Safe Pug Templates (Pug Trusted Types Plugin)

![Build Status](https://travis-ci.org/mikesamuel/pug-plugin-trusted-types)
![Dependencies Status](https://david-dm.org/mikesamuel/pug-plugin-trusted-types)
![npm](https://www.npmjs.com/package/pug-plugin-trusted-types)
![Coverage Status](https://coveralls.io/github/mikesamuel/pug-plugin-trusted-types?branch=master)
![Install Size](https://packagephobia.now.sh/result?p=pug-plugin-trusted-types)
![Known Vulnerabilities](https://snyk.io/test/github/mikesamuel/pug-plugin-trusted-types?targetFile=package.json)

Hooks into Pug to add
Trusted Types checks to key attributes
to reduce the risk of XSS.

* Usage
* Webpack integration via pug-loader
* Requiring Templates
* Inline Templates
* Pre-compiled or manually compiled Templates
* Before
* After
* Double checking expressions
* Automagic
* CSRF (Cross-Site Request Forgery) Protection
* Configuring with csrf-crypto
* Content-Security-Policy
* Plugin Configuration
* csrfInputName
* csrfInputValueExpression
* nonceValueExpression
* report(message)

This plugin focuses on checking URLs, to prevent, e.g. arbitrary strings from reaching `

If your HTTP response has a header like the below then those CSS and JavaScript will load, but ones lacking thenonce attribute will not.

`Content-Security-Policy: default-src 'nonce-7QgTXZjEaat5wrC8JAn0FsBq'`

`Plugin Configuration`

Pug doesn't provide a way to directly configure plugins, but this plugin takes into account

`js ({ filtersOptions: { trustedTypes: { report() { // ... } } } })`

`$3`

A value for an attribute that is automatically added to

 elements to protect against Cross-Site Request Forgery
(CSRF).

Defaults to csrfToken.

`$3`

A string containing a JavaScript expression for the value corresponding to thecsrfInputName.

Defaults to null. If null, then s have no hidden input added.

`$3`

A string containing a JavaScript expression for the value of nonceattribute automatically added topug-plugin-trusted-types - npm explorer