Implementation
@Input()
set safeInnerHtml(safeInnerHtml) {
if (safeInnerHtml is SafeHtml) {
_element.setInnerHtml(
safeInnerHtml.changingThisWillBypassSecurityTrust,
treeSanitizer: NodeTreeSanitizer.trusted,
);
} else if (safeInnerHtml == null) {
_element.setInnerHtml('');
} else {
// A regular string is not allowed since a security audit needs to be able
// to search for SafeHtml and identify all locations where we are
// bypassing sanitization. This also enforces SafeHtml usage at the
// origin instead of passing a primitive string through layers
// of code which could introduce mutations making security auditing
// hard.
throw UnsupportedError('SafeHtml required (got $safeInnerHtml)');
}
}
