On 2011/03/29 20:38:29, xtof wrote:
> > - Implement the public Image(String url,...) constructors in terms of the Image(SafeUri url, ...) ones, using fromUntrustedString.
> >
> > I'm really not sure about that last one, as the getUrl would still have to be a String for backwards compat', and the DOM-level accesses are all String-based too.
>
> I see. Since ClippedState is strictly internal, it probably doesn't make a big difference. I think for the time being it would also be fine to leave as it is currently, but replace fromTrustedString with fromUntrustedString and add some comments about what's going on. Just to avoid the impression that the code guarantees something that it really can't guarantee.

Thinking a bit more about it, how about keeping the use of fromTrustedString, not introducing fromUntrustedString, and instead just documenting that we're using fromTrustedString here for backwards compatibility only, and cannot guarantee the URL safety?

...and adding docs to all the String-based (public) methods about the caller having to care about security and either sanitize the URI or use the SafeUri-based overload? (note however that no such doc was added to setHTML when setSafeHtml was introduced)

http://gwt-code-reviews.appspot.com/1380806/

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
