http://gwt-code-reviews.appspot.com/771801/diff/11002/15007
File user/src/com/google/gwt/safehtml/shared/OnlyToBeUsedInGeneratedCodeStringBlessedAsSafeHtml.java (right):

http://gwt-code-reviews.appspot.com/771801/diff/11002/15007#newcode38
user/src/com/google/gwt/safehtml/shared/OnlyToBeUsedInGeneratedCodeStringBlessedAsSafeHtml.java:38:
if (html == null) {

Shouldn't this check be done in the ctor? Moreover, equals and hashCode might throw an NPE. (same applies to SafeHtmlString as it's a copy of this class)

http://gwt-code-reviews.appspot.com/771801/diff/11002/15008
File user/src/com/google/gwt/safehtml/shared/SafeHtml.java (right):

http://gwt-code-reviews.appspot.com/771801/diff/11002/15008#newcode25
user/src/com/google/gwt/safehtml/shared/SafeHtml.java:25:
* Note on usage: SafeHtml should be used to ensure text coming from the server

I thought this note would rather go on HtmlSanitizer than SafeHtml.

Additionally, the note says "SafeHtml should not be used to sanitize input"; isn't it also designed for displaying user input in an HTML context (i.e. escape user input so it's displayed as "plain text", or maybe use HtmlSanitizer to display it as "sanitized HTML"; as an example, text entered in a search box displayed on the search results in a sentence such as "Search results for <b>{user input}</b>"). Shouldn't the note rather say that it's not intended for sanitizing user input *before sending it to the server*, i.e. hinting that the *server* should sanitize the input?

http://gwt-code-reviews.appspot.com/771801/show

-- 
http://groups.google.com/group/Google-Web-Toolkit-Contributors
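
The two points raised in the review above, as an added example that is not GWT's source and not part of the original message: a wrapper that rejects null in its constructor so that `equals` and `hashCode` cannot throw, used to show escaped search-box input in a results heading. `HtmlWrapper`, `escape` and `SafeWrapperDemo` are hypothetical names, and the escaper is a minimal one written for this example.

```java
import java.util.Objects;

public class SafeWrapperDemo {
  /** Hypothetical stand-in for the reviewed wrapper class (not GWT's source). */
  static final class HtmlWrapper {
    private final String html;

    HtmlWrapper(String html) {
      // Reject null once, at construction, so every method below can rely on it.
      this.html = Objects.requireNonNull(html, "html is null");
    }

    String asString() { return html; }

    // Safe without a null check: the constructor guarantees html is non-null.
    @Override public boolean equals(Object o) {
      return o instanceof HtmlWrapper && html.equals(((HtmlWrapper) o).html);
    }

    @Override public int hashCode() { return html.hashCode(); }
  }

  /** Escaper written for this example; an assumption, not GWT's API. */
  static HtmlWrapper escape(String text) {
    // '&' is replaced first so the entities added afterwards are not re-escaped.
    String s = text.replace("&", "&amp;").replace("<", "&lt;")
        .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");
    return new HtmlWrapper(s);
  }

  public static void main(String[] args) {
    String userInput = "<i>cats</i> & dogs";  // constructed sample input
    HtmlWrapper q = escape(userInput);
    // The user's text is rendered as plain text inside trusted markup.
    System.out.println("Search results for <b>" + q.asString() + "</b>");
    System.out.println("equal wrappers: " + q.equals(escape(userInput)));
    try {
      new HtmlWrapper(null);
    } catch (NullPointerException e) {
      System.out.println("rejected at construction: " + e.getMessage());
    }
  }
}
```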
