public final class SafeHtmlUtils
extends java.lang.Object
Modifier and Type | Field and Description |
---|---|
static SafeHtml | EMPTY_SAFE_HTML: An empty String. |

Modifier and Type | Method and Description |
---|---|
static SafeHtml | fromSafeConstant(java.lang.String s): Returns a SafeHtml constructed from a safe string, i.e., without escaping the string. |
static SafeHtml | fromString(java.lang.String s): Returns a SafeHtml containing the escaped string. |
static SafeHtml | fromTrustedString(java.lang.String s): Returns a SafeHtml constructed from a trusted string, i.e., without escaping the string. |
static java.lang.String | htmlEscape(char c): HTML-escapes a character. |
static java.lang.String | htmlEscape(java.lang.String s): HTML-escapes a string. |
static java.lang.String | htmlEscapeAllowEntities(java.lang.String text): HTML-escapes a string, but does not double-escape HTML-entities already present in the string. |

public static final SafeHtml EMPTY_SAFE_HTML
public static SafeHtml fromSafeConstant(java.lang.String s)
Returns a SafeHtml constructed from a safe string, i.e., without escaping the string.
Important: For this method to be able to honor the SafeHtml
contract, all uses of this method must satisfy the following constraints:
<a> tag is incomplete:
shb.appendHtmlConstant("<a href='").append(url)
The first constraint provides a sufficient condition that the argument (and any HTML markup contained in it) originates from a trusted source. The second constraint ensures the composability of SafeHtml values.
When executing client-side in Development Mode, or server-side with assertions enabled, the argument is HTML-parsed and validated to satisfy the second constraint (the server-side check can also be enabled programmatically, see SafeHtmlHostedModeUtils.maybeCheckCompleteHtml(String) for details). For performance reasons, this check is not performed in Production Mode on the client, or on the server with assertions disabled.
public static SafeHtml fromString(java.lang.String s)
Returns a SafeHtml containing the escaped string.
Parameters: s - the input String
Returns: SafeHtml instance
public static SafeHtml fromTrustedString(java.lang.String s)
Returns a SafeHtml constructed from a trusted string, i.e., without escaping the string. No checks are performed. The calling code should be carefully reviewed to ensure the argument meets the SafeHtml contract.
Parameters: s - the input String
Returns: SafeHtml instance
public static java.lang.String htmlEscape(char c)
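HTML-escapes a character. HTML meta characters are escaped as follows:
& - `&amp;`
< - `&lt;`
> - `&gt;`
" - `&quot;`
' - `&#39;`
Parameters: c - the character to be escaped
public static java.lang.String htmlEscape(java.lang.String s)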
Note: The following variants of this function were profiled on FF40, Chrome44, Safari 8 and IE11:
For all browsers #4 was found to be the fastest, and is used below.
The only outlier was Firefox, with #6 being the optimal option, but #6 performs considerably worse in all other browsers.
Parameters: s - the string to be escaped
public static java.lang.String htmlEscapeAllowEntities(java.lang.String text)
Parameters: text - the string to be escaped
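
The following added example (not part of the GWT documentation) contrasts the escaping and non-escaping methods described above on constructed input, and composes markup from complete-tag constants plus escaped text. The class name `SafeHtmlUtilsDemo`, the helper `renderItem` and the sample strings are assumptions; it needs the GWT library on the classpath.

```java
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;

// Hypothetical demo class (not from GWT); needs the GWT library on the classpath.
public class SafeHtmlUtilsDemo {

  // Constructed sample inputs standing in for user-supplied data.
  static final String UNTRUSTED = "<script>alert(1)</script> O'Neil & \"Co\"";
  static final String PRE_ESCAPED = "Fish &amp; Chips <b>";

  /** Builds one list item; only the compile-time markup literals skip escaping. */
  static SafeHtml renderItem(String untrustedText) {
    SafeHtmlBuilder shb = new SafeHtmlBuilder();
    // Every constant holds complete tags only, so each call ends in inner-HTML
    // context. A fragment such as "<a href='" would break that constraint.
    shb.appendHtmlConstant("<li class='name'>");
    shb.appendEscaped(untrustedText); // HTML-escaped before it is appended
    shb.appendHtmlConstant("</li>");
    return shb.toSafeHtml();
  }

  public static void main(String[] args) {
    // fromString escapes the meta characters, so the markup becomes inert text.
    System.out.println("fromString:        " + SafeHtmlUtils.fromString(UNTRUSTED).asString());

    // fromTrustedString performs no checks: the same input comes back as live
    // markup. Shown only for contrast; reserve it for reviewed, trusted sources.
    System.out.println("fromTrustedString: " + SafeHtmlUtils.fromTrustedString(UNTRUSTED).asString());

    // htmlEscape re-escapes the '&' of an existing entity (double escaping);
    // htmlEscapeAllowEntities keeps the entity and still escapes '<' and '>'.
    System.out.println("htmlEscape:        " + SafeHtmlUtils.htmlEscape(PRE_ESCAPED));
    System.out.println("allowEntities:     " + SafeHtmlUtils.htmlEscapeAllowEntities(PRE_ESCAPED));

    // Composed output: constants supply the structure, user data stays escaped.
    System.out.println("renderItem:        " + renderItem(UNTRUSTED).asString());
  }
}
```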