I implemented SafeStylesHostedModeUtils with some basic checks for the
style name and extensive checks for the style value. The name is easier
because it has a limited set of rules. The value has a lot of rules,
such as matching parentheses, escaping characters, and handling quotes
and URLs. I think I did a good job of covering the common cases.
On 2011/06/17 16:09:58, jlabanca wrote:
http://gwt-code-reviews.appspot.com/1454808/diff/1/user/src/com/google/gwt/safecss/SafeCss.gwt.xml
File user/src/com/google/gwt/safecss/SafeCss.gwt.xml (right):
http://gwt-code-reviews.appspot.com/1454808/diff/1/user/src/com/google/gwt/safecss/SafeCss.gwt.xml#newcode21
user/src/com/google/gwt/safecss/SafeCss.gwt.xml:21: <inherits
name="com.google.gwt.user.UserAgent"/>
On 2011/06/09 20:33:05, tbroyer wrote:
> Shouldn't you inherit c.g.g.dom.Dom?
It isn't needed because we're only doing string manipulation. That's
also good because it means it works in the JVM world.
http://gwt-code-reviews.appspot.com/1454808/diff/1/user/src/com/google/gwt/safecss/SafeCss.gwt.xml#newcode24
user/src/com/google/gwt/safecss/SafeCss.gwt.xml:24: <when-type-is
class="com.google.gwt.safecss.shared.SafeStylesUtils.ImplTrident" />
On 2011/06/09 20:33:05, tbroyer wrote:
> Did you mean SafeStylesUtils.Impl instead?
> Also, if it doesn't apply to IE9, maybe it needs a better name than
> "trident";
> something like Ie6To8 maybe?
Done.
http://gwt-code-reviews.appspot.com/1454808/diff/1/user/src/com/google/gwt/safecss/shared/SafeStylesUtils.java
File user/src/com/google/gwt/safecss/shared/SafeStylesUtils.java
(right):
http://gwt-code-reviews.appspot.com/1454808/diff/1/user/src/com/google/gwt/safecss/shared/SafeStylesUtils.java#newcode53
user/src/com/google/gwt/safecss/shared/SafeStylesUtils.java:53: * The server
doesn't know necessarily know the user agent of the client, so
On 2011/06/09 20:33:05, tbroyer wrote:
> duplicated "know"
Done.
http://gwt-code-reviews.appspot.com/1454808/diff/1/user/src/com/google/gwt/safecss/shared/SafeStylesUtils.java#newcode494
user/src/com/google/gwt/safecss/shared/SafeStylesUtils.java:494: return
fromTrustedString(name + ":" + SafeHtmlUtils.htmlEscape(value) + ";");
On 2011/06/09 20:33:05, tbroyer wrote:
> If the SafeStyles is passed to a SafeHtmlTemplates, won't it be
> double-escaped then?
Removed the escape from this code since the method assumes it's
trusted.
>
> There should also be an 'assert value.indexOf(';') < 0' (maybe a few
> other checks, maybe a SafeStylesHostedModeUtils, or at least a TODO for
> it)
Done - added SafeStylesHostedModeUtils with reasonable checking based
on the CSS specs.
It turns out that it's more difficult than just checking for a
semi-colon. Semi-colons are allowed within quotes and within a URL (and
they are used in data URLs). They are also allowed if escaped, but the
checks do not allow them if they are escaped.
http://gwt-code-reviews.appspot.com/1454808/
--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
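The thread above explains why a naive `value.indexOf(';') < 0` assertion is not enough for a CSS declaration value: semicolons are legal inside quoted strings and inside `url(...)` (data URLs in particular), quotes can contain escaped quote characters, and parentheses have to balance. The following is an added, stand-alone example of such a checker; it is not GWT's SafeStylesHostedModeUtils and the class, method and rule set (`CssStyleValueChecker`, `isValidName`, `isValidValue`, `declaration`, the ASCII-only identifier pattern) are this example's own assumptions. Like the behaviour described in the thread, it deliberately rejects a backslash-escaped `;` outside quotes and `url()`, even though CSS itself would allow it.

```java
import java.util.regex.Pattern;

/**
 * Illustrative hosted-mode style checks for one CSS declaration "name:value;".
 * Example code written for this discussion, not the GWT project's own code.
 */
public final class CssStyleValueChecker {

  // Simplified CSS identifier (ASCII subset; real CSS also allows escapes and non-ASCII).
  private static final Pattern NAME = Pattern.compile("-?[A-Za-z_][A-Za-z0-9_-]*");

  /** Property names have a small rule set: a plain identifier, so no ':' or ';' can sneak in. */
  public static boolean isValidName(String name) {
    return name != null && NAME.matcher(name).matches();
  }

  /**
   * Property values: no ';' outside quoted strings or url(), balanced parentheses,
   * terminated quotes. A backslash-escaped ';' in plain context is still rejected
   * (conservative, as in the thread), so "\\;" fails even though CSS permits it.
   */
  public static boolean isValidValue(String value) {
    if (value == null) return false;
    int depth = 0;
    int i = 0;
    int n = value.length();
    while (i < n) {
      char c = value.charAt(i);
      if (c == '"' || c == '\'') {
        int end = skipQuotedString(value, i);
        if (end < 0) return false;           // unterminated or raw newline inside string
        i = end;
        continue;
      }
      if (c == ';') return false;            // would start a second declaration
      if (c == '(') {
        if (isUrlFunction(value, i)) {
          int end = skipUrlBody(value, i + 1); // ';' is fine in here (data: URLs)
          if (end < 0) return false;
          i = end;                             // skipUrlBody consumed the closing ')'
          continue;
        }
        depth++;
      } else if (c == ')') {
        if (depth == 0) return false;
        depth--;
      }
      i++;
    }
    return depth == 0;
  }

  /** Builds "name:value;" or throws, mirroring an assert-style check in hosted mode. */
  public static String declaration(String name, String value) {
    if (!isValidName(name)) throw new IllegalArgumentException("bad CSS property name: " + name);
    if (!isValidValue(value)) throw new IllegalArgumentException("bad CSS value: " + value);
    return name + ":" + value + ";";
  }

  // Returns the index just past the closing quote, or -1 if the string never closes.
  private static int skipQuotedString(String s, int start) {
    char quote = s.charAt(start);
    int i = start + 1;
    while (i < s.length()) {
      char c = s.charAt(i);
      if (c == '\\') { i += 2; continue; }   // backslash escapes the next char, e.g. \" or \'
      if (c == quote) return i + 1;
      if (c == '\n') return -1;              // unescaped newline terminates (invalidates) a string
      i++;
    }
    return -1;
  }

  // True when the '(' at parenIndex is the opening paren of url( ... ), case-insensitively.
  private static boolean isUrlFunction(String s, int parenIndex) {
    if (parenIndex < 3 || !s.substring(parenIndex - 3, parenIndex).equalsIgnoreCase("url")) return false;
    if (parenIndex == 3) return true;
    char before = s.charAt(parenIndex - 4);
    return !(Character.isLetterOrDigit(before) || before == '-' || before == '_');
  }

  // Parses the body of url( ... ) starting at start; returns index past ')' or -1 if malformed.
  private static int skipUrlBody(String s, int start) {
    int n = s.length();
    int i = start;
    while (i < n && Character.isWhitespace(s.charAt(i))) i++;
    if (i < n && (s.charAt(i) == '"' || s.charAt(i) == '\'')) {  // quoted URL: string rules apply
      i = skipQuotedString(s, i);
      if (i < 0) return -1;
    } else {                                                    // unquoted URL
      while (i < n) {
        char c = s.charAt(i);
        if (c == '\\') { i += 2; continue; }
        if (c == ')') return i + 1;
        if (c == '"' || c == '\'' || c == '(') return -1;       // must be escaped in unquoted urls
        if (Character.isWhitespace(c)) break;                   // only trailing whitespace allowed
        i++;
      }
    }
    while (i < n && Character.isWhitespace(s.charAt(i))) i++;
    return (i < n && s.charAt(i) == ')') ? i + 1 : -1;
  }

  public static void main(String[] args) {
    // Constructed inputs: the cases the thread calls out.
    String[] ok = { "red", "url(data:image/png;base64,iVBORw0KGgo=)", "url(\"a;b.png\")",
                    "'it\\'s'", "url( a.png )", "rgb(1, 2, 3)" };
    String[] bad = { "red; color: blue", "\\;", "\"unterminated", "rgb(1,2,3", "rgb(1,2,3))", "url(a b)" };
    for (String v : ok)  System.out.println((isValidValue(v) ? "ok   " : "FAIL ") + v);
    for (String v : bad) System.out.println((isValidValue(v) ? "FAIL " : "rej  ") + v);
    System.out.println(declaration("background-color", "url(data:image/png;base64,AAAA)"));
  }
}
```

Expected behaviour on the constructed inputs: every entry in `ok` is accepted, every entry in `bad` is rejected, and `declaration("color", "red;x:y")` throws. Escaped quotes inside strings are handled by skipping the character after a backslash, which is also what keeps a `url("...")` body from ending early on `\"`.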