http://gwt-code-reviews.appspot.com/1447812/diff/1/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java
File user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java (right):

http://gwt-code-reviews.appspot.com/1447812/diff/1/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java#newcode305
user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java:305: // not a fatal error.
On 2011/06/02 13:47:05, jlabanca wrote:
> Why isn't this a fatal error? Using a SafeUri in the middle of a URL attribute
> seems just as bad as the above case, and using it outside of the URL context
> seems like a dev mistake.

I think I agree; we should treat this analogously to the SafeStyles case above. Thomas, ok with you to make that change?

http://gwt-code-reviews.appspot.com/1447812/diff/1/user/src/com/google/gwt/safehtml/shared/UriUtils.java
File user/src/com/google/gwt/safehtml/shared/UriUtils.java (right):

http://gwt-code-reviews.appspot.com/1447812/diff/1/user/src/com/google/gwt/safehtml/shared/UriUtils.java#newcode209
user/src/com/google/gwt/safehtml/shared/UriUtils.java:209: * safe!</strong>
On 2011/06/02 13:47:05, jlabanca wrote:
> This method worries me. When I saw the name, I assumed it was the equivalent of
> fromString(). Anyone who looks at the method name without reading the JavaDoc
> might assume the same.
>
> I suggest we remove the method and let users manage unsafe URIs. That forces
> the user to make the tough decisions, whether they sanitize the URI, or call
> fromTrustedString() even if the URI isn't trusted.

This method is intended for use in places where a string we don't know anything about needs to be turned into a SafeUri in a legacy-API situation. For instance in this CL, the Image class has been refactored to use SafeUri internally. However, it retains the Image(String uri) constructor, which uses this method to turn the string into a SafeUri to call the Image(SafeUri uri) constructor with.

I'd prefer that we don't use the fromTrustedString method in those situations: Use of that method is essentially an assertion by the programmer that they can ensure from context that the argument satisfies the SafeUri contract. In the Image(String) case, this is not so.

I agree that the name isn't scary enough though. Perhaps, "unsafeCastFromUntrustedString" or something like that?

http://gwt-code-reviews.appspot.com/1447812/

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
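
The three ways of obtaining a SafeUri that this thread weighs, as an added Java sketch that is not GWT's code and not part of the original message. Only the method and class names come from the discussion; the class bodies, the scheme allow-list and the "#" fallback are assumptions of the sketch.

```java
import java.util.Locale;
import java.util.Set;
// Simplified stand-in for the SafeUri type discussed in the thread; not GWT's class.
final class SafeUri {
    // Assumption of this sketch: the schemes the sanitizing factory lets through.
    private static final Set<String> SAFE_SCHEMES = Set.of("http", "https", "mailto");
    private final String uri;
    private SafeUri(String uri) { this.uri = uri; }
    String asString() { return uri; }
    // Sanitizing factory: relative URIs and allow-listed schemes pass, the rest becomes "#".
    static SafeUri fromString(String s) {
        int colon = schemeEnd(s);
        if (colon < 0) return new SafeUri(s);
        String scheme = s.substring(0, colon).toLowerCase(Locale.ROOT);
        return new SafeUri(SAFE_SCHEMES.contains(scheme) ? s : "#");
    }

    // The caller asserts, from context, that s already satisfies the SafeUri contract.
    static SafeUri fromTrustedString(String s) { return new SafeUri(s); }

    // No check and no assertion: the name marks every call site for audit.
    static SafeUri unsafeCastFromUntrustedString(String s) { return new SafeUri(s); }

    // Index of the ':' ending a scheme, or -1 when the URI is relative.
    private static int schemeEnd(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == ':') return i;
            if (c == '/' || c == '?' || c == '#') return -1;
        }
        return -1;
    }
}

final class Image {
    private final SafeUri src;
    Image(SafeUri src) { this.src = src; }
    // Legacy constructor: nothing is known about the string, so the cast is spelled out.
    Image(String uri) { this(SafeUri.unsafeCastFromUntrustedString(uri)); }
    String src() { return src.asString(); }
}

public class SafeUriContractDemo {
    public static void main(String[] args) {
        String untrusted = "javascript:alert(1)"; // constructed sample input
        System.out.println("legacy Image(String): " + new Image(untrusted).src());
        System.out.println("via fromString:       " + new Image(SafeUri.fromString(untrusted)).src());
    }
}
```

Searching a code base for unsafeCastFromUntrustedString then lists the legacy entry points whose inputs still need review, which a reuse of fromTrustedString would hide among genuinely trusted call sites.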