Revision: 9979
Author: [email protected]
Date: Tue Apr 12 09:34:50 2011
Log: Escape single characters in SafeHtmlBuilder/SafeHtmlUtils
(external issue 6222)
Review at http://gwt-code-reviews.appspot.com/1413802
http://code.google.com/p/google-web-toolkit/source/detail?r=9979
Modified:
/trunk/user/src/com/google/gwt/safehtml/shared/SafeHtmlBuilder.java
/trunk/user/src/com/google/gwt/safehtml/shared/SafeHtmlUtils.java
/trunk/user/test/com/google/gwt/safehtml/shared/GwtSafeHtmlBuilderTest.java
/trunk/user/test/com/google/gwt/safehtml/shared/GwtSafeHtmlUtilsTest.java
=======================================
--- /trunk/user/src/com/google/gwt/safehtml/shared/SafeHtmlBuilder.java Thu
Dec 16 11:33:51 2010
+++ /trunk/user/src/com/google/gwt/safehtml/shared/SafeHtmlBuilder.java Tue
Apr 12 09:34:50 2011
@@ -80,9 +80,10 @@
*
* @param c the character whose string representation to append
* @return a reference to this object
+ * @see SafeHtmlUtils#htmlEscape(char)
*/
public SafeHtmlBuilder append(char c) {
- sb.append(c);
+ sb.append(SafeHtmlUtils.htmlEscape(c));
return this;
}
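Review bot: The Javadoc for `append(char)` gains only an `@see`, although the method now emits entity references for metacharacters instead of appending them verbatim. The summary sentence sits above the hunk, so I cannot tell whether it already says this; if not, it should read something like `Appends the HTML-escaped string representation of a character.` Callers that used `append('<')` or similar to assemble markup will see different output after this change and would need `appendHtmlConstant` instead, which is worth stating in the release notes.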
@@ -147,6 +148,7 @@
*
* @param text the string to append
* @return a reference to this object
+ * @see SafeHtmlUtils#htmlEscape(String)
*/
public SafeHtmlBuilder appendEscaped(String text) {
sb.append(SafeHtmlUtils.htmlEscape(text));
@@ -156,10 +158,11 @@
/**
* Appends a string consisting of several newline-separated lines after
* HTML-escaping it. Newlines in the original string are converted to
{@code
- * <br>}.
+ * <br>} tags.
*
* @param text the string to append
* @return a reference to this object
+ * @see SafeHtmlUtils#htmlEscape(String)
*/
public SafeHtmlBuilder appendEscapedLines(String text) {
sb.append(SafeHtmlUtils.htmlEscape(text).replaceAll("\n", "<br>"));
=======================================
--- /trunk/user/src/com/google/gwt/safehtml/shared/SafeHtmlUtils.java Thu
Dec 16 11:33:51 2010
+++ /trunk/user/src/com/google/gwt/safehtml/shared/SafeHtmlUtils.java Tue
Apr 12 09:34:50 2011
@@ -37,7 +37,7 @@
private static final RegExp QUOT_RE = RegExp.compile("\"", "g");
/**
- * Returns a SafeHtml constructed from a safe string, i.e., without
escaping
+ * Returns a {@link SafeHtml} constructed from a safe string, i.e.,
without escaping
* the string.
*
* <p>
@@ -85,7 +85,7 @@
* Returns a {@link SafeHtml} containing the escaped string.
*
* @param s the input String
- * @return a SafeHtml instance
+ * @return a {@link SafeHtml} instance
*/
public static SafeHtml fromString(String s) {
return new SafeHtmlString(htmlEscape(s));
@@ -94,24 +94,59 @@
/**
* Returns a {@link SafeHtml} constructed from a trusted string, i.e.,
without
* escaping the string. No checks are performed. The calling code should
be
- * carefully reviewed to ensure the argument meets the SafeHtml contract.
+ * carefully reviewed to ensure the argument meets the {@link SafeHtml}
contract.
*
* @param s the input String
- * @return a SafeHtml instance
+ * @return a {@link SafeHtml} instance
*/
public static SafeHtml fromTrustedString(String s) {
return new SafeHtmlString(s);
}
+
+ /**
+ * HTML-escapes a character. HTML meta characters
+ * will be escaped as follows:
+ *
+ * <pre>
+ * & - &amp;
+ * < - &lt;
+ * > - &gt;
+ * " - &quot;
+ * ' - &#39;
+ * </pre>
+ *
+ * @param c the character to be escaped
+ * @return a string containing either the input character
+ * or an equivalent HTML Entity Reference
+ */
+ public static String htmlEscape(char c) {
+ switch (c) {
+ case '&':
+ return "&";
+ case '<':
+ return "<";
+ case '>':
+ return ">";
+ case '"':
+ return """;
+ case '\'':
+ return "'";
+ default:
+ return "" + c;
+ }
+ }
/**
* HTML-escapes a string.
*
* Note: The following variants of this function were profiled on FF36,
* Chrome6, IE8:
- * #1) for each case, check indexOf, then use s.replace(regex, string)
- * #2) for each case, check indexOf, then use s.replaceAll()
- * #3) check if any metachar is present using a regex, then use #1
- * #4) for each case, use s.replace(regex, string)
+ * <ol>
+ * <li>For each case, check indexOf, then use s.replace(regex,
string)</li>
+ * <li>For each case, check indexOf, then use s.replaceAll()</li>
+ * <li>Check if any metachar is present using a regex, then use #1</li>
+ * <li>For each case, use s.replace(regex, string)</li>
+ * </ol>
*
* #1 was found to be the fastest, and is used below.
*
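Review bot: The Javadoc of the new `htmlEscape(char)` lists the five replacements but not the contexts in which they are sufficient. I would add `The result is suitable for HTML text and quoted attribute values only; it does not make a character safe in unquoted attributes, script, style or URL contexts.` so the overload is not mistaken for a general-purpose encoder. In the default branch, `return String.valueOf(c);` states the intent more directly than `"" + c`. The string literals in the `case` branches appear entity-decoded on this page (`return """;` would not compile), so the right-hand column of the Javadoc table, not the rendered literals, is the reference for the intended output. The hunk ends inside the Javadoc of `htmlEscape(String)`, which continues below it.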
=======================================
---
/trunk/user/test/com/google/gwt/safehtml/shared/GwtSafeHtmlBuilderTest.java
Mon Sep 20 07:10:58 2010
+++
/trunk/user/test/com/google/gwt/safehtml/shared/GwtSafeHtmlBuilderTest.java
Tue Apr 12 09:34:50 2011
@@ -69,6 +69,24 @@
// expected
}
}
+
+ public void testAppendChars() {
+ SafeHtmlBuilder b = new SafeHtmlBuilder();
+ b.append('a');
+ b.append('&');
+ b.append('b');
+ b.append('<');
+ b.append('c');
+ b.append('>');
+ b.append('d');
+ b.append('"');
+ b.append('e');
+ b.append('\'');
+ b.append('f');
+
+ SafeHtml html = b.toSafeHtml();
+ assertEquals("a&b<c>d"e'f", html.asString());
+ }
@Override
public String getModuleName() {
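Review bot: `testAppendChars` pins the expected output as a hand-written literal, so nothing ties `append(char)` to the existing String escaping path; the same applies to `testEscape_chars` in GwtSafeHtmlUtilsTest. A later change to one escaper would only be caught if both sets of literals were updated in step. I would add a cross-check per metacharacter, for example `assertEquals(SafeHtmlUtils.htmlEscape("&"), SafeHtmlUtils.htmlEscape('&'));`, and in the builder test compare against `new SafeHtmlBuilder().appendEscaped("a&b").toSafeHtml().asString()`. A pass-through case for a non-ASCII character would also confirm that the default branch leaves other input untouched.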
=======================================
---
/trunk/user/test/com/google/gwt/safehtml/shared/GwtSafeHtmlUtilsTest.java
Mon Sep 20 07:10:58 2010
+++
/trunk/user/test/com/google/gwt/safehtml/shared/GwtSafeHtmlUtilsTest.java
Tue Apr 12 09:34:50 2011
@@ -100,6 +100,26 @@
SafeHtml h = SafeHtmlUtils.fromString(CONSTANT_HTML);
assertEquals(SafeHtmlUtils.htmlEscape(CONSTANT_HTML), h.asString());
}
+
+ public void testEscape_chars() {
+ String escaped = SafeHtmlUtils.htmlEscape('a');
+ assertEquals("a", escaped);
+
+ escaped = SafeHtmlUtils.htmlEscape('&');
+ assertEquals("&", escaped);
+
+ escaped = SafeHtmlUtils.htmlEscape('<');
+ assertEquals("<", escaped);
+
+ escaped = SafeHtmlUtils.htmlEscape('>');
+ assertEquals(">", escaped);
+
+ escaped = SafeHtmlUtils.htmlEscape('"');
+ assertEquals(""", escaped);
+
+ escaped = SafeHtmlUtils.htmlEscape('\'');
+ assertEquals("'", escaped);
+ }
@Override
public String getModuleName() {