Don't escape my html string...
62 views
Skip to first unread message
Paul Schwarz
Dec 24, 2010, 4:47:09 AM12/24/10
to Google Web Toolkit
Hi all,
I am aware of the new SafeHtml facilities of GWT 2.1.
I have a case where I am using a CellTable and have a column that
takes a ClickableTextCell to render a string. The strings I want to
render come from a trusted source (nearby within the same method) and
contain <em> tags which are on the whitelist of the sanitizer.
Here is a simplified version of my code:
Column<ClientModel, String> clickColumn =
new Column<ClientModel, String>(new ClickableTextCell()) {
@Override
public String getValue(ClientModel model) {
String output = model.getName() + " <em>" + model.getDesc() + "</
em>";
return output;
}
};
I have tried all sorts of things instead of my "return output;" such
as:
return SafeHtmlUtils.fromTrustedString(output);
... but I keep getting literally "XYZ <em>a little description</em>"
output on the screen.
Two solutions:
1) figure out how to get GWT to trust my html and output actual html
2) figure out how to use the template/builder/util of the SafeHtml
mechanism properly to help me in this instance
I'm making no real progress with either, please help!
I am aware of the new SafeHtml facilities of GWT 2.1.
I have a case where I am using a CellTable and have a column that
takes a ClickableTextCell to render a string. The strings I want to
render come from a trusted source (nearby within the same method) and
contain <em> tags which are on the whitelist of the sanitizer.
Here is a simplified version of my code:
Column<ClientModel, String> clickColumn =
new Column<ClientModel, String>(new ClickableTextCell()) {
@Override
public String getValue(ClientModel model) {
String output = model.getName() + " <em>" + model.getDesc() + "</
em>";
return output;
}
};
I have tried all sorts of things instead of my "return output;" such
as:
return SafeHtmlUtils.fromTrustedString(output);
... but I keep getting literally "XYZ <em>a little description</em>"
output on the screen.
Two solutions:
1) figure out how to get GWT to trust my html and output actual html
2) figure out how to use the template/builder/util of the SafeHtml
mechanism properly to help me in this instance
I'm making no real progress with either, please help!
Paul Schwarz
Dec 24, 2010, 10:25:09 AM12/24/10
to Google Web Toolkit
Ok, I think I've got it. I didn't realise that ClickableTextCell can
now (in 2.1) take a SafeHtmlRenderer as an argument, and in turn that
object can render the html just the way I want
Column<ClientModel, String> clickColumn = new Column<ClientModel,
String>(
new ClickableTextCell(
new SafeHtmlRenderer<String>() {
@Override
public void render(String result, SafeHtmlBuilder builder) {
builder.appendHtmlConstant(result);
}
@Override
public SafeHtml render(String result) {
return SafeHtmlUtils.fromTrustedString(result);
}
}
)
STRING IS TRUSTED FOR HTML INJECTION, BUT CAN CONTAIN <em> ELEMENTS
}
};
now (in 2.1) take a SafeHtmlRenderer as an argument, and in turn that
object can render the html just the way I want
Column<ClientModel, String> clickColumn = new Column<ClientModel,
String>(
new ClickableTextCell(
@Override
public void render(String result, SafeHtmlBuilder builder) {
builder.appendHtmlConstant(result);
}
@Override
public SafeHtml render(String result) {
return SafeHtmlUtils.fromTrustedString(result);
}
}
)
)
{
@Override
public String getValue(ClientModel model) {
return model == null ? null : model.getDisplayName(); // THIS
{
@Override
public String getValue(ClientModel model) {
STRING IS TRUSTED FOR HTML INJECTION, BUT CAN CONTAIN <em> ELEMENTS
}
};
Reply all
Reply to author
Forward
0 new messages