|
GWT 2.7.0 | |||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object com.google.gwt.safehtml.shared.SafeHtmlBuilder
public final class SafeHtmlBuilder
A builder that facilitates the building up of XSS-safe HTML from text
snippets. It is used essentially like a StringBuilder
; unlike a
StringBuilder
, it automatically HTML-escapes appended input where
necessary.
In addition, it supports methods that allow strings with HTML markup to be
appended without escaping: One can append other SafeHtml
objects, and
one can append constant strings. The method that appends constant strings
(appendHtmlConstant(String)
) requires a convention of use to be
adhered to in order for this class to adhere to the contract required by
SafeHtml
: The argument expression must be fully determined and known
to be safe at compile time, and the value of the argument must not contain
incomplete HTML tags. See appendHtmlConstant(String)
for details.
The accumulated XSS-safe HTML can be obtained in the form of a
SafeHtml
via the toSafeHtml()
method.
This class is not thread-safe.
Constructor Summary | |
---|---|
SafeHtmlBuilder()
Constructs an empty SafeHtmlBuilder. |
Method Summary | |
---|---|
SafeHtmlBuilder |
append(boolean b)
Appends the string representation of a boolean. |
SafeHtmlBuilder |
append(byte num)
Appends the string representation of a number. |
SafeHtmlBuilder |
append(char c)
Appends the string representation of a char. |
SafeHtmlBuilder |
append(double num)
Appends the string representation of a number. |
SafeHtmlBuilder |
append(float num)
Appends the string representation of a number. |
SafeHtmlBuilder |
append(int num)
Appends the string representation of a number. |
SafeHtmlBuilder |
append(long num)
Appends the string representation of a number. |
SafeHtmlBuilder |
append(SafeHtml html)
Appends the contents of another SafeHtml object, without applying
HTML-escaping to it. |
SafeHtmlBuilder |
appendEscaped(java.lang.String text)
Appends a string after HTML-escaping it. |
SafeHtmlBuilder |
appendEscapedLines(java.lang.String text)
Appends a string consisting of several newline-separated lines after HTML-escaping it. |
SafeHtmlBuilder |
appendHtmlConstant(java.lang.String html)
Appends a compile-time-constant string, which will not be escaped. |
SafeHtml |
toSafeHtml()
Returns the safe HTML accumulated in the builder as a SafeHtml . |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public SafeHtmlBuilder()
Method Detail |
---|
public SafeHtmlBuilder append(boolean b)
b
- the boolean whose string representation to append
public SafeHtmlBuilder append(byte num)
num
- the number whose string representation to append
public SafeHtmlBuilder append(char c)
c
- the character whose string representation to append
SafeHtmlUtils.htmlEscape(char)
public SafeHtmlBuilder append(double num)
num
- the number whose string representation to append
public SafeHtmlBuilder append(float num)
num
- the number whose string representation to append
public SafeHtmlBuilder append(int num)
num
- the number whose string representation to append
public SafeHtmlBuilder append(long num)
num
- the number whose string representation to append
public SafeHtmlBuilder append(SafeHtml html)
SafeHtml
object, without applying
HTML-escaping to it.
html
- the SafeHtml
to append
public SafeHtmlBuilder appendEscaped(java.lang.String text)
text
- the string to append
SafeHtmlUtils.htmlEscape(String)
public SafeHtmlBuilder appendEscapedLines(java.lang.String text)
<br>
tags.
text
- the string to append
SafeHtmlUtils.htmlEscape(String)
public SafeHtmlBuilder appendHtmlConstant(java.lang.String html)
Important: For this class to be able to honor its contract as
required by SafeHtml
, all uses of this method must satisfy the
following constraints:
<a>
tag is incomplete:
shb.appendHtmlConstant("<a href='").append(url)
The first constraint provides a sufficient condition that the appended
string (and any HTML markup contained in it) originates from a trusted
source. The second constraint ensures the composability of SafeHtml
values.
When executing client-side in Development Mode, or server-side with
assertions enabled, the argument is HTML-parsed and validated to satisfy
the second constraint (the server-side check can also be enabled
programmatically, see
SafeHtmlHostedModeUtils.maybeCheckCompleteHtml(String)
for
details). For performance reasons, this check is not performed in prod mode
on the client, and with assertions disabled on the server.
html
- the HTML snippet to be appended
java.lang.IllegalArgumentException
- if not running in prod mode and html
violates the second constraintpublic SafeHtml toSafeHtml()
SafeHtml
.
|
GWT 2.7.0 | |||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |