Apparently I was reading too fast :(...
I seem to need the class SimpleHtmlSanitizer.
Thanks for the tip.
I am using it now, but noticed that sanitizeHtml always returns a
SafeHtml object:
    public static SafeHtml sanitizeHtml(String html);
That's often not what I want, especially not when migrating to its
usage. I'd rather have it return a string, but that method is private:
    private static String simpleSanitize(String text) {
as it would save me the creation of an object that I don't use.
I use it at this moment through a central method in my UtilsGwt:
    public static String toSafeString(final String text) {
        return SimpleHtmlSanitizer.sanitizeHtml(text).asString();
    }
Besides that, I see you throw an exception if the specified html is
null:
    public static SafeHtml sanitizeHtml(String html) {
        if (html == null) {
            throw new NullPointerException("html is null");
        }
        return new SafeHtmlString(simpleSanitize(html));
    }
I would prefer you just return null, especially as it's valid to set
null as: element.innerHtml(null)
Hmmm, I also see that <span> is escaped, so I'm probably better off
creating my own sanitizer ;)..
It would be nice if there were a default sanitizer that you could
configure, maybe (flexible whitelist)..
Just one question: why are elements such as div and span not whitelisted?
I think because you could do something like:
<div onclick="javascript:alert('send help. stuck in adom');">
or not?
--
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
For more options, visit this group at
http://groups.google.com/group/google-web-toolkit?hl=en.
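As an added illustration of the point raised in the post (not code from GWT or from the poster): a plain-Java whitelist sanitizer built the same way SimpleHtmlSanitizer is documented to work, escaping the whole input and then restoring only whitelisted tags that carry no attributes. Even with div and span on the whitelist, a tag that carries an onclick attribute stays escaped, so the handler never reaches the DOM; the null-in/null-out behaviour and the class name BareTagSanitizer are assumptions made for this example.

```java
import java.util.Set;

/** Escape everything, then restore only attribute-free whitelisted tags
 *  (hypothetical class, modelled on the approach SimpleHtmlSanitizer documents). */
public final class BareTagSanitizer {
    private final Set<String> allowedTags;

    public BareTagSanitizer(Set<String> allowedTags) {
        this.allowedTags = allowedTags;
    }

    /** Escapes the five HTML metacharacters. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    /** Returns null for null input (the behaviour the post asks for; GWT throws). */
    public String sanitize(String html) {
        if (html == null) return null;
        String[] parts = html.split("<", -1);
        StringBuilder out = new StringBuilder(escape(parts[0]));
        for (int i = 1; i < parts.length; i++) {
            String part = parts[i];
            int gt = part.indexOf('>');
            // candidate tag text is everything between '<' and the first '>'
            String tag = gt < 0 ? null : part.substring(0, gt);
            String name = tag == null ? null : tag.startsWith("/") ? tag.substring(1) : tag;
            if (name != null && allowedTags.contains(name.toLowerCase())) {
                // bare whitelisted tag: restore it, escape the text that follows
                out.append('<').append(tag).append('>').append(escape(part.substring(gt + 1)));
            } else {
                // unknown tag, or a known tag with attributes/whitespace: stays escaped
                out.append("&lt;").append(escape(part));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        BareTagSanitizer s = new BareTagSanitizer(Set.of("b", "i", "span", "div"));
        // constructed sample inputs: a harmless span and a div carrying an event handler
        System.out.println(s.sanitize("<span>ok</span> <b>bold</b>"));
        System.out.println(s.sanitize("<div onclick=\"alert(1)\">x</div>"));
        System.out.println(s.sanitize(null));
    }
}
```

The second line printed keeps the opening div escaped as text because its tag string contains the attribute, while the bare closing tag is restored; the stray closing tag is harmless.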