Update docs

Author: rzhade3

README.md

@@ -245,3 +245,30 @@ render(html`<div>${until(request, timeout, loading)}</div>`)
 // ^ renders <div>Loading...</div>
 // After 2000ms will render <div>Failed to load</div>
 ```
+
+### CSP Trusted Types
+
+You can call `setCSPTrustedTypesPolicy(policy: TrustedTypePolicy | Promise<TrustedTypePolicy> | null)` from JavaScript to set a [CSP trusted types policy](https://web.dev/trusted-types/), which can perform (synchronous) filtering or rejection of the rendered template:
+
+```ts
+import {setCspTrustedTypePolicy} from "@github/jtml";
+import DOMPurify from "dompurify"; // Using https://github.com/cure53/DOMPurify
+
+// This policy removes all HTML markup except links.
+const policy = trustedTypes.createPolicy("links-only", {
+  createHTML: (htmlText: string) => {
+    return DOMPurify.sanitize(htmlText, {
+      ALLOWED_TAGS: ["a"],
+      ALLOWED_ATTR: ["href"],
+      RETURN_TRUSTED_TYPE: true,
+    });
+  },
+});
+setCSPTrustedTypesPolicy(policy);
+```
+
+Note that:
+
+- Only a single policy can be set, shared by all `render` and `unsafeHTML` calls.
+- You should call `setCSPTrustedTypesPolicy()` ahead of any other call of `@github/jtml` in your code.
+- Not all browsers [support the trusted types API in JavaScript](https://caniuse.com/mdn-api_trustedtypes). You may want to use the [recommended tinyfill](https://github.com/w3c/trusted-types#tinyfill) to construct a policy without causing issues in other browsers.