On Mon, Apr 11, 2011 at 17:54, <[email protected]> wrote:

> Note that the CSS spec talks about using '\(', not '\028'. I however
> have absolutely no idea how well this is supported by browsers.

I think I read somewhere that this doesn't work in IE (which seems to interpret \ literally in URLs because Windows users keep typing things like http:\\example.com\ into URL bars). I should test this...

> We already have the warning about "SafeUri outside URL-attribute
> context", we sure could specialize the message a bit for the CSS
> context.

I see what you mean. Either way is fine by me ;)

>> I think you're right; sanitizeUri should %-escape characters not
>> allowed by RFC 3986. Looks like passing the string through
>> http://google-web-toolkit.googlecode.com/svn/javadoc/latest/com/google/gwt/http/client/URL.html#encode%28java.lang.String%29
>> would be sufficient? Anyway, I'll take a TODO item for this.
>
> URL.encode wouldn't preserve existing %-escapes and would replace, e.g.
> %28 with %2528. The algorithm should probably be similar to
> htmlEscapeAllowEntities (i.e. split on %-escapes and encode the rest).
> Also, URL.encode doesn't %-escape single quotes and parentheses.

Got it; yup you're right.

> Finally, URL.encode is "client side only", so an equivalent "pure Java"
> algorithm should be written for "the JVM" (that would be less efficient
> in the browser). Maybe let's start with a single, shared, algorithm
> and add the URL.encode-based one later (and benchmark!)

SGTM...

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
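
The algorithm sketched in the thread (keep existing %-escapes, percent-encode everything RFC 3986 does not allow, and also escape single quotes and parentheses), as an added pure-Java example. It is not code from this thread or from GWT; the class name `PercentEscaper`, its `escape` method and the sample inputs are hypothetical.

```java
import java.nio.charset.StandardCharsets;

/** Hypothetical helper illustrating the thread's proposal; not GWT's own code. */
public final class PercentEscaper {
  // RFC 3986 unreserved + reserved characters, minus ' ( ) which the thread
  // wants escaped too (they can terminate a CSS url(...) or a quoted attribute).
  private static final String ALLOWED =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
      + "-._~:/?#[]@!$&*+,;=";
  private static final char[] HEX = "0123456789ABCDEF".toCharArray();

  private static boolean isHex(char c) {
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
  }

  public static String escape(String uri) {
    StringBuilder out = new StringBuilder(uri.length() + 16);
    int i = 0;
    while (i < uri.length()) {
      char c = uri.charAt(i);
      if (c == '%' && i + 2 < uri.length()
          && isHex(uri.charAt(i + 1)) && isHex(uri.charAt(i + 2))) {
        // Existing, well-formed %-escape: copy verbatim so %28 stays %28
        // instead of becoming %2528.
        out.append(uri, i, i + 3);
        i += 3;
      } else if (ALLOWED.indexOf(c) >= 0) {
        out.append(c);
        i++;
      } else {
        // Everything else, including a stray '%', is encoded as UTF-8 bytes.
        int cp = uri.codePointAt(i);
        byte[] utf8 = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
        for (byte b : utf8) {
          out.append('%').append(HEX[(b >> 4) & 0xF]).append(HEX[b & 0xF]);
        }
        i += Character.charCount(cp);
      }
    }
    return out.toString();
  }

  public static void main(String[] args) {
    // Constructed sample inputs.
    System.out.println(escape("http://example.com/a%28b)")); // http://example.com/a%28b%29
    System.out.println(escape("img/it's (1).png"));          // img/it%27s%20%281%29.png
    System.out.println(escape("sale/100%"));                 // sale/100%25
  }
}
```

Because well-formed escapes are copied through and every other `%` becomes `%25`, running `escape` on its own output returns the same string.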
