I renamed SafeCssProperties to SafeStyles, but I left the package as com.google.gwt.css so we can add more CSS support in the future (such as support for CSS in a CSS file or a style tag). The generator now throws an error if SafeStyles doesn't appear in the CSS_ATTRIBUTE_START context.

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safecss/shared/SafeCssProperties.java
File user/src/com/google/gwt/safecss/shared/SafeCssProperties.java (right):

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safecss/shared/SafeCssProperties.java#newcode46
user/src/com/google/gwt/safecss/shared/SafeCssProperties.java:46: * By convention, {@link SafeCssProperties} should only contain single quotes
On 2011/03/14 23:10:02, xtof wrote:
Since SafeHtmlTemplates has been changed to HTML-escape the value of style attributes, perhaps it might avoid some confusion to remove the suggestion about the quotes.

It wouldn't hurt to instead remind users that SafeCssProperties strings may contain literal single or double quotes, and as such the entire CSS must be HTML escaped when used in a style attribute.

One thing that is important to require is that SafeCssProperties may never contain literal angle brackets. Otherwise, it could be unsafe to place a SafeCssProperties into a <style> tag (where it can't be HTML escaped), e.g. if the SafeCssProperties such as font: 'foo </style><script>evil</script>' is used in a style sheet in a <style> tag; this could then break out of the style context into HTML.

Done.

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java
File user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java (right):

http://gwt-code-reviews.appspot.com/1384801/diff/6006/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java#newcode185
user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java:185: // escaping it.
On 2011/03/14 23:10:02, xtof wrote:
Perhaps remove the "without escaping it" since it is now escaped after all?

Done.

http://gwt-code-reviews.appspot.com/1384801/

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
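
The two contexts discussed in this review, as an added example that is not part of the original message and is not GWT code: a style value is HTML-escaped when written into a style attribute, and rejected outright if it contains literal angle brackets, since that is the only guard available inside a <style> element. The class and method names are hypothetical, and the sample inputs are constructed except for the font value quoted in the review.

```java
// Added illustration, not GWT code; all names here are hypothetical.
public class StyleContextDemo {

  // Requirement from the review: the value may never contain literal angle brackets.
  // This covers only the context break-out discussed above, not other CSS validation.
  static String requireNoAngleBrackets(String css) {
    if (css.indexOf('<') >= 0 || css.indexOf('>') >= 0) {
      throw new IllegalArgumentException("literal angle bracket in CSS value");
    }
    return css;
  }

  // Minimal HTML escaping. Quotes are legal inside CSS, so they are escaped
  // here, at the point where the value enters an HTML attribute.
  static String escapeHtml(String s) {
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
        .replace("\"", "&quot;").replace("'", "&#39;");
  }

  // Style attribute: the entire CSS string is HTML-escaped.
  static String inStyleAttribute(String css) {
    return "<div style=\"" + escapeHtml(requireNoAngleBrackets(css)) + "\"></div>";
  }

  // <style> element: the content cannot be HTML-escaped, so the bracket
  // check is what keeps the value inside the style context.
  static String inStyleElement(String selector, String css) {
    return "<style>" + selector + " { " + requireNoAngleBrackets(css) + " }</style>";
  }

  public static void main(String[] args) {
    String[] samples = {               // constructed inputs
      "font-family: 'Times New Roman'",
      "font-family: \"Arial\"",
      "font: 'foo </style><script>evil</script>'"  // value quoted in the review
    };
    for (String css : samples) {
      try {
        System.out.println(inStyleAttribute(css));
        System.out.println(inStyleElement(".x", css));
      } catch (IllegalArgumentException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```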