java.lang.Object | |
↳ | com.google.gwt.safehtml.shared.SafeHtmlBuilder |
A builder that facilitates the building up of XSS-safe HTML from text snippets. It is used essentially like a StringBuilder; unlike a StringBuilder, it automatically HTML-escapes appended input where necessary.
In addition, it supports methods that allow strings with HTML markup to be
appended without escaping: One can append other SafeHtml
objects, and
one can append constant strings. The method that appends constant strings
(appendHtmlConstant(String)
) requires a convention of use to be
adhered to in order for this class to adhere to the contract required by
SafeHtml
: The argument expression must be fully determined and known
to be safe at compile time, and the value of the argument must not contain
incomplete HTML tags. See appendHtmlConstant(String)
for details.
The accumulated XSS-safe HTML can be obtained in the form of a
SafeHtml
via the toSafeHtml()
method.
This class is not thread-safe.
Public Constructors | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Constructs an empty SafeHtmlBuilder.
|
Public Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Appends the string representation of a number.
| |||||||||||
Appends the string representation of a number.
| |||||||||||
Appends the string representation of a number.
| |||||||||||
Appends the string representation of a boolean.
| |||||||||||
Appends the string representation of a number.
| |||||||||||
Appends the contents of another
SafeHtml object, without applying
HTML-escaping to it. | |||||||||||
Appends the string representation of a char.
| |||||||||||
Appends the string representation of a number.
| |||||||||||
Appends a string after HTML-escaping it.
| |||||||||||
Appends a string consisting of several newline-separated lines after
HTML-escaping it.
| |||||||||||
Appends a compile-time-constant string, which will not be escaped.
| |||||||||||
Returns the safe HTML accumulated in the builder as a
SafeHtml . |
[Expand]
Inherited Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
java.lang.Object
|
Constructs an empty SafeHtmlBuilder.
Appends the string representation of a number.
num | the number whose string representation to append |
---|
Appends the string representation of a number.
num | the number whose string representation to append |
---|
Appends the string representation of a number.
num | the number whose string representation to append |
---|
Appends the string representation of a boolean.
b | the boolean whose string representation to append |
---|
Appends the string representation of a number.
num | the number whose string representation to append |
---|
Appends the string representation of a char.
c | the character whose string representation to append |
---|
Appends the string representation of a number.
num | the number whose string representation to append |
---|
Appends a string after HTML-escaping it.
text | the string to append |
---|
Appends a string consisting of several newline-separated lines after
HTML-escaping it. Newlines in the original string are converted to <br>
.
text | the string to append |
---|
Appends a compile-time-constant string, which will not be escaped.
Important: For this class to be able to honor its contract as
required by SafeHtml
, all uses of this method must satisfy the
following constraints:
<a>
tag is incomplete:
shb.appendConstantHtml("<a href='").append(url)
The first constraint provides a sufficient condition that the appended
string (and any HTML markup contained in it) originates from a trusted
source. The second constraint ensures the composability of SafeHtml
values.
When executing client-side in Development Mode, or server side with
assertions enabled, the argument is HTML-parsed and validated to satisfy
the second constraint (the server-side check can also be enabled
programmatically, see
maybeCheckCompleteHtml(String)
for
details). For performance reasons, this check is not performed in prod mode
on the client, and with assertions disabled on the server.
html | the HTML snippet to be appended |
---|
IllegalArgumentException | if not running in prod mode and html violates the second constraint
|
---|
Returns the safe HTML accumulated in the builder as a SafeHtml
.