java.lang.Object
   ↳ com.google.gwt.safehtml.shared.SafeHtmlUtils
Utility class containing static methods for escaping and sanitizing strings.
Fields | |
---|---|
EMPTY_SAFE_HTML | An empty String. |
Public Methods |
---|
Returns a SafeHtml constructed from a safe string, i.e., without escaping the string. |
Returns a SafeHtml containing the escaped string. |
Returns a SafeHtml constructed from a trusted string, i.e., without escaping the string. |
HTML-escapes a string. |
HTML-escapes a string, but does not double-escape HTML-entities already present in the string. |
Inherited Methods |
---|
From class java.lang.Object |
Returns a SafeHtml constructed from a safe string, i.e., without escaping the string.
Important: For this method to be able to honor the SafeHtml
contract, all uses of this method must satisfy the following constraints:
<a> tag is incomplete:
shb.appendConstantHtml("<a href='").append(url)
The first constraint provides a sufficient condition that the argument (and
any HTML markup contained in it) originates from a trusted source. The
second constraint ensures the composability of SafeHtml
values.
When executing client-side in Development Mode, or server side with
assertions enabled, the argument is HTML-parsed and validated to satisfy
the second constraint (the server-side check can also be enabled
programmatically, see maybeCheckCompleteHtml(String) for details).
For performance reasons, this check is not performed in
Production Mode on the client, and with assertions disabled on the server.
s | the string to be wrapped as a SafeHtml |
---|
s, wrapped as a SafeHtml
IllegalArgumentException | if not running in Production Mode and html violates the second constraint |
---|
Returns a SafeHtml containing the escaped string.
s | the input String |
---|
Returns a SafeHtml constructed from a trusted string, i.e., without
escaping the string. No checks are performed. The calling code should be
carefully reviewed to ensure the argument meets the SafeHtml contract.
s | the input String |
---|
HTML-escapes a string.
Note: The following variants of this function were profiled on FF36, Chrome6, IE8:
#1) for each case, check indexOf, then use s.replace(regex, string)
#2) for each case, check indexOf, then use s.replaceAll()
#3) check if any metachar is present using a regex, then use #1
#4) for each case, use s.replace(regex, string)
#1 was found to be the fastest, and is used below.
s | the string to be escaped |
---|
HTML-escapes a string, but does not double-escape HTML-entities already present in the string.
text | the string to be escaped |
---|
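An added example, not part of the GWT documentation: the methods described above used together, showing where escaping happens, how the two escaping variants treat an existing entity, and how the complete-HTML check reacts to the incomplete tag quoted earlier. It assumes gwt-user is on the classpath and the JVM runs with `-ea` so the server-side check is active; the class name and sample strings are constructed, and `fromSafeConstant`, `fromString`, `htmlEscape` and `htmlEscapeAllowEntities` are the `SafeHtmlUtils` methods.

```java
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;

// Added illustration, not GWT source. Class, method and sample values are hypothetical.
public final class SafeHtmlUtilsContractDemo {

  // A literal made of complete tags: it ends in inner-HTML context.
  private static final SafeHtml SEPARATOR = SafeHtmlUtils.fromSafeConstant("<hr>");

  // Untrusted values are placed only in inner-HTML context and only after
  // escaping; every constant fragment leaves the parser outside a tag.
  static SafeHtml renderComment(String untrustedAuthor, String untrustedBody) {
    return new SafeHtmlBuilder()
        .appendHtmlConstant("<p><b>")
        .append(SafeHtmlUtils.fromString(untrustedAuthor)) // escaped, then wrapped
        .appendHtmlConstant("</b>: ")
        .appendEscaped(untrustedBody)                      // escaped by the builder
        .appendHtmlConstant("</p>")
        .append(SEPARATOR)
        .toSafeHtml();
  }

  public static void main(String[] args) {
    // Constructed sample input containing markup and metacharacters.
    SafeHtml comment = renderComment("<i>guest</i>", "1 < 2 && \"quoted\"");
    System.out.println(comment.asString());

    // Constructed sample: text that already contains an HTML entity.
    String stored = "Tom &amp; Jerry <script>";
    // htmlEscape escapes the '&' of the existing entity a second time.
    System.out.println(SafeHtmlUtils.htmlEscape(stored));
    // htmlEscapeAllowEntities leaves the entity alone but still escapes < and >.
    System.out.println(SafeHtmlUtils.htmlEscapeAllowEntities(stored));

    // The incomplete <a> tag quoted in the text above. The check runs only
    // with assertions enabled or in Development Mode; otherwise nothing is thrown.
    try {
      SafeHtmlUtils.fromSafeConstant("<a href='");
      System.out.println("not checked: assertions are disabled");
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Because the check is skipped in Production Mode and with assertions disabled, it is a development-time aid; code review of every unescaped wrap remains the control that holds in production.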