lit-html is now part of the Lit library–see the new site at lit.dev. This site documents lit-html 1.0, no longer the current version.

lit-html 1.3.0

See the changelog for a complete list of changes.

Trusted Types

Trusted Types helps eliminate cross-site scripting (XSS) attacks by limiting the ability to use unsafe DOM APIs, like innerHTML. When Trusted Types is enabled, unsafe APIs disallow use with easily user-controlled types like strings, and instead require values be one of a small set of trusted types, like TrustedHTML, that can only be created by a Trusted Type policy.

This prevents application code from accidentally passing unsanitized user-controlled values directly to unsafe APIs and makes it easier to review security sensitive code that uses the Trusted Type policies.

lit-html 1.3.0 is compatible with Trusted Types. lit-html was already very XSS-resistant because it treats string data (as opposed to template strings) as text content, not unsafe HTML, but it does have to pass the HTML from template strings to unsafe APIs like innerHTML. lit-html now does this via a Trusted Type policy if the policy API exists.

Trusted Types shipped in Chrome 83, and is enabled via Content Security Policy. You can (and should!) enable Trusted Types for additional XSS protection on Chrome, and other browsers when they ship Trusted Types.

"type": "module"

We've added the "type" field in package.json, set to "module". This is the standard way to indicate that the .js files in an npm package are standard JavaScript modules. Node only supports this field and not the previous community initiated methods for this. We've kept the existing "module" field, since some tools do not yet support the "type" field.

Export shadyTemplateFactory

The folks at open-wc.org have an interesting extension to lit-html that emulates scoped custom element definitions. They had to copy the shady-render module though, because shadyTemplateFactory wasn't exported. We now export it to save some bytes when using that library.

Please note that we will likely remove template factories in a future major version of lit-html, so we don't recommend using this API. Open-wc is investigating another approach for their use case.