Makes sense, but let's file a follow up issue on that rather than block this patch.

On Mar 9, 2011 9:04 AM, <[email protected]> wrote:
> This is really great! It pretty much completely removes uibinder out of
> the security-relevant codebase.
>
>
> http://gwt-code-reviews.appspot.com/1305801/diff/55001/user/src/com/google/gwt/uibinder/elementparsers/HtmlMessageInterpreter.java
> File
> user/src/com/google/gwt/uibinder/elementparsers/HtmlMessageInterpreter.java
> (right):
>
> http://gwt-code-reviews.appspot.com/1305801/diff/55001/user/src/com/google/gwt/uibinder/elementparsers/HtmlMessageInterpreter.java#newcode77
> user/src/com/google/gwt/uibinder/elementparsers/HtmlMessageInterpreter.java:77:
> return uiWriter.tokenForSafeHtmlExpression(messages.declareMessage(message));
> Methods in Messages interfaces can themselves be declared to return
> SafeHtml
> ( http://code.google.com/webtoolkit/doc/latest/DevGuideI18nMessages.html#SafeHtmlMessages ).
>
> I'm wondering if it would work to change MessageWriter#writeDeclaration
> to emit declarations of Messages methods that return SafeHtml rather
> than String. And if that's done, would that remove the need to use
> tokenForSafeHtmlExpression here (in which case that method could be
> deleted altogether)?
>
> http://gwt-code-reviews.appspot.com/1305801/diff/55001/user/src/com/google/gwt/uibinder/rebind/UiBinderWriter.java
> File user/src/com/google/gwt/uibinder/rebind/UiBinderWriter.java
> (right):
>
> http://gwt-code-reviews.appspot.com/1305801/diff/55001/user/src/com/google/gwt/uibinder/rebind/UiBinderWriter.java#newcode686
> user/src/com/google/gwt/uibinder/rebind/UiBinderWriter.java:686:
> public String tokenForSafeHtmlExpression(String expression) {
> This is the one place where potential HTML unsafety could be introduced
> (if this method were called on an expression that is not in fact a safe
> constant). The only use in this CL appears to be in
> HtmlMessageInterpreter; see a question there if it's possible to avoid
> relying on this method. If so, this method could be removed.
>
> http://gwt-code-reviews.appspot.com/1305801/

-- http://groups.google.com/group/Google-Web-Toolkit-Contributors
