I renamed SafeCssProperties to SafeStyles, but I left the package as
com.google.gwt.css so we can add more CSS support in the future (such as
support for CSS in a CSS file or a style tag). The generator now throws
an error if SafeStyles doesn't appear in the CSS_ATTRIBUTE_START
context.


http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safecss/shared/SafeCssProperties.java
File user/src/com/google/gwt/safecss/shared/SafeCssProperties.java (right):

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safecss/shared/SafeCssProperties.java#newcode46
user/src/com/google/gwt/safecss/shared/SafeCssProperties.java:46: * By convention, {@link SafeCssProperties} should only contain single quotes
On 2011/03/14 23:10:02, xtof wrote:
Since SafeHtmlTemplates has been changed to HTML-escape the value of style attributes, perhaps it might avoid some confusion to remove the suggestion about the quotes.

It wouldn't hurt to instead remind users that SafeCssProperties strings may contain literal single or double quotes, and as such the entire CSS must be HTML escaped when used in a style attribute.

One thing that is important to require is that SafeCssProperties may never contain literal angle brackets. Otherwise, it could be unsafe to place a SafeCssProperties into a <style> tag (where it can't be HTML escaped), e.g. if the SafeCssProperties such as
font: 'foo </style><script>evil</script>'
is used in a style sheet in a <style> tag; this could then break out of the style context into HTML.

Done.

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java
File user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java (right):

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java#newcode185
user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java:185: // escaping it.
On 2011/03/14 23:10:02, xtof wrote:
Perhaps remove the "without escaping it" since it is now escaped after
all?

Done.

http://gwt-code-reviews.appspot.com/1384801/

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
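As an added illustration of the two rules the reviewer asks for (example code written for this note, not part of the GWT change under review; the CssGuard class and its method names are hypothetical): a style value may carry single or double quotes, so it is HTML-escaped as a whole when emitted into a style attribute, but it may never carry angle brackets, because a <style> element offers no escaping and the quoted `font: 'foo </style>...'` value would end the style context.

```java
// Added example, not GWT code. CssGuard and its methods are hypothetical names.
public final class CssGuard {
  // Rule 1: a value destined for a <style> element may never contain literal
  // angle brackets, since nothing inside <style> is HTML-escaped and "</style>"
  // would close the element and return the parser to HTML context.
  public static boolean isSafeForStyleElement(String css) {
    return css.indexOf('<') < 0 && css.indexOf('>') < 0;
  }
  // Rule 2: quotes are legitimate in CSS, so a value placed in a style
  // attribute is escaped as a whole; the escaper covers both quote kinds.
  public static String htmlEscape(String s) {
    StringBuilder sb = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '&':  sb.append("&amp;");  break;
        case '<':  sb.append("&lt;");   break;
        case '>':  sb.append("&gt;");   break;
        case '"':  sb.append("&quot;"); break;
        case '\'': sb.append("&#39;");  break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }
  // Attribute context: always escaped, so quotes and brackets are inert.
  public static String styleAttribute(String css) {
    return "style=\"" + htmlEscape(css) + "\"";
  }
  // Element context: cannot escape, so reject anything that could break out.
  public static String styleElement(String css) {
    if (!isSafeForStyleElement(css)) {
      throw new IllegalArgumentException("angle brackets not allowed in <style>: " + css);
    }
    return "<style>" + css + "</style>";
  }
  public static void main(String[] args) {
    String quoted = "font-family: 'Times New Roman'";               // constructed input
    String breakout = "font: 'foo </style><script>evil</script>'";  // value quoted in the review
    System.out.println(styleAttribute(quoted));   // quotes escaped, CSS still valid
    System.out.println(styleElement(quoted));     // accepted: no angle brackets
    System.out.println(styleAttribute(breakout)); // escaped, cannot leave the attribute
    try {
      styleElement(breakout);                     // rejected before it reaches the page
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```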
