On Wed, Mar 9, 2011 at 09:17, Ray Ryan <[email protected]> wrote:

> Makes sense, but let's file a follow up issue on that rather than block
> this patch.
>
SGTM.  Sorry for not looking at this earlier :/

> On Mar 9, 2011 9:04 AM, <[email protected]> wrote:
> > This is really great! It pretty much completely removes uibinder out of
> > the security-relevant codebase.
> >
> > http://gwt-code-reviews.appspot.com/1305801/diff/55001/user/src/com/google/gwt/uibinder/elementparsers/HtmlMessageInterpreter.java
> > File user/src/com/google/gwt/uibinder/elementparsers/HtmlMessageInterpreter.java (right):
> >
> > http://gwt-code-reviews.appspot.com/1305801/diff/55001/user/src/com/google/gwt/uibinder/elementparsers/HtmlMessageInterpreter.java#newcode77
> > user/src/com/google/gwt/uibinder/elementparsers/HtmlMessageInterpreter.java:77:
> > return uiWriter.tokenForSafeHtmlExpression(messages.declareMessage(message));
> > Methods in Messages interfaces can themselves be declared to return
> > SafeHtml
> > (http://code.google.com/webtoolkit/doc/latest/DevGuideI18nMessages.html#SafeHtmlMessages).
> >
> > I'm wondering if it would work to change MessageWriter#writeDeclaration
> > to emit declarations of Messages methods that return SafeHtml rather
> > than String. And if that's done, would that remove the need to use
> > tokenForSafeHtmlExpression here (in which case that method could be
> > deleted altogether)?
> >
> > http://gwt-code-reviews.appspot.com/1305801/diff/55001/user/src/com/google/gwt/uibinder/rebind/UiBinderWriter.java
> > File user/src/com/google/gwt/uibinder/rebind/UiBinderWriter.java (right):
> >
> > http://gwt-code-reviews.appspot.com/1305801/diff/55001/user/src/com/google/gwt/uibinder/rebind/UiBinderWriter.java#newcode686
> > user/src/com/google/gwt/uibinder/rebind/UiBinderWriter.java:686: public
> > String tokenForSafeHtmlExpression(String expression) {
> > This is the one place where potential HTML unsafety could be introduced
> > (if this method were called on an expression that is not in fact a safe
> > constant). The only use in this CL appears to be in
> > HtmlMessageInterpreter; see a question there if it's possible to avoid
> > relying on this method. If so, this method could be removed.
> >
> > http://gwt-code-reviews.appspot.com/1305801/
>

-- 
http://groups.google.com/group/Google-Web-Toolkit-Contributors
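As an added illustration of the SafeHtml-returning Messages declaration the reviewer points to above (a hypothetical example written for this thread, not code from the CL or from GWT's own sources; the GreetingMessages interface and GreetingPanel widget are made up):

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.i18n.client.Messages;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.user.client.ui.HTML;

// Hypothetical Messages interface. Because greeting() returns SafeHtml rather
// than String, the generated implementation treats the template as trusted
// markup but HTML-escapes the String argument when substituting it for {0};
// an argument typed SafeHtml would be inserted unchanged instead.
interface GreetingMessages extends Messages {
  @DefaultMessage("Hello <b>{0}</b>, you have {1} new items.")
  SafeHtml greeting(String userName, int count);
}

// Hypothetical widget consuming the message. The value is already a SafeHtml,
// so it goes straight to HTML.setHTML(SafeHtml) with no unchecked String-to-
// SafeHtml step of the kind UiBinderWriter#tokenForSafeHtmlExpression performs.
class GreetingPanel extends HTML {
  private static final GreetingMessages MSGS = GWT.create(GreetingMessages.class);

  GreetingPanel(String userName, int count) {
    // A userName containing '<' or '&' reaches the DOM as escaped text,
    // because the escaping happens inside the generated greeting() method.
    setHTML(MSGS.greeting(userName, count));
  }
}
```

Only the runtime arguments are escaped here; the template and every translation of it are trusted as markup, so the message text itself stays part of the surface that has to be reviewed.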
