[gwt-contrib] Re: make it possible to just use devmode on a particular module while allowing the (issue1408802)
LGTM http://gwt-code-reviews.appspot.com/1408802/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Addresses ClassNotFoundException problems when the data structures serialized in (issue1412801)
Reviewers: tobyr, jbrosenberg, Description: Addresses ClassNotFoundException problems when the data structures serialized in the unit cache log files no longer matches due to changes in GWT. Please review this at http://gwt-code-reviews.appspot.com/1412801/ Affected files: M dev/core/src/com/google/gwt/dev/javac/PersistentUnitCache.java M dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Adds {moz,webkit}RequestAnimationFrame support to animations. (issue1355805)
http://gwt-code-reviews.appspot.com/1355805/diff/6003/user/src/com/google/gwt/user/client/ui/DeckPanel.java File user/src/com/google/gwt/user/client/ui/DeckPanel.java (right): http://gwt-code-reviews.appspot.com/1355805/diff/6003/user/src/com/google/gwt/user/client/ui/DeckPanel.java#newcode108 user/src/com/google/gwt/user/client/ui/DeckPanel.java:108: // Figure out if the deck panel has a fixed height I'm not sure I'm a good checker, but it smells funny to me that onStart is losing a check that it used to have without (that I saw) routing through the new code in newWidget, nor why newWidget, having decided to animate, doesn't touch onStart. I'm willing to believe there's a good reason for it, but I'd like to know what it is. ;-) http://gwt-code-reviews.appspot.com/1355805/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Addresses ClassNotFoundException problems when the data structures serialized in (issue1412801)
The symptom of this problem is that after updating GWT, you get the following exceptions similar to the following: [WARN] Error reading cache file: /tmp/me/gwt-unitCache/gwt-unitCache-012F28614915 java.io.InvalidClassException: com.google.gwt.dev.javac.Dependencies; local class incompatible: stream classdesc serialVersionUID = 4461785342388877006, local class serialVersionUID = -308718918430258746 at java.io.ObjectStreamClass.initNonProxy(ObjectStreamClass.java:579) at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1600) at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1513) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1749) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1346) at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1963) at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1887) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1770) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1346) at java.io.ObjectInputStream.readObject(ObjectInputStream.java:368) at com.google.gwt.dev.javac.PersistentUnitCache.loadUnitMap(PersistentUnitCache.java:472) at com.google.gwt.dev.javac.PersistentUnitCache.access$000(PersistentUnitCache.java:91) at com.google.gwt.dev.javac.PersistentUnitCache$UnitCacheMapLoader.run(PersistentUnitCache.java:120) The data following that exception in the file is ignored, and the cache goes on to operate normally. You'll keep getting those errors until the next time the cache logs are consolidated (every 10 runs or so) This change handles the ClassNotFoundException differently and quietly removes the file. http://gwt-code-reviews.appspot.com/1412801/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Adds {moz,webkit}RequestAnimationFrame support to animations. (issue1355805)
http://gwt-code-reviews.appspot.com/1355805/diff/6003/user/src/com/google/gwt/user/client/ui/DeckPanel.java File user/src/com/google/gwt/user/client/ui/DeckPanel.java (right): http://gwt-code-reviews.appspot.com/1355805/diff/6003/user/src/com/google/gwt/user/client/ui/DeckPanel.java#newcode108 user/src/com/google/gwt/user/client/ui/DeckPanel.java:108: // Figure out if the deck panel has a fixed height On 2011/04/11 15:02:02, fabbott wrote: I'm not sure I'm a good checker, but it smells funny to me that onStart is losing a check that it used to have without (that I saw) routing through the new code in newWidget, nor why newWidget, having decided to animate, doesn't touch onStart. I'm willing to believe there's a good reason for it, but I'd like to know what it is. ;-) I wrote this code some times back, but it looks like the goal was to compute fixedHeight *before* calling run() so we could pass the second argument: if the height is fixed, we're sure the page layout won't change, so in case the deck is out of view (hidden, or displayed outside the viewport's bounds) we actually don't need to run our animation code. Passing the deckElem to run() in this case tells the browser it can skip calling us back if the element is out of view (at its discretion; actually, I believe WebKit only skips such calls on background tabs). http://gwt-code-reviews.appspot.com/1355805/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Addresses ClassNotFoundException problems when the data structures serialized in (issue1412801)
http://gwt-code-reviews.appspot.com/1412801/diff/1/dev/core/src/com/google/gwt/dev/javac/PersistentUnitCache.java File dev/core/src/com/google/gwt/dev/javac/PersistentUnitCache.java (right): http://gwt-code-reviews.appspot.com/1412801/diff/1/dev/core/src/com/google/gwt/dev/javac/PersistentUnitCache.java#newcode493 dev/core/src/com/google/gwt/dev/javac/PersistentUnitCache.java:493: cacheFile.delete(); Don't you need this same behavior for IOException? The original deserilization exception you were seeing was an InvalidClassException, which is a subclass of IOException. http://gwt-code-reviews.appspot.com/1412801/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Fixed pom.xml produced by WebAppCreator. Issue 4878 and Issue 6196. (issue1407804)
http://gwt-code-reviews.appspot.com/1407804/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Adds {moz,webkit}RequestAnimationFrame support to animations. (issue1355805)
LGTM On Mon, Apr 11, 2011 at 11:44 AM, t.bro...@gmail.com wrote: http://gwt-code-reviews.appspot.com/1355805/diff/6003/user/src/com/google/gwt/user/client/ui/DeckPanel.java File user/src/com/google/gwt/user/client/ui/DeckPanel.java (right): http://gwt-code-reviews.appspot.com/1355805/diff/6003/user/src/com/google/gwt/user/client/ui/DeckPanel.java#newcode108 user/src/com/google/gwt/user/client/ui/DeckPanel.java:108: // Figure out if the deck panel has a fixed height On 2011/04/11 15:02:02, fabbott wrote: I'm not sure I'm a good checker, but it smells funny to me that onStart is losing a check that it used to have without (that I saw) routing through the new code in newWidget, nor why newWidget, having decided to animate, doesn't touch onStart. I'm willing to believe there's a good reason for it, but I'd like to know what it is. ;-) I wrote this code some times back, but it looks like the goal was to compute fixedHeight *before* calling run() so we could pass the second argument: if the height is fixed, we're sure the page layout won't change, so in case the deck is out of view (hidden, or displayed outside the viewport's bounds) we actually don't need to run our animation code. Passing the deckElem to run() in this case tells the browser it can skip calling us back if the element is out of view (at its discretion; actually, I believe WebKit only skips such calls on background tabs). http://gwt-code-reviews.appspot.com/1355805/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] [google-web-toolkit] r9970 committed - Adds {moz,webkit}RequestAnimationFrame support to animations....
Revision: 9970 Author: jlaba...@google.com Date: Mon Apr 11 07:56:01 2011 Log: Adds {moz,webkit}RequestAnimationFrame support to animations. Refactor Animation with different implementations, adding mozRequestAnimationFrame and webkitRequestAnimationFrame support in addition to the timer-based implementation. ALso adds run() overloads taking an 'element' argument, that visually scopes the animation (so that browsers can, as an optimization, skip steps when the element is not visible to the user). Code Review: http://gwt-code-reviews.appspot.com/1355805/ Author: tbroyer Review by: jlabanca http://code.google.com/p/google-web-toolkit/source/detail?r=9970 Added: /trunk/user/src/com/google/gwt/animation/client/AnimationImpl.java /trunk/user/src/com/google/gwt/animation/client/AnimationImplMozAnimTiming.java /trunk/user/src/com/google/gwt/animation/client/AnimationImplTimer.java /trunk/user/src/com/google/gwt/animation/client/AnimationImplWebkitAnimTiming.java Modified: /trunk/user/src/com/google/gwt/animation/Animation.gwt.xml /trunk/user/src/com/google/gwt/animation/client/Animation.java /trunk/user/src/com/google/gwt/layout/client/Layout.java /trunk/user/src/com/google/gwt/user/cellview/client/CellBrowser.java /trunk/user/src/com/google/gwt/user/client/ui/DeckPanel.java === --- /dev/null +++ /trunk/user/src/com/google/gwt/animation/client/AnimationImpl.java Mon Apr 11 07:56:01 2011 @@ -0,0 +1,45 @@ +/* + * Copyright 2011 Google Inc. + * + * Licensed under the Apache License, Version 2.0 (the License); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ +package com.google.gwt.animation.client; + +import com.google.gwt.dom.client.Element; + +/** + * Base class for animation implementations. + */ +abstract class AnimationImpl { + + /** + * Cancel the animation. + */ + public abstract void cancel(Animation animation); + + /** + * Run the animation with an optional bounding element. + */ + public abstract void run(Animation animation, Element element); + + /** + * Update the {@link Animation}. + * + * @param animation the {@link Animation} + * @param curTime the current time + * @return true if the animation is complete, false if still running + */ + protected final boolean updateAnimation(Animation animation, double curTime) { +return animation.isRunning() animation.update(curTime); + } +} === --- /dev/null +++ /trunk/user/src/com/google/gwt/animation/client/AnimationImplMozAnimTiming.java Mon Apr 11 07:56:01 2011 @@ -0,0 +1,56 @@ +/* + * Copyright 2011 Google Inc. + * + * Licensed under the Apache License, Version 2.0 (the License); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ +package com.google.gwt.animation.client; + +import com.google.gwt.dom.client.Element; + +/** + * Implementation using codemozRequestAnimationFrame/code. + * + * @see a href=https://developer.mozilla.org/en/DOM/window.mozRequestAnimationFrame; + * Documentation on the MDN/a + */ +class AnimationImplMozAnimTiming extends AnimationImpl { + + private int handle; + + @Override + public void cancel(Animation animation) { +handle++; + } + + @Override + public void run(Animation animation, Element element) { +handle++; +nativeRun(animation); + } + + private native void nativeRun(Animation animation) /*-{ +var self = this; +var handle = th...@com.google.gwt.animation.client.AnimationImplMozAnimTiming::handle; +var callback = $entry(function(time) { + if (handle != se...@com.google.gwt.animation.client.AnimationImplMozAnimTiming::handle) { +return; // cancelled + } + var complete = se...@com.google.gwt.animation.client.AnimationImpl::updateAnimation(Lcom/google/gwt/animation/client/Animation;D)(animation, time); + if (!complete) { +$wnd.mozRequestAnimationFrame(callback); + } +}); + +$wnd.mozRequestAnimationFrame(callback); + }-*/; +} === --- /dev/null +++
[gwt-contrib] Re: Adds {moz,webkit}RequestAnimationFrame support to animations. (issue1355805)
committed as r9970 Thanks for another patch! http://gwt-code-reviews.appspot.com/1355805/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Reverting r9970 due to build break. (issue1408804)
Reviewers: fabbott, Description: Reverting r9970 due to build break. Please review this at http://gwt-code-reviews.appspot.com/1408804/ Affected files: M user/src/com/google/gwt/animation/Animation.gwt.xml M user/src/com/google/gwt/animation/client/Animation.java D user/src/com/google/gwt/animation/client/AnimationImpl.java D user/src/com/google/gwt/animation/client/AnimationImplMozAnimTiming.java D user/src/com/google/gwt/animation/client/AnimationImplTimer.java D user/src/com/google/gwt/animation/client/AnimationImplWebkitAnimTiming.java M user/src/com/google/gwt/layout/client/Layout.java M user/src/com/google/gwt/user/cellview/client/CellBrowser.java M user/src/com/google/gwt/user/client/ui/DeckPanel.java -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Adds {moz,webkit}RequestAnimationFrame support to animations. (issue1355805)
It's always a pleasure to work on GWT: the code is quite clean and easy to read! On a related note (to this patch), I was thinking about using CSS3 transitions for animations in widgets, when supported. The only issue is that there would only be an event fired at the end (ontransitionend). Is it really an issue to call child widget's onResize only once at the end of the animation, or should we fake the animation steps with a timer or requestAnimationFrame? (in which case maybe CSS transitions wouldn't be worth adding). -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] [google-web-toolkit] r9971 committed - Reverting r9970 due to build break....
Revision: 9971 Author: jlaba...@google.com Date: Mon Apr 11 09:09:49 2011 Log: Reverting r9970 due to build break. Review at http://gwt-code-reviews.appspot.com/1408804 Review by: fabb...@google.com http://code.google.com/p/google-web-toolkit/source/detail?r=9971 Deleted: /trunk/user/src/com/google/gwt/animation/client/AnimationImpl.java /trunk/user/src/com/google/gwt/animation/client/AnimationImplMozAnimTiming.java /trunk/user/src/com/google/gwt/animation/client/AnimationImplTimer.java /trunk/user/src/com/google/gwt/animation/client/AnimationImplWebkitAnimTiming.java Modified: /trunk/user/src/com/google/gwt/animation/Animation.gwt.xml /trunk/user/src/com/google/gwt/animation/client/Animation.java /trunk/user/src/com/google/gwt/layout/client/Layout.java /trunk/user/src/com/google/gwt/user/cellview/client/CellBrowser.java /trunk/user/src/com/google/gwt/user/client/ui/DeckPanel.java === --- /trunk/user/src/com/google/gwt/animation/client/AnimationImpl.java Mon Apr 11 07:56:01 2011 +++ /dev/null @@ -1,45 +0,0 @@ -/* - * Copyright 2011 Google Inc. - * - * Licensed under the Apache License, Version 2.0 (the License); you may not - * use this file except in compliance with the License. You may obtain a copy of - * the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an AS IS BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations under - * the License. - */ -package com.google.gwt.animation.client; - -import com.google.gwt.dom.client.Element; - -/** - * Base class for animation implementations. - */ -abstract class AnimationImpl { - - /** - * Cancel the animation. - */ - public abstract void cancel(Animation animation); - - /** - * Run the animation with an optional bounding element. - */ - public abstract void run(Animation animation, Element element); - - /** - * Update the {@link Animation}. - * - * @param animation the {@link Animation} - * @param curTime the current time - * @return true if the animation is complete, false if still running - */ - protected final boolean updateAnimation(Animation animation, double curTime) { -return animation.isRunning() animation.update(curTime); - } -} === --- /trunk/user/src/com/google/gwt/animation/client/AnimationImplMozAnimTiming.java Mon Apr 11 07:56:01 2011 +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright 2011 Google Inc. - * - * Licensed under the Apache License, Version 2.0 (the License); you may not - * use this file except in compliance with the License. You may obtain a copy of - * the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an AS IS BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations under - * the License. - */ -package com.google.gwt.animation.client; - -import com.google.gwt.dom.client.Element; - -/** - * Implementation using codemozRequestAnimationFrame/code. - * - * @see a href=https://developer.mozilla.org/en/DOM/window.mozRequestAnimationFrame; - * Documentation on the MDN/a - */ -class AnimationImplMozAnimTiming extends AnimationImpl { - - private int handle; - - @Override - public void cancel(Animation animation) { -handle++; - } - - @Override - public void run(Animation animation, Element element) { -handle++; -nativeRun(animation); - } - - private native void nativeRun(Animation animation) /*-{ -var self = this; -var handle = th...@com.google.gwt.animation.client.AnimationImplMozAnimTiming::handle; -var callback = $entry(function(time) { - if (handle != se...@com.google.gwt.animation.client.AnimationImplMozAnimTiming::handle) { -return; // cancelled - } - var complete = se...@com.google.gwt.animation.client.AnimationImpl::updateAnimation(Lcom/google/gwt/animation/client/Animation;D)(animation, time); - if (!complete) { -$wnd.mozRequestAnimationFrame(callback); - } -}); - -$wnd.mozRequestAnimationFrame(callback); - }-*/; -} === --- /trunk/user/src/com/google/gwt/animation/client/AnimationImplTimer.java Mon Apr 11 07:56:01 2011 +++ /dev/null @@ -1,87 +0,0 @@ -/* - * Copyright 2011 Google Inc. - * - * Licensed under the Apache License, Version 2.0 (the License); you may not - * use this file except in compliance with the License. You may obtain a copy of - * the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless
[gwt-contrib] Re: Addresses ClassNotFoundException problems when the data structures serialized in (issue1412801)
http://gwt-code-reviews.appspot.com/1412801/diff/1/dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java File dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java (right): http://gwt-code-reviews.appspot.com/1412801/diff/1/dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java#newcode41 dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java:41: private final byte[] INVALID_CACHE_LOG = { // This seems kinda brittle? I wonder if there's a way to generate an appropriate stream programmatically. Maybe something involving a pair of class loaders, A and B, which are children of the system class loader, but provide one additional class, a CompilationUnit subtype that isn't loaded in the system class loader. You write the stream using A and read it back using B. In addition to testing a class that doesn't exist in B, you could test slightly different versions of the same class in A B and test for the incompatible class change. Not sure if it's worth all that trouble tho, just rambling here. http://gwt-code-reviews.appspot.com/1412801/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] [google-web-toolkit] r9972 committed - make it possible to just use devmode on a particular module while allo...
Revision: 9972 Author: unn...@google.com Date: Mon Apr 11 11:56:17 2011 Log: make it possible to just use devmode on a particular module while allowing the others to run in prod mode Review at http://gwt-code-reviews.appspot.com/1408802 Review by: fabio...@google.com http://code.google.com/p/google-web-toolkit/source/detail?r=9972 Modified: /trunk/dev/core/src/com/google/gwt/core/ext/linker/impl/devmode.js /trunk/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java /trunk/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeTemplate.js === --- /trunk/dev/core/src/com/google/gwt/core/ext/linker/impl/devmode.js Thu Feb 24 06:41:44 2011 +++ /trunk/dev/core/src/com/google/gwt/core/ext/linker/impl/devmode.js Mon Apr 11 11:56:17 2011 @@ -252,7 +252,10 @@ var query = $wnd.location.search; var idx = query.indexOf(gwt.codesvr=); if (idx = 0) { -idx += 12; // gwt.codesvr=.length() == 12 +idx += 12; // gwt.codesvr=.length == 12 + } else { +idx = query.indexOf(gwt.codesvr.__MODULE_NAME__=); +idx += (13 + __MODULE_NAME__.length); // } if (idx = 0) { var amp = query.indexOf(, idx); === --- /trunk/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java Mon Mar 21 12:22:19 2011 +++ /trunk/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java Mon Apr 11 11:56:17 2011 @@ -339,6 +339,7 @@ outputFilename = getHostedFilenameFull(context); } +replaceAll(buffer, __MODULE_NAME__, context.getModuleName()); String script = generatePrimaryFragmentString(logger, context, result, buffer.toString(), 1, artifacts); === --- /trunk/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeTemplate.js Fri Mar 11 13:16:30 2011 +++ /trunk/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeTemplate.js Mon Apr 11 11:56:17 2011 @@ -34,7 +34,8 @@ function isHostedMode() { var query = $wnd.location.search; -return (query.indexOf('gwt.codesvr=') != -1); +return ((query.indexOf('gwt.codesvr.__MODULE_NAME__=') != -1) || +(query.indexOf('gwt.codesvr=') != -1)); } // Helper function to send statistics to the __gwtStatsEvent function if it -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Fixed pom.xml produced by WebAppCreator. Issue 4878 and Issue 6196. (issue1407804)
http://gwt-code-reviews.appspot.com/1407804/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Fixed pom.xml produced by WebAppCreator. Issue 4878 and Issue 6196. (issue1407804)
http://gwt-code-reviews.appspot.com/1407804/diff/1/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc File user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc (right): http://gwt-code-reviews.appspot.com/1407804/diff/1/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc#newcode71 user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc:71: version2.2.0/version On 2011/04/08 22:08:27, drfibonacci wrote: 2.2.0-1 would pick up fix for copyWebapptrue/copyWebapp so it won't copy provided jars It seems 2.2.0-1 is not yet available. i could not get gwt-user into the generated war, either and copyWebApp seems to be only available at that version. Let's defer the use of copyWebApp for later. http://gwt-code-reviews.appspot.com/1407804/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] [google-web-toolkit] r9973 committed - Fixed pom.xml produced by WebAppCreator. Issue 4878 and Issue 6196....
Revision: 9973 Author: rchan...@google.com Date: Mon Apr 11 13:05:14 2011 Log: Fixed pom.xml produced by WebAppCreator. Issue 4878 and Issue 6196. Review at http://gwt-code-reviews.appspot.com/1407804 Review by: drfibona...@google.com http://code.google.com/p/google-web-toolkit/source/detail?r=9973 Modified: /trunk/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc === --- /trunk/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc Fri Apr 8 08:46:11 2011 +++ /trunk/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc Mon Apr 11 13:05:14 2011 @@ -40,9 +40,22 @@ dependency groupIdjunit/groupId artifactIdjunit/artifactId - version4.4/version + version4.8.1/version scopetest/scope /dependency +dependency + groupIdjavax.validation/groupId + artifactIdvalidation-api/artifactId + version1.0.0.GA/version + scopeprovided/scope +/dependency +dependency + groupIdjavax.validation/groupId + artifactIdvalidation-api/artifactId + version1.0.0.GA/version + classifiersources/classifier + scopeprovided/scope +/dependency /dependencies build @@ -55,6 +68,24 @@ plugin groupIdorg.codehaus.mojo/groupId artifactIdgwt-maven-plugin/artifactId + version2.2.0/version + dependencies + dependency +groupIdcom.google.gwt/groupId +artifactIdgwt-user/artifactId +version${gwtVersion}/version + /dependency + dependency +groupIdcom.google.gwt/groupId +artifactIdgwt-dev/artifactId +version${gwtVersion}/version + /dependency + dependency +groupIdcom.google.gwt/groupId +artifactIdgwt-servlet/artifactId +version${gwtVersion}/version + /dependency + /dependencies !-- JS is only needed in the package phase, this speeds up testing -- executions execution @@ -72,13 +103,14 @@ !-- Location of the develop-mode web application structure (gwt:run). -- hostedWebapptarget/www/hostedWebapp !-- Ask GWT to create the Story of Your Compile (SOYC) (gwt:compile) -- - soyctrue/soyc + compileReporttrue/compileReport /configuration /plugin !-- Add source folders to test classpath in order to run gwt-tests as normal junit-tests -- plugin artifactIdmaven-surefire-plugin/artifactId + version2.5/version configuration additionalClasspathElements additionalClasspathElement${project.build.sourceDirectory}/additionalClasspathElement @@ -100,6 +132,7 @@ !-- Copy static web files before executing gwt:run -- plugin artifactIdmaven-resources-plugin/artifactId +version2.4.2/version executions execution phasecompile/phase @@ -121,6 +154,7 @@ !-- Delete gwt generated stuff -- plugin artifactIdmaven-clean-plugin/artifactId + version2.3/version configuration filesets filesetdirectorysrc/main/webapp/@renameTo/directory/fileset @@ -131,7 +165,25 @@ /filesets /configuration /plugin - + + plugin + artifactIdmaven-eclipse-plugin/artifactId + version2.7/version !-- Note 2.8 does not work with AspectJ aspect path -- + configuration + downloadSourcestrue/downloadSources + downloadJavadocsfalse/downloadJavadocs + wtpversion2.0/wtpversion + additionalBuildcommands +buildCommand + namecom.google.gwt.eclipse.core.gwtProjectValidator/name +/buildCommand + /additionalBuildcommands + additionalProjectnatures + projectnaturecom.google.gwt.eclipse.core.gwtNature/projectnature + /additionalProjectnatures + /configuration + /plugin + /plugins /build /project -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Addresses ClassNotFoundException problems when the data structures serialized in (issue1412801)
I'm thinking about using ByteArrayOutputStream and serializing 2 special object with readObject() implemented to throw the exception I want to test. On Mon, Apr 11, 2011 at 5:30 PM, sco...@google.com wrote: http://gwt-code-reviews.appspot.com/1412801/diff/1/dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java File dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java (right): http://gwt-code-reviews.appspot.com/1412801/diff/1/dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java#newcode41 dev/core/test/com/google/gwt/dev/javac/PersistentUnitCacheTest.java:41: private final byte[] INVALID_CACHE_LOG = { // This seems kinda brittle? I wonder if there's a way to generate an appropriate stream programmatically. Maybe something involving a pair of class loaders, A and B, which are children of the system class loader, but provide one additional class, a CompilationUnit subtype that isn't loaded in the system class loader. You write the stream using A and read it back using B. In addition to testing a class that doesn't exist in B, you could test slightly different versions of the same class in A B and test for the incompatible class change. Not sure if it's worth all that trouble tho, just rambling here. http://gwt-code-reviews.appspot.com/1412801/ -- Eric Z. Ayers Google Web Toolkit, Atlanta, GA USA -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Add SafeUri type, similar to SafeHtml but for values in a URL attribute context. (issue1380806)
On Sun, Apr 10, 2011 at 17:02, t.bro...@gmail.com wrote: On 2011/04/10 18:32:38, xtof wrote: I think this is pretty much ready, except for one thing I just thought of. Sorry, I should have thought of that earlier :/ In ClippedImageImpl, we're using a SafeUri in the context of a url() style expression (background: url({3})). However, the contract of SafeUri is currently not tight enough for this to be safe I think: SafeUri would allow e.g., parentheses, colons and dashes in un-escaped form in the URL. In a template where the URL appears in a url() css expression as above, a URL like, http://harmless.com/foo);background:url(javascript:evil()); would pass UriUtils#sanitizeUri (without getting URI-escaped or anything), and would result in script execution via CSS injection. I hadn't looked closely at the SafeStyles API and thought it would be covered there (and ClippedImageImpl would of course be updated to use SafeStyles). But note that, similarly, http://harmless.comonclick=evil() would pass sanitizeUri and could result in script execution via HTML injection (not through SafeHtml/SafeHtmlTemplates though, as the quotes would be escaped). Ok, I think you've convinced me :) I think what you're saying is essentially this: The SafeUri contract only promises that a URL will not result in script execution if dereferenced as-is (which in practice means that its scheme is on a whitelist of ones that don't cause script exec, and in particular isn't javascript:, etc). However, when a SafeUri is embedded in a specific context, it *still* needs to be appropriately escaped. Which is what happens for uri-valued attribute context in SafeHtmlTemplates, and I agree with you that we should treat URI-in-CSS context the same way, and deal with any necessary escaping (or sanitization) there. I do think that it might be worth to constrain SafeUri to only allow syntactically valid URIs, or at least only strings consisting of characters valid in URIs per the RFC. Unfortunately, GWT doesn't implement java.net.URI and the former might be hard to do efficiently in browser-side code; I can't think of any reason the latter isn't sufficient. If we're both in agreement on that, I think we should change the doc of the SafeUri contract to be a bit more specific about that. I.e., instead of 18 /** 19 * An object that implements this interface encapsulates a URI that is 20 * guaranteed to be safe to use (with respect to potential Cross-Site-Scripting 21 * vulnerabilities) in a URL context, for example in a URL-typed attribute in 22 * an HTML document. more something along the lines: /** An object that implements this interface encapsulates a lexically valid (with respect to the set of valid characters specified RFC 3986) URI that when dereferenced, will not result in browser-side execution of script that is not under program control. p Note that this type's contract does not constrain the set of characters that may appear in the URI beyond the requirements of RFC 3986. If the value of a SafeUri object is used in certain contexts of a HTML document, appropriate escaping must be applied. The CSS spec says whitespace, quotes (single and double) and parentheses can be escaped using a backslash: http://www.w3.org/TR/CSS2/syndata.html#uri I believe I've read somewhere that this doesn't work in IE, but I can't find the reference now... One problem I'd worried about is this: parentheses are legal in URIs per the RFC. At the same time, \xx escaping them in the CSS seems to not actually be sufficient; such escaping doesn't prevent the string from being interpreted as CSS syntax (what were they thinking???), see http://code.google.com/p/browsersec/wiki/Part1#CSS_character_encoding. I think we'll just have to %-escape parentheses and single quotes when using a SafeUri in a CSS url(). I'm not really aware of them meaning anything special in *http* URIs; even if RFC 3986 says that %-escaping parentheses won't result in an equivalent URI I don't know of any reason doing so would result in a different resource being addressed on a web server. So maybe we could special-case SafeUri in CSS contexts in the generator? I think we should just ban it (or at least warn), since we don't parse the CSS and can't really tell what context in the CSS the URI is used in. A safe style builder API would know, and would escape the URI correctly. (we already special-case it for it's .asString(), and special-case URL contexts for non-SafeUri values to sanitize them, so...) So I think we need to, - tighten the SafeUri contract so it explicitly specifies which character set can occur in a SafeUri - add a sanitizeAndEscapeUri method to UriUtils that both checks for an allowed scheme and URI/%-escapes characters not in the allowed charset (or maybe rejects URLs with certain funny characters in them). We can quite simply %-escape those chars that are special to CSS (see
[gwt-contrib] Re: Adding a new annotation SafeHtmlTemplates.SafeForCss to specify that a parameter is known to be ... (issue1384801)
LGTM! http://gwt-code-reviews.appspot.com/1384801/diff/8001/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java File user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java (right): http://gwt-code-reviews.appspot.com/1384801/diff/8001/user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java#newcode315 user/src/com/google/gwt/safehtml/rebind/SafeHtmlTemplatesImplMethodCreator.java:315: logger.log(TreeLogger.WARN, On 2011/04/07 15:45:57, jlabanca wrote: I added a comment explaining that we've already checked that the user did not try to use SafeStyles in a non-CSS context. The reason for the split checks is that each Safe type is only valid in one context, so it makes sense to check that separately. Otherwise, we would have to have a !SafeHtml/!SafeStyles check in every context where those classes aren't supported. Conversely, some contexts have or will have a Safe value that is appropriate for that context. Adding the warning in the switch statement allows us to do check if the user could have used a Safe class specific to the current context. If we move the warnings out of the switch statement, then we would have to check the current context to see if the user could have chosen a better Safe value, which would basically add a duplicate (subset) switch statement. I see... Makes sense and SGTM. http://gwt-code-reviews.appspot.com/1384801/diff/8025/user/src/com/google/gwt/safecss/shared/SafeStyles.java File user/src/com/google/gwt/safecss/shared/SafeStyles.java (right): http://gwt-code-reviews.appspot.com/1384801/diff/8025/user/src/com/google/gwt/safecss/shared/SafeStyles.java#newcode75 user/src/com/google/gwt/safecss/shared/SafeStyles.java:75: * liwidth: 1em;/li Should these be {@code}? http://gwt-code-reviews.appspot.com/1384801/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Addresses ClassNotFoundException problems when the data structures serialized in (issue1412801)
On 2011/04/11 23:17:07, zundel wrote: I'm thinking about using ByteArrayOutputStream and serializing 2 special object with readObject() implemented to throw the exception I want to test. SGTM! http://gwt-code-reviews.appspot.com/1412801/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] [google-web-toolkit] r9974 committed - Cherry picking r9967 into releases/2.3
Revision: 9974 Author: rchan...@google.com Date: Mon Apr 11 13:59:08 2011 Log: Cherry picking r9967 into releases/2.3 http://code.google.com/p/google-web-toolkit/source/detail?r=9974 Modified: /releases/2.3/samples/expenses/pom.xml /releases/2.3/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc === --- /releases/2.3/samples/expenses/pom.xml Wed Mar 9 09:59:27 2011 +++ /releases/2.3/samples/expenses/pom.xml Mon Apr 11 13:59:08 2011 @@ -1,652 +1,652 @@ ?xml version=1.0 encoding=UTF-8 standalone=no? project xmlns=http://maven.apache.org/POM/4.0.0; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd; - modelVersion4.0.0/modelVersion - groupIdcom.google.gwt.sample.expenses/groupId - artifactIdexpenses/artifactId - packagingwar/packaging - version0.1.0.BUILD-SNAPSHOT/version - nameexpenses/name - properties + modelVersion4.0.0/modelVersion + groupIdcom.google.gwt.sample.expenses/groupId + artifactIdexpenses/artifactId + packagingwar/packaging + version0.1.0.BUILD-SNAPSHOT/version + nameexpenses/name + properties gwt.version2.2.0/gwt.version - roo.version1.1.0.RELEASE/roo.version - spring.version3.0.3.RELEASE/spring.version - slf4j.version1.6.1/slf4j.version - gae.version1.4.2/gae.version +roo.version1.1.0.RELEASE/roo.version +spring.version3.0.3.RELEASE/spring.version +slf4j.version1.6.1/slf4j.version +gae.version1.4.2/gae.version gae-test.version1.4.2/gae-test.version gae.home${user.home}/.m2/repository/com/google/appengine/appengine-java-sdk/${gae.version}/appengine-java-sdk-${gae.version}/gae.home datanucleus.version1.1.5/datanucleus.version -/properties - repositories -repository -idspring-maven-release/id -nameSpring Maven Release Repository/name -urlhttp://maven.springframework.org/release/url -/repository -repository -idspring-maven-milestone/id -nameSpring Maven Milestone Repository/name -urlhttp://maven.springframework.org/milestone/url -/repository -repository -idspring-roo-repository/id -nameSpring Roo Repository/name - urlhttp://spring-roo-repository.springsource.org/release/url -/repository + /properties + repositories repository -idDataNucleus_2/id -urlhttp://www.datanucleus.org/downloads/maven2//url -nameDataNucleus/name -/repository + idspring-maven-release/id + nameSpring Maven Release Repository/name + urlhttp://maven.springframework.org/release/url +/repository repository -idJBoss Repo/id - urlhttps://repository.jboss.org/nexus/content/repositories/releases/url -nameJBoss Repo/name -/repository -/repositories -pluginRepositories + idspring-maven-milestone/id + nameSpring Maven Milestone Repository/name + urlhttp://maven.springframework.org/milestone/url +/repository +repository + idspring-roo-repository/id + nameSpring Roo Repository/name + urlhttp://spring-roo-repository.springsource.org/release/url +/repository +repository + idDataNucleus_2/id + urlhttp://www.datanucleus.org/downloads/maven2//url + nameDataNucleus/name +/repository +repository + idJBoss Repo/id + urlhttps://repository.jboss.org/nexus/content/repositories/releases/url + nameJBoss Repo/name +/repository + /repositories + pluginRepositories pluginRepository -idDataNucleus_2/id -urlhttp://www.datanucleus.org/downloads/maven2//url -/pluginRepository -/pluginRepositories - dependencies - !-- General dependencies for standard applications -- - dependency - groupIdjunit/groupId - artifactIdjunit/artifactId - version4.8.1/version - scopetest/scope - /dependency - dependency - groupIdlog4j/groupId - artifactIdlog4j/artifactId - version1.2.16/version - /dependency - dependency - groupIdorg.slf4j/groupId - artifactIdslf4j-api/artifactId - version${slf4j.version}/version - /dependency - dependency - groupIdorg.slf4j/groupId - artifactIdjcl-over-slf4j/artifactId - version${slf4j.version}/version - /dependency - dependency - groupIdorg.slf4j/groupId -
[gwt-contrib] Clean up the CrossSiteIFrameLoadingStrategy class, removing some dead code, (issue1413801)
Reviewers: zundel, Description: Clean up the CrossSiteIFrameLoadingStrategy class, removing some dead code, adding comments to clarify what is going on, and making it throw an error which is more explicit about what triggered the error Please review this at http://gwt-code-reviews.appspot.com/1413801/ Affected files: M user/src/com/google/gwt/core/client/CodeDownloadException.java M user/src/com/google/gwt/core/client/impl/CrossSiteIframeLoadingStrategy.java Index: user/src/com/google/gwt/core/client/CodeDownloadException.java === --- user/src/com/google/gwt/core/client/CodeDownloadException.java (revision 9972) +++ user/src/com/google/gwt/core/client/CodeDownloadException.java (working copy) @@ -27,10 +27,10 @@ * need to be down loaded. */ public enum Reason { -/** - * Generic code for terminating the download. - */ -TERMINATED +ONERROR, +ONLOAD, +READYSTATELOADED, +READYSTATECOMPLETE, } private final Reason reason; Index: user/src/com/google/gwt/core/client/impl/CrossSiteIframeLoadingStrategy.java === --- user/src/com/google/gwt/core/client/impl/CrossSiteIframeLoadingStrategy.java (revision 9972) +++ user/src/com/google/gwt/core/client/impl/CrossSiteIframeLoadingStrategy.java (working copy) @@ -25,14 +25,6 @@ /** * Load runAsync code using a script tag. Intended for use with the * {@link com.google.gwt.core.linker.CrossSiteIframeLinker}. - * - * p - * The linker wraps its selection script code with a function refered to by - * code__gwtModuleFunction/code. On that function is a property - * codeinstallCode/code that can be invoked to eval more code in a scope - * nested somewhere within that function. The loaded script for fragment 123 is - * expected to invoke code__gwtModuleFunction.runAsyncCallback123/code - * as the final thing it does. */ public class CrossSiteIframeLoadingStrategy implements LoadingStrategy { /** @@ -58,10 +50,19 @@ }-*/; } - private static final RuntimeException LoadTerminated = - new CodeDownloadException(Code download terminated, -CodeDownloadException.Reason.TERMINATED); - + private static final RuntimeException LoadTerminatedError = + new CodeDownloadException(Code download terminated - onError, +CodeDownloadException.Reason.ONERROR); + private static final RuntimeException LoadTerminatedLoaded = +new CodeDownloadException(Code download terminated - onLoad, + CodeDownloadException.Reason.ONLOAD); + private static final RuntimeException LoadTerminatedReadyComplete = +new CodeDownloadException(Code download terminated - onReadyComplete, + CodeDownloadException.Reason.READYSTATECOMPLETE); + private static final RuntimeException LoadTerminatedReadyLoaded = +new CodeDownloadException(Code download terminated - onReadyLoaded, + CodeDownloadException.Reason.READYSTATELOADED); + /** * Clear callbacks on script objects. This is important on IE 6 and 7 to * prevent a memory leak. If the callbacks aren't cleared, there is a cyclical @@ -71,13 +72,6 @@ private static native void clearCallbacks(JavaScriptObject script) /*-{ var nop = new Function(''); script.onerror = script.onload = script.onreadystatechange = nop; - }-*/; - - /** - * Clear the success callback for fragment codefragment/code. - */ - private static native void clearOnSuccess(int fragment) /*-{ -delete __gwtModuleFunction['runAsyncCallback'+fragment]; }-*/; private static native JavaScriptObject createScriptTag(String url) /*-{ @@ -97,13 +91,18 @@ LoadTerminatedHandler loadFinishedHandler) /*-{ return function(exception) { if (tag.parentNode == null) { - // onSuccess or onFailure must have already been called. + // This function must have already been called. return; } var head = document.getElementsByTagName('head').item(0); - @com.google.gwt.core.client.impl.CrossSiteIframeLoadingStrategy::clearOnSuccess(*)(fragment); @com.google.gwt.core.client.impl.CrossSiteIframeLoadingStrategy::clearCallbacks(*)(tag); head.removeChild(tag); + // It seems unintuitive to call the error function every time, but + // it appears that AsyncFragmentLoader::fragmentHasLoaded (which is + // called by each fragment) will set the fragmentLoading variable to + // -1 when the code in this fragment executes, so this + // loadTerminated call will fail the (fragmentLoading == fragment) check + // and will immediately exit, so no errors are actually fired. function callLoadTerminated() {
[gwt-contrib] [google-web-toolkit] r9975 committed - Cherry picking r9973 into releases/2.3 for isuees 4878 and 6196
Revision: 9975 Author: rchan...@google.com Date: Mon Apr 11 14:26:39 2011 Log: Cherry picking r9973 into releases/2.3 for isuees 4878 and 6196 http://code.google.com/p/google-web-toolkit/source/detail?r=9975 Modified: /releases/2.3/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc === --- /releases/2.3/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc Mon Apr 11 13:59:08 2011 +++ /releases/2.3/user/src/com/google/gwt/user/tools/templates/maven/pom.xmlsrc Mon Apr 11 14:26:39 2011 @@ -40,9 +40,22 @@ dependency groupIdjunit/groupId artifactIdjunit/artifactId - version4.4/version + version4.8.1/version scopetest/scope /dependency +dependency + groupIdjavax.validation/groupId + artifactIdvalidation-api/artifactId + version1.0.0.GA/version + scopeprovided/scope +/dependency +dependency + groupIdjavax.validation/groupId + artifactIdvalidation-api/artifactId + version1.0.0.GA/version + classifiersources/classifier + scopeprovided/scope +/dependency /dependencies build @@ -55,6 +68,24 @@ plugin groupIdorg.codehaus.mojo/groupId artifactIdgwt-maven-plugin/artifactId + version2.2.0/version + dependencies + dependency +groupIdcom.google.gwt/groupId +artifactIdgwt-user/artifactId +version${gwtVersion}/version + /dependency + dependency +groupIdcom.google.gwt/groupId +artifactIdgwt-dev/artifactId +version${gwtVersion}/version + /dependency + dependency +groupIdcom.google.gwt/groupId +artifactIdgwt-servlet/artifactId +version${gwtVersion}/version + /dependency + /dependencies !-- JS is only needed in the package phase, this speeds up testing -- executions execution @@ -72,13 +103,14 @@ !-- Location of the develop-mode web application structure (gwt:run). -- hostedWebapptarget/www/hostedWebapp !-- Ask GWT to create the Story of Your Compile (SOYC) (gwt:compile) -- - soyctrue/soyc + compileReporttrue/compileReport /configuration /plugin !-- Add source folders to test classpath in order to run gwt-tests as normal junit-tests -- plugin artifactIdmaven-surefire-plugin/artifactId + version2.5/version configuration additionalClasspathElements additionalClasspathElement${project.build.sourceDirectory}/additionalClasspathElement @@ -100,6 +132,7 @@ !-- Copy static web files before executing gwt:run -- plugin artifactIdmaven-resources-plugin/artifactId +version2.4.2/version executions execution phasecompile/phase @@ -121,6 +154,7 @@ !-- Delete gwt generated stuff -- plugin artifactIdmaven-clean-plugin/artifactId + version2.3/version configuration filesets filesetdirectorysrc/main/webapp/@renameTo/directory/fileset @@ -131,7 +165,25 @@ /filesets /configuration /plugin - + + plugin + artifactIdmaven-eclipse-plugin/artifactId + version2.7/version !-- Note 2.8 does not work with AspectJ aspect path -- + configuration + downloadSourcestrue/downloadSources + downloadJavadocsfalse/downloadJavadocs + wtpversion2.0/wtpversion + additionalBuildcommands +buildCommand + namecom.google.gwt.eclipse.core.gwtProjectValidator/name +/buildCommand + /additionalBuildcommands + additionalProjectnatures + projectnaturecom.google.gwt.eclipse.core.gwtNature/projectnature + /additionalProjectnatures + /configuration + /plugin + /plugins /build /project -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Add SafeUri type, similar to SafeHtml but for values in a URL attribute context. (issue1380806)
On 2011/04/11 23:18:13, xtof wrote: If we're both in agreement on that, I think we should change the doc of the SafeUri contract to be a bit more specific about that. I.e., instead of 18 /** 19 * An object that implements this interface encapsulates a URI that is 20 * guaranteed to be safe to use (with respect to potential Cross-Site-Scripting 21 * vulnerabilities) in a URL context, for example in a URL-typed attribute in 22 * an HTML document. more something along the lines: /** An object that implements this interface encapsulates a lexically valid (with respect to the set of valid characters specified RFC 3986) URI that when dereferenced, will not result in browser-side execution of script that is not under program control. p Note that this type's contract does not constrain the set of characters that may appear in the URI beyond the requirements of RFC 3986. If the value of a SafeUri object is used in certain contexts of a HTML document, appropriate escaping must be applied. SGTM The CSS spec says whitespace, quotes (single and double) and parentheses can be escaped using a backslash: http://www.w3.org/TR/CSS2/syndata.html#uri I believe I've read somewhere that this doesn't work in IE, but I can't find the reference now... One problem I'd worried about is this: parentheses are legal in URIs per the RFC. At the same time, \xx escaping them in the CSS seems to not actually be sufficient; such escaping doesn't prevent the string from being interpreted as CSS syntax (what were they thinking???), see http://code.google.com/p/browsersec/wiki/Part1#CSS_character_encoding. Note that the CSS spec talks about using '\(', not '\028'. I however have absolutely no idea how well this is supported by browsers. I think we'll just have to %-escape parentheses and single quotes when using a SafeUri in a CSS url(). I'm not really aware of them meaning anything special in *http* URIs; even if RFC 3986 says that %-escaping parentheses won't result in an equivalent URI I don't know of any reason doing so would result in a different resource being addressed on a web server. +1 So maybe we could special-case SafeUri in CSS contexts in the generator? I think we should just ban it (or at least warn), since we don't parse the CSS and can't really tell what context in the CSS the URI is used in. A safe style builder API would know, and would escape the URI correctly. We already have the warning about SafeUri outside URL-attribute context, we sure could specialize the message a bit for the CSS context. I think you're right; sanitizeUri should %-escape characters not allowed by RFC 3986. Looks like passing the string through http://google-web-toolkit.googlecode.com/svn/javadoc/latest/com/google/gwt/http/client/URL.html#encode%28java.lang.String%29would be sufficient? Anyway, I'll take a TODO item for this. URL.encode wouldn't preserve existing %-escapes and would replace, e.g. %28 with %2528. The algorithm should probably be similar to htmlEscapeAllowEntities (i.e. split on %-escapes and encode the rest). Also, URL.encode doesn't %-escape single quotes and parentheses. Finally, URL.encode is client side only, so an equivalent pure Java algorithm should be written for the JVM (that would be less efficient in the browser). Maybe let's start with a single, shared, algorithm andadd the URL.encode-based one later (and benchmark!) I'm still wondering if we should properly parse the whole URL and insist it's syntactically valid; when I wrote sanitizeUri I chose not to because there's no easily available way to do it in GWT (since java.net.URI isn't implemented), and it would seem to be fairly costly to do. I believe %-escaping à la URL.encode would provide enough safety. http://gwt-code-reviews.appspot.com/1380806/ -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
[gwt-contrib] Re: Add SafeUri type, similar to SafeHtml but for values in a URL attribute context. (issue1380806)
On Mon, Apr 11, 2011 at 17:54, t.bro...@gmail.com wrote: Note that the CSS spec talks about using '\(', not '\028'. I however have absolutely no idea how well this is supported by browsers. I think I read somewhere that this doesn't work in IE (which seems to interpret \ literally in URLs because windows users keep typing things like http:\\example.com\ into URL bars). I should test this... We already have the warning about SafeUri outside URL-attribute context, we sure could specialize the message a bit for the CSS context. I see what you mean. Either way is fine by me ;) I think you're right; sanitizeUri should %-escape characters not allowed by RFC 3986. Looks like passing the string through http://google-web-toolkit.googlecode.com/svn/javadoc/latest/com/google/gwt/http/client/URL.html#encode%28java.lang.String%29would be sufficient? Anyway, I'll take a TODO item for this. URL.encode wouldn't preserve existing %-escapes and would replace, e.g. %28 with %2528. The algorithm should probably be similar to htmlEscapeAllowEntities (i.e. split on %-escapes and encode the rest). Also, URL.encode doesn't %-escape single quotes and parentheses. Got it; yup you're right. Finally, URL.encode is client side only, so an equivalent pure Java algorithm should be written for the JVM (that would be less efficient in the browser). Maybe let's start with a single, shared, algorithm andadd the URL.encode-based one later (and benchmark!) SGTM... -- http://groups.google.com/group/Google-Web-Toolkit-Contributors