As a best practice, it is usually best to "unwrap" (call
safehtml.asString()) as close to the value's use as possible. When
migrating you can replace many String occurrences with SafeHtml, and
widgets provide SafeHtml-aware methods that will automatically handle
your SafeHtml object. The toSafeString(String) method is private for
this reason: to encourage passing around SafeHtml instead of String.
Does an attribute-less <span> tag do anything? Allowing attributes
certainly makes <span> and <div> unsafe, as you point out with the
onclick example.
Creating your own sanitizer may be the way to go for your application,
as the one provided is quite simple (hence the name :) That said, it's
very easy to introduce security holes and I would recommend against
rolling your own. Large apps, for instance Google Wave, have been
written using SafeHtml and without custom sanitizers. (AFAIK)
Another option for you may be the SafeHtmlTemplates. The SafeHtml
guide I linked before gives all the details, and you can see some
additional uses of templates in practice in CellTable.java (and many
of the other Cell-based widgets.)
Example:
@Template("<div style=\"outline:none;\">{0}</div>")
SafeHtml div(SafeHtml contents);
Philip
On Dec 2, 2:15 pm, Ed <[email protected]> wrote:
> Apparently I was reading too fast :(...
> I seem to need the class SimpleHtmlSanitizer.
> Thanks for the tip.
>
> I am using it now, but noticed that sanitizeHtml always returns a
> SafeHtml object:
> public static SafeHtml sanitizeHtml(String html);
>
> That's often not what I want, especially not when migrating to its
> usage. I'd rather have it return a string, but that method is private:
> private static String simpleSanitize(String text) {
>
> As it saves me the creation of this object that I don't use.
> I use it at this moment through a central method in my UtilsGwt:
> public static String toSafeString(final String text) {
>     return SimpleHtmlSanitizer.sanitizeHtml(text).asString();
> }
>
> Besides that, I see you throw an exception if the specified html is
> null:
> public static SafeHtml sanitizeHtml(String html) {
>     if (html == null) {
>         throw new NullPointerException("html is null");
>     }
>     return new SafeHtmlString(simpleSanitize(html));
> }
>
> I would prefer you just return null, especially as it's valid to set
> null as: element.innerHtml(null)
>
> Hmmm, I also see that <span> is escaped, so I'm probably better off
> creating my own sanitizer ;)..
> It would be nice if there were a default sanitizer that you could
> configure, maybe (flexible white list)..
>
> Just one question: why are elements such as div and span not whitelisted?
> I think because you could do something like:
> <div onclick="javascript:alert('send help. stuck in adom');">
>
> or not?
--
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
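The pattern Philip is recommending, as an added example that is not code from the thread or from GWT itself: user input is sanitized once, stays a SafeHtml on its way through the code, is combined with trusted markup through a SafeHtmlTemplates interface, and is only handed to the DOM at the sink. The class name CommentView, the Templates interface and the comment() method are illustrative; the GWT.create() call needs a GWT client module to compile, the rest uses the public GWT 2.1+ API.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SimpleHtmlSanitizer;
import com.google.gwt.user.client.ui.HTML;

/**
 * Illustrative class (assumed, not from the thread or from GWT): user text flows
 * from the sanitizer to the widget as SafeHtml and is rendered only at the sink.
 */
public class CommentView {

  /**
   * Template holes are typed: a String parameter in HTML text context is escaped by
   * the generated code, a SafeHtml parameter is inserted as-is on the strength of
   * its contract. The trusted markup (div, span, class attributes) lives here, so
   * it never has to be on the sanitizer's whitelist.
   */
  interface Templates extends SafeHtmlTemplates {
    @Template("<div class=\"comment\"><span class=\"author\">{0}</span> {1}</div>")
    SafeHtml comment(String author, SafeHtml body);
  }

  private static final Templates TEMPLATES = GWT.create(Templates.class);

  /**
   * author is plain text, never markup, so it goes into the String hole and is escaped.
   * body may carry simple user formatting, so it is sanitized rather than escaped:
   * the sanitizer keeps its fixed set of attribute-less tags and turns everything
   * else, including an unlisted <span> or a <div onclick="...">, into literal text.
   * sanitizeHtml(null) throws, so null is mapped to the empty string before the call.
   */
  public static SafeHtml render(String author, String body) {
    SafeHtml safeBody = SimpleHtmlSanitizer.sanitizeHtml(body == null ? "" : body);
    return TEMPLATES.comment(author == null ? "" : author, safeBody);
  }

  /** The sink accepts SafeHtml directly: no String copy of the markup is passed around. */
  public static HTML widget(String author, String body) {
    HTML html = new HTML();
    html.setHTML(render(author, body));
    return html;
  }

  /** When no user markup is wanted at all, escape instead of sanitizing. */
  public static SafeHtml plain(String text) {
    return SafeHtmlUtils.fromString(text == null ? "" : text);
  }
}
```

Two things to notice. The sanitized body goes into a SafeHtml hole, so the template does no further escaping on it: SimpleHtmlSanitizer is the only thing standing between that input and the DOM, which is why swapping it for a home-grown whitelist is the risky step. And asString() is never called here; HTML.setHTML(SafeHtml) consumes the typed value, so an intermediate String that could later be concatenated into something else never exists.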