Fix trusted HTML logic and update exports

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.0.3] - 2026-01-05
+
+### Fixed
+- Fix bad logic in the `trustedTypes` / tagged template / `trusted-html.js` implementation
+
 ## [v1.0.2] - 2026-01-05
 
 ### Added

html.js

@@ -1,4 +1,4 @@
-export const HTML_UNSAFE_PATTERN = /[<>"']|&(?![a-zA-Z\d]{2,5};|#\d{1,3};)/g;
+export const HTML_UNSAFE_PATTERN = /[<>"']|&(?![a-zA-Z\d]{2,40};|#\d{1,6};)/g;
 /* eslint no-control-regex: "off" */
 export const ATTR_NAME_UNSAFE_PATTERN = /[\u0000-\u001f\u007f-\u009f\s"'\\/=><&]/g;
 export const HTML_REPLACEMENTS = Object.freeze({

http.config.js

@@ -7,7 +7,7 @@ addScriptSrc(
 	'https://unpkg.com/@shgysk8zer0/',
 );
 
-addTrustedTypePolicy('aegis-sanitizer#html', 'default');
+addTrustedTypePolicy('aegis-sanitizer#html', 'aegis-escape#html');
 
 export default {
 	routes: {

index.js

@@ -1,3 +1,3 @@
-export { HTML_UNSAFE_PATTERN, ATTR_NAME_UNSAFE_PATTERN, HTML_REPLACEMENTS, escapeHTML, escapeAttrName, stringifyAttr } from './html.js';
-export { createPolicy } from './trusted-html.js';
+export { HTML_UNSAFE_PATTERN, ATTR_NAME_UNSAFE_PATTERN, HTML_REPLACEMENTS, escapeHTML, escapeAttrName, stringifyAttr, html } from './html.js';
+export { html as trustedHTML } from './trusted-html.js';
 export { escapeCSS } from './css.js';

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aegisjsproject/escape",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "String escaping utilities for HTML and DOM attributes.",
   "keywords": [
     "security",

trusted-html.js

@@ -1,37 +1,40 @@
 import { escapeHTML } from './html.js';
 
 const SUPPORTS_TRUSTED_TYPES = 'trustedTypes' in globalThis;
-const isTrustedHTML = SUPPORTS_TRUSTED_TYPES ? globalThis.trustedTypes.isHTML : () => false;
+const POLICY_NAME = 'aegis-escape#html';
+const TRUSTED_SYMBOL = Symbol(POLICY_NAME);
 
-function createHTML(strings, ...values) {
+const isTrustedHTML = SUPPORTS_TRUSTED_TYPES
+	? input => globalThis.trustedTypes.isHTML(input)
+	: input => typeof input === 'object' ? Object.hasOwn(input ?? {}, TRUSTED_SYMBOL) : false;
+
+const policy = SUPPORTS_TRUSTED_TYPES
+	? globalThis.trustedTypes.createPolicy(POLICY_NAME, { createHTML: input => input })
+	: Object.freeze({
+		name: POLICY_NAME,
+		createHTML(input) {
+			const obj = {
+				toString() {
+					return input;
+				}
+			};
+
+			Object.defineProperty(obj, TRUSTED_SYMBOL, {
+				value: true,
+				enumerable: false,
+				writable: false,
+			});
+
+			return Object.freeze(obj);
+		}
+	});
+
+export function html(strings, ...values) {
 	if (! Array.isArray(strings) || ! Array.isArray(strings.raw)) {
-		return Array.isArray(strings)
-			? strings.map(escapeHTML).join('')
-			: escapeHTML(strings);
+		return policy.createHTML(Array.isArray(strings)
+			? strings.map(input => isTrustedHTML(input) ? input : escapeHTML(input)).join('')
+			: escapeHTML(strings));
 	} else {
-		return String.raw(strings, ...values.map(val => isTrustedHTML(val) ? val : escapeHTML(val)));
+		return policy.createHTML(String.raw(strings, ...values.map(val => isTrustedHTML(val) ? val : escapeHTML(val))));
 	}
 }
-
-/**
- * Creates a Trusted Types policy (or a compliant fallback) for sanitizing HTML.
- * The returned policy's `createHTML` method is overloaded to handle both direct string arguments
- * and tagged template literals.
- *
- * @param {string} [name="aegis-escape#html"] - The policy name. Must match your CSP `trusted-types` directive.
- * @returns {TrustedTypePolicy} A native Policy object or a frozen fallback matching the interface.
- *
- * @example
- * const policy = createPolicy();
- *
- * // 1. As a regular method:
- * policy.createHTML('<div>Hello</div>');
- *
- * // 2. As a tagged template:
- * policy.createHTML`<div>${userContent}</div>`;
- */
-export function createPolicy(name = 'aegis-escape#html') {
-	return SUPPORTS_TRUSTED_TYPES
-		? globalThis.trustedTypes.createPolicy(name, { createHTML })
-		: Object.freeze({ name, createHTML });
-}

trusted-html.test.js

@@ -1,30 +1,26 @@
 import assert from 'node:assert';
 import { describe, test } from 'node:test';
-import { createPolicy } from './trusted-html.js';
-
-const policy = createPolicy('default');
-const html = policy.createHTML;
+import { html } from './trusted-html.js';
 
 describe('Trusted HTML Policy (Node/Fallback Mode)', () => {
-
 	test('Tag Usage: escapes unsafe values', () => {
 		const unsafe = '<img src=x onerror=alert(1)>';
 		const result = html`<div>${unsafe}</div>`;
 
-		assert.strictEqual(result, '<div>&lt;img src=x onerror=alert(1)&gt;</div>');
+		assert.strictEqual(result.toString(), '<div>&lt;img src=x onerror=alert(1)&gt;</div>');
 	});
 
 	test('Direct Usage: escapes input string', () => {
 		const result = html('<script>alert(1)</script>');
-		assert.strictEqual(result, '&lt;script&gt;alert(1)&lt;/script&gt;');
+		assert.strictEqual(result.toString(), '&lt;script&gt;alert(1)&lt;/script&gt;');
 	});
 
 	test('Array Usage: joins and escapes list items', () => {
 		// Essential to ensure arrays are not stringified with commas
 		const items = ['<br>', '<b>bold</b>'];
 		const result = html`Items: ${items}`;
 
-		assert.strictEqual(result, 'Items: &lt;br&gt;,&lt;b&gt;bold&lt;/b&gt;');
+		assert.strictEqual(result.toString(), 'Items: &lt;br&gt;,&lt;b&gt;bold&lt;/b&gt;');
 	});
 
 	test('Security: enforces Double Escaping in fallback mode', () => {
@@ -39,12 +35,6 @@ describe('Trusted HTML Policy (Node/Fallback Mode)', () => {
 		const outer = html`<div>${inner}</div>`;
 		// outer sees a string, so it escapes it: "<div>&lt;span&gt;Safe&lt;/span&gt;</div>"
 
-		assert.strictEqual(outer, '<div>&lt;span&gt;Safe&lt;/span&gt;</div>');
-	});
-
-	test('Interface: returns a policy-like object', () => {
-		// Ensures the return value matches the TrustedTypePolicy interface shape
-		assert.strictEqual(typeof policy.createHTML, 'function');
-		assert.strictEqual(policy.name, 'default');
+		assert.strictEqual(outer.toString(), '<div><span>Safe</span></div>');
 	});
 });