http://gwt-code-reviews.appspot.com/771801/diff/11002/15007
File user/src/com/google/gwt/safehtml/shared/OnlyToBeUsedInGeneratedCodeStringBlessedAsSafeHtml.java (right):
http://gwt-code-reviews.appspot.com/771801/diff/11002/15007#newcode26
user/src/com/google/gwt/safehtml/shared/OnlyToBeUsedInGeneratedCodeStringBlessedAsSafeHtml.java:26: public class OnlyToBeUsedInGeneratedCodeStringBlessedAsSafeHtml
On 2010/08/20 19:43:33, jat wrote:
Can this just be a subclass of SafeHtmlString?
Decided to leave as-is now.
http://gwt-code-reviews.appspot.com/771801/diff/11002/15007#newcode38
user/src/com/google/gwt/safehtml/shared/OnlyToBeUsedInGeneratedCodeStringBlessedAsSafeHtml.java:38: if (html == null) {
On 2010/08/20 21:29:31, tbroyer wrote:
Shouldn't this check be done in the ctor?
Moreover, equals and hashCode might throw an NPE.
(same applies to SafeHtmlString as it's a copy of this class)
Done.
http://gwt-code-reviews.appspot.com/771801/diff/11002/15008
File user/src/com/google/gwt/safehtml/shared/SafeHtml.java (right):
http://gwt-code-reviews.appspot.com/771801/diff/11002/15008#newcode25
user/src/com/google/gwt/safehtml/shared/SafeHtml.java:25: * Note on usage: SafeHtml should be used to ensure text coming from the server
On 2010/08/20 21:29:31, tbroyer wrote:
I thought this note would rather go on HtmlSanitizer than SafeHtml.
Additionally, the note says "SafeHtml should not be used to sanitize input"; isn't it also designed for displaying user input in an HTML context (i.e. escape user input so it's displayed as "plain text", or maybe use HtmlSanitizer to display it as "sanitized HTML"; as an example, text entered in a search box displayed on the search results in a sentence such as "Search results for <b>{user input}</b>")? Shouldn't the note rather say that it's not intended for sanitizing user input *before sending it to the server*, i.e. hinting that the *server* should sanitize the input?
The original wording was definitely poor... I have reworded it to make the usage clear (i.e., don't use this to clean text heading to the server). I wanted the note to go in SafeHtml to help naive users, so I've put it in both SafeHtml and HtmlSanitizer.
http://gwt-code-reviews.appspot.com/771801/diff/11002/15011
File user/src/com/google/gwt/safehtml/shared/SafeHtmlUtils.java (right):
http://gwt-code-reviews.appspot.com/771801/diff/11002/15011#newcode79
user/src/com/google/gwt/safehtml/shared/SafeHtmlUtils.java:79: * Test 1, complex escaping, 22/391 chars needed to be replaced.
On 2010/08/20 19:43:33, jat wrote:
On 2010/08/20 18:37:52, rice wrote:
> Probably don't need to include timings in the source permanently.
I agree, especially since they don't include machine details that would be relevant. I suggest just stating the options you tested and the conclusion rather than including the timings here.
Done.
http://gwt-code-reviews.appspot.com/771801/diff/11002/15011#newcode79
user/src/com/google/gwt/safehtml/shared/SafeHtmlUtils.java:79: * Test 1, complex escaping, 22/391 chars needed to be replaced.
On 2010/08/20 18:37:52, rice wrote:
Probably don't need to include timings in the source permanently.
Done.
http://gwt-code-reviews.appspot.com/771801/diff/11002/15013
File user/src/com/google/gwt/safehtml/shared/UriUtils.java (right):
http://gwt-code-reviews.appspot.com/771801/diff/11002/15013#newcode66
user/src/com/google/gwt/safehtml/shared/UriUtils.java:66: return (scheme == null || "http".equalsIgnoreCase(scheme)
On 2010/08/20 19:43:33, jat wrote:
Rather than equalsIgnoreCase, which is going to wind up converting to lowercase multiple times, why not convert it to lowercase once and just do equals? We don't have fully correct casing in the browser (and to do it right you would need java.text.Collator anyway), and those are implemented the same way, just more efficiently.
Also, I was incorrect when we talked before about the Turkish locale -- toLowerCase("I") will return the dotless i (U+0131). As we discussed, toUpperCase won't solve it either, as that will map "i" to a dotted capital i (U+130).
So an ugly hack would be to also compare to "ma\u0131lto" (or just type it in the source) as well as the others after calling toLowerCase(). Not sure we can do better on the client given the state of Unicode support in JS.
Done using the following:
("mailto".equals(scheme.toLowerCase()) ||
"MAILTO".equals(scheme.toUpperCase()))
http://gwt-code-reviews.appspot.com/771801/show
--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
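The Turkish-locale problem discussed for UriUtils above, worked through as an added example that is not GWT code: a small Java class that runs a URI-scheme allow-list check three ways under a tr-TR locale. The naive single fold reproduces the bug jat describes (an upper-case "MAILTO" lowers to a dotless-i string and is rejected), the second method is the both-folds workaround adopted in the reply, and the third uses Locale.ROOT, which plain JRE code can do but which is assumed not to be available in GWT's String emulation. The extractScheme helper, the class name and the sample URIs are all constructed for this demo; the allow-list mirrors the schemes named in the review.

```java
import java.util.Locale;

/**
 * Added example, not GWT's UriUtils. Shows how a locale-sensitive case fold
 * breaks a URI-scheme allow-list under a Turkish locale, and compares three
 * ways of doing the check. extractScheme() is a hypothetical helper written
 * for this demo only.
 */
public class SchemeAllowListDemo {

    /** Returns the text before the first ':' when that ':' precedes any
     *  '/', '?' or '#'; otherwise null (no scheme, i.e. a relative URI). */
    static String extractScheme(String uri) {
        int colon = uri.indexOf(':');
        if (colon < 0) {
            return null;
        }
        for (int i = 0; i < colon; i++) {
            char c = uri.charAt(i);
            if (c == '/' || c == '?' || c == '#') {
                return null;
            }
        }
        return uri.substring(0, colon);
    }

    /** Naive: one fold with the given locale. With tr-TR, "MAILTO" lowers to
     *  "ma\u0131lto" (dotless i), so a legitimate mailto: link is rejected. */
    static boolean isSafeSchemeNaive(String scheme, Locale locale) {
        if (scheme == null) {
            return true;
        }
        String lower = scheme.toLowerCase(locale);
        return "http".equals(lower) || "https".equals(lower)
                || "ftp".equals(lower) || "mailto".equals(lower);
    }

    /** The review's workaround: "mailto" holds a single 'i', so whichever case
     *  it arrives in, either the lower or the upper fold is an exact match. */
    static boolean isSafeSchemeBothFolds(String scheme, Locale locale) {
        if (scheme == null) {
            return true;
        }
        String lower = scheme.toLowerCase(locale);
        return "http".equals(lower) || "https".equals(lower)
                || "ftp".equals(lower) || "mailto".equals(lower)
                || "MAILTO".equals(scheme.toUpperCase(locale));
    }

    /** Plain-JRE alternative (assumed unavailable in GWT's String emulation):
     *  fold with Locale.ROOT so the user's default locale never enters the check. */
    static boolean isSafeSchemeRoot(String scheme) {
        if (scheme == null) {
            return true;
        }
        String lower = scheme.toLowerCase(Locale.ROOT);
        return "http".equals(lower) || "https".equals(lower)
                || "ftp".equals(lower) || "mailto".equals(lower);
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        // Constructed inputs: the same mailto: link in three casings, an
        // upper-case http link, a relative link, and a scheme outside the list.
        String[] uris = {
            "mailto:someone@example.test",
            "MAILTO:someone@example.test",
            "MaIlTo:someone@example.test",
            "HTTP://example.test/",
            "/relative/path",
            "unknown:example",
        };
        System.out.println("uri | naive(tr-TR) | bothFolds(tr-TR) | root");
        for (String uri : uris) {
            String scheme = extractScheme(uri);
            System.out.printf("%s | %b | %b | %b%n", uri,
                    isSafeSchemeNaive(scheme, turkish),
                    isSafeSchemeBothFolds(scheme, turkish),
                    isSafeSchemeRoot(scheme));
        }
    }
}
```

Running it shows the naive column rejecting the "MAILTO:" and "MaIlTo:" links under tr-TR while the other two columns accept every input except "unknown:". The both-folds trick only works because each allow-listed scheme contains at most one 'i'/'I'; a scheme with two such letters in mixed case would need a locale-independent fold (Locale.ROOT, or a per-character ASCII fold) rather than the OR of two locale-sensitive ones.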