamishwillee requested a review from a team as a code owner December 5, 2025 05:23
@hamishwillee hamishwillee requested review from sideshowbarker and removed request for a team December 5, 2025 05:23
@github-actions github-actions bot added Content:WebAPI Web API docs size/m [PR only] 51-500 LoC changed labels Dec 5, 2025

github-actions bot commented Dec 5, 2025

Preview URLs

Flaws (1)

Note! 1 document with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/API/Element/setAttributeNS
Title: Element: setAttributeNS() method
Flaw count: 1

  • unknown:
    • must be provided
External URLs (2)

URL: /en-US/docs/Web/API/Element/setAttribute
Title: Element: setAttribute() method


In the following example, `setAttribute()` is used to set attributes on a
{{HTMLElement("button")}}.
### Setting safe attributes

This is a "non-trusted-types" update to improve the example. The old version updated the name and disabled attributes of a button, and displayed the button - you then had to inspect the button to see that the name attribute had changed.

I updated this to display the name attribute on the button so you don't have to inspect to see the name changed. Further, I added a toggle button so that you can see how you change the disabled property. This made it more clear to me that you can't set the disabled attribute to remove it - you must call removeAttribute. That was not obvious to me.
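The two points raised in this PR, the boolean `disabled` attribute that can only be cleared with `removeAttribute()` and the `setAttribute()` value argument acting as a Trusted Types sink for some attributes, as an added example that is not part of the MDN page or this PR. It works on anything exposing the Element attribute methods; the `fakeElement` stand-in and the factory object are constructed so it runs without a DOM, and `trustedTypes.getAttributeType()` is the real browser API it defers to when present.

```javascript
// Added example (not from the MDN docs or this PR). Demonstrates:
//  1. a boolean attribute such as `disabled` is "on" while it is present,
//     whatever its value, so the only way to clear it is removeAttribute();
//  2. guarding setAttribute() calls on attributes that Trusted Types treats
//     as XSS sinks (e.g. inline event handlers) by refusing plain strings.

// Toggle `disabled`; returns the new state (true = attribute present).
function toggleDisabled(el) {
  if (el.hasAttribute("disabled")) {
    el.removeAttribute("disabled"); // setAttribute("disabled", "false") would NOT do this
  } else {
    el.setAttribute("disabled", ""); // any value, even "", means disabled
  }
  return el.hasAttribute("disabled");
}

// Ask the Trusted Types factory (browser global `trustedTypes`; assumed absent
// outside a browser) whether this attribute is a sink. getAttributeType()
// returns e.g. "TrustedScript" for a sink and null otherwise. For a sink we
// reject raw strings so the value must already be a trusted-type object.
function setAttributeGuarded(el, name, value, factory = globalThis.trustedTypes) {
  const required = factory ? factory.getAttributeType(el.localName, name) : null;
  if (required !== null && typeof value === "string") {
    throw new TypeError(`<${el.localName}> ${name} requires ${required}, got a string`);
  }
  el.setAttribute(name, value);
  return el.getAttribute(name);
}

// Constructed stand-in for an Element: just enough of the attribute API for
// this example to run offline (in a browser, use a real element instead).
function fakeElement(localName) {
  const attrs = new Map();
  return {
    localName,
    hasAttribute: (n) => attrs.has(n),
    getAttribute: (n) => (attrs.has(n) ? attrs.get(n) : null),
    setAttribute: (n, v) => { attrs.set(n, String(v)); },
    removeAttribute: (n) => { attrs.delete(n); },
  };
}
```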
