Revision: 9957
Author:   rj...@google.com
Date:     Thu Apr  7 08:40:59 2011
Log:      Change the default of UiBinder.useSafeHtmlTemplates to false
for gwt 2.3

Review by: sbruba...@google.com
http://code.google.com/p/google-web-toolkit/source/detail?r=9957

Modified:
 /releases/2.3/user/src/com/google/gwt/uibinder/UiBinder.gwt.xml
/releases/2.3/user/src/com/google/gwt/uibinder/rebind/UiBinderGenerator.java

=======================================
--- /releases/2.3/user/src/com/google/gwt/uibinder/UiBinder.gwt.xml Thu Apr 7 03:48:02 2011
+++ /releases/2.3/user/src/com/google/gwt/uibinder/UiBinder.gwt.xml Thu Apr 7 08:40:59 2011
@@ -23,13 +23,13 @@
<define-configuration-property name="uibinder.html.elementfactory" is-multi-valued="false"/>
<set-configuration-property name="uibinder.html.elementfactory" value="com.google.gwt.uibinder.rebind.GwtDomHtmlElementFactory"/>

- <!-- By default UiBinder implementations are generated to use SafeHtmlTemplates
- to help protect against the introduction of cross-site scripting (XSS) attacks.
- This deprecated property can be used to disable that integration while the
- kinks are worked out. Its use is strongly discouraged, and the property will
-    be removed in the near future. -->
- <define-configuration-property name="UiBinder.useSafeHtmlTemplates" is-multi-valued="false"/>
- <set-configuration-property name="UiBinder.useSafeHtmlTemplates" value="true"/>
+  <!-- Set this property to true to turn on UiBinder's new
+  SafeHtmlTemplates integration. The default value will be true in
+  future releases of GWT -->
+  <define-configuration-property name="UiBinder.useSafeHtmlTemplates"
+  is-multi-valued="false"/>
+  <set-configuration-property name="UiBinder.useSafeHtmlTemplates"
+  value="false"/>

   <generate-with class="com.google.gwt.uibinder.rebind.UiBinderGenerator">
     <when-type-assignable class="com.google.gwt.uibinder.client.UiBinder"/>
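Review bot: The replacement comment above `UiBinder.useSafeHtmlTemplates` no longer says what the property protects against, while the default it documents is now `false`. The removed comment tied the setting to cross-site scripting protection; without it, someone reading the module file has no hint that the shipped default leaves UiBinder output without the SafeHtmlTemplates integration. I would keep the security context in the new comment, for example `<!-- SafeHtmlTemplates integration helps protect against cross-site scripting (XSS); it is off by default in this release. Set this property to true to enable it. -->`.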
=======================================
--- /releases/2.3/user/src/com/google/gwt/uibinder/rebind/UiBinderGenerator.java Thu Apr 7 03:48:02 2011
+++ /releases/2.3/user/src/com/google/gwt/uibinder/rebind/UiBinderGenerator.java Thu Apr 7 08:40:59 2011
@@ -51,6 +51,8 @@
private static final String ELEMENT_FACTORY_PROPERTY = "uibinder.html.elementfactory";

private static final String XSS_SAFE_CONFIG_PROPERTY = "UiBinder.useSafeHtmlTemplates";
+
+  private static boolean xssWarningGiven = false;

   /**
* Given a UiBinder interface, return the path to its ui.xml file, suitable
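Review bot: `xssWarningGiven` is an unsynchronized mutable static, so the XSS warning is emitted once per JVM rather than once per module or per compile. If the generator runs in a long-lived process (the page does not show how it is hosted), later builds that still have the integration off get no warning at all. The same flag is read and set in the hunk at line 220. At minimum I would document the scope on the field, e.g. `// Logged once per JVM, not per module: later compiles in the same process stay silent.`; a flag scoped to the current compilation would be preferable if one is available.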
@@ -218,10 +220,12 @@

     Boolean rtn = Boolean.valueOf(value);

-    if (!rtn) {
+    if (!rtn && !xssWarningGiven) {
logger.warn("Configuration property %s is false! UiBinder SafeHtml integration is off, "
- + "leaving your users more vulnerable to cross-site scripting attacks.",
+ + "leaving your users more vulnerable to cross-site scripting attacks. This "
+          + "property will default to true in future releases of GWT.",
           XSS_SAFE_CONFIG_PROPERTY);
+      xssWarningGiven = true;
     }
     return rtn;
   }
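Review bot: The warning guarded by `if (!rtn && !xssWarningGiven)` now fires on the shipped default, yet the message never says how to turn the protection on. After this commit `false` is what UiBinder.gwt.xml sets, so "is false!" reads like a misconfiguration when the user has changed nothing. I would put the remedy in the text, e.g. `+ "Set it to true in your module file to enable SafeHtmlTemplates. This "` ahead of the existing "property will default to true" line. The enclosing method starts outside the hunk, so how `value` is read is not visible here.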

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
