On 2010/08/17 23:23:39, xtof wrote:
> On 2010/08/17 23:05:06, tbroyer wrote:
> >
> > Looking at the code more closely it would merely "fail" by overly
> > rejecting tags that are whitelisted: i.e. "<b foo=<i>should be
> > bold" would be sanitized to "<b foo=<i>should be bold" and the
> > end part would be italicized instead of bold.
> And that is exactly correct behavior for this class as documented. It
> only claims to accept HTML with attribute-free tags within the
> whitelist. It doesn't claim to do anything particularly sensible
> with input that doesn't fit this constraint; it does however claim
> that whatever it outputs is safe (will not result in XSS/script
> execution).
Oops, yes, sorry, I can't tell how it happened but I misread the
"whitelisting" code (matches the whole thing between '<' and '>', so any
attribute, or even whitespace, as in "<b >bold</b>", would make it fail
and thus be escaped).
It's fine then. Sorry again for the noise.
Still, there's a small issue with the fact that
SafeHtmlTemplatesGenerator doesn't use the HTML5 serialization algorithm
(or any similar one): @Template("<br/>") will result in "<br></br>"
which is interpreted by browsers as "<br><br>" [1], which makes it
impossible to generate a single "line break" in a SafeHtmlTemplates.
[1] http://www.w3.org/TR/html5/tokenization.html#parsing-main-inbody
(search for « An end tag whose tag name is "br" », it's there for
"compat with the Web")
http://gwt-code-reviews.appspot.com/771801/show
--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
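The whitelisting behavior tbroyer describes (the whole text between '<' and '>' must be a bare whitelisted tag name, otherwise the '<' is escaped) can be made concrete with a small sanitizer. This is an added illustration in JavaScript, not the GWT sanitizer's own code; the tag whitelist and the exact escaping rules are assumptions.

```javascript
// Added example, not GWT code: a tag-whitelist sanitizer that accepts only
// attribute-free tags and escapes everything else. Whitelist is assumed.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "u", "br"]);

// Escape text so it cannot start a tag or entity.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function simpleSanitize(html) {
  let out = "";
  let pos = 0;
  while (pos < html.length) {
    const lt = html.indexOf("<", pos);
    if (lt === -1) { out += escapeHtml(html.slice(pos)); break; }
    out += escapeHtml(html.slice(pos, lt));
    const gt = html.indexOf(">", lt + 1);
    if (gt === -1) { out += escapeHtml(html.slice(lt)); break; }
    // Everything between '<' and '>' must be an optional '/' plus a
    // whitelisted name. Any attribute, whitespace or trailing '/' (as in
    // "<br/>") fails the match and the '<' is escaped instead.
    const inner = html.slice(lt + 1, gt);
    const m = /^(\/?)([a-zA-Z]+)$/.exec(inner);
    if (m && ALLOWED_TAGS.has(m[2].toLowerCase())) {
      out += "<" + m[1] + m[2].toLowerCase() + ">";
      pos = gt + 1;
    } else {
      // Escape only the '<' and resume right after it, so a well-formed tag
      // later in the rejected run (e.g. the "<i>" in "<b foo=<i>") is still
      // considered on its own.
      out += "&lt;";
      pos = lt + 1;
    }
  }
  return out;
}

// Constructed inputs mirroring the cases discussed in the thread.
for (const sample of ["<b>bold</b>", "<b >bold</b>",
                      "<b foo=<i>should be bold", "<br/>"]) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(simpleSanitize(sample)));
}
```

Note that "<br/>" is rejected outright by this strict matching, which is the same whole-tag rule that makes the "<b >bold</b>" case fail.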