http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safecss/shared/SafeCssProperties.java
File user/src/com/google/gwt/safecss/shared/SafeCssProperties.java (right):

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safecss/shared/SafeCssProperties.java#newcode46
user/src/com/google/gwt/safecss/shared/SafeCssProperties.java:46: * By convention, {@link SafeCssProperties} should only contain single quotes

Since SafeHtmlTemplates has been changed to HTML-escape the value of style attributes, perhaps it might avoid some confusion to remove the suggestion about the quotes.

It wouldn't hurt to instead remind users that SafeCssProperties strings may contain literal single or double quotes, and as such the entire CSS must be HTML escaped when used in a style attribute.

One thing that is important to require is that SafeCssProperties may never contain literal angle brackets. Otherwise, it could be unsafe to place a SafeCssProperties into a <style> tag (where it can't be HTML escaped), e.g. if the SafeCssProperties such as

font: 'foo </style><script>evil</script>'

is used in a style sheet in a <style> tag; this could then break out of the style context into HTML.

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java
File user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java (right):

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java#newcode185
user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java:185: // escaping it.

Perhaps remove the "without escaping it" since it is now escaped after all?

http://gwt-code-reviews.appspot.com/1384801/

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
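
The two contexts discussed in the review above, as an added example that is not part of the original message or of GWT. It is plain Java with hypothetical names (CssContextCheck, asStyleAttribute, asStyleRule) and shows HTML-escaping of the whole CSS string for a style attribute, and rejection of angle brackets before the string is placed in a <style> element.

```java
/** Added illustration; the class and method names are hypothetical, not GWT API. */
public class CssContextCheck {

  /** Invariant from the review: no literal '<' or '>', because a <style> block cannot be HTML-escaped. */
  static boolean hasNoAngleBrackets(String css) {
    return css.indexOf('<') < 0 && css.indexOf('>') < 0;
  }

  /** Minimal HTML escaper; '&' is replaced first so later entities are not double-escaped. */
  static String htmlEscape(String s) {
    return s.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace("\"", "&quot;")
        .replace("'", "&#39;");
  }

  /** style="..." context: the whole CSS string is escaped, so quotes in it cannot end the attribute. */
  static String asStyleAttribute(String css) {
    return "style=\"" + htmlEscape(css) + "\"";
  }

  /** <style> context: escaping is unavailable, so the invariant is enforced instead. */
  static String asStyleRule(String selector, String css) {
    if (!hasNoAngleBrackets(css)) {
      throw new IllegalArgumentException("angle bracket in CSS properties");
    }
    return "<style>" + selector + " {" + css + "}</style>";
  }

  public static void main(String[] args) {
    // Constructed sample inputs; the last is the string quoted in the review comment.
    String[] samples = {
      "font-family: 'Times New Roman';",
      "content: \"a\";",
      "font: 'foo </style><script>evil</script>'"
    };
    for (String css : samples) {
      System.out.println(asStyleAttribute(css));
      try {
        System.out.println(asStyleRule(".x", css));
      } catch (IllegalArgumentException e) {
        System.out.println("rejected for <style>: " + e.getMessage());
      }
    }
  }
}
```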
