HTML-safety best practices


David Hoffer

Mar 20, 2012, 3:22:59 PM
to google-we...@googlegroups.com
I get the following error:

[INFO] Generating method body for img()
[INFO] [WARN] Template with variable in URL attribute context: The
template code generator cannot guarantee HTML-safety of the template
-- please inspect manually or use SafeUri to specify arguments in a
URL attribute context

Using this code template

import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;

interface Template extends SafeHtmlTemplates {
    @Template("<img src=\"{0}\"/>")
    SafeHtml img(String url);
}

What's the right way to make this HTML safe? The url string is
provided by the application not end users of the application. However
I'd like to not have build warnings of this type.

-Dave

Jens

Mar 20, 2012, 4:53:11 PM
to google-we...@googlegroups.com
You should use GWT's UriUtils to construct a SafeUri and your template method should then take a SafeUri as parameter instead of a string.

-- J.

dhoffer

Mar 21, 2012, 11:15:10 AM
to Google Web Toolkit
I have a few questions about this.

If I change to:

import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeUri;

interface Template extends SafeHtmlTemplates {
    @Template("<img src=\"{0}\"/>")
    SafeHtml img(SafeUri safeUri);
}

1. How does the template know to call asString() on the safeUri
instance?

2. With this change I now have the same problem but in the SafeUri
implementation. How do I take a URL variable and sanitize it so it's
safe? Or, because these URLs come from the server, can I just declare
them safe by convention?

3. How do I get rid of the compiler warning? Once I've manually made
these safe is there a way to annotate the @Template usage so the
compiler knows it's safe?

Thanks,
-Dave

Thomas Broyer

Mar 21, 2012, 11:48:08 AM
to google-we...@googlegroups.com


On Wednesday, March 21, 2012 4:15:10 PM UTC+1, dhoffer wrote:
I have a few questions about this.

If I change to:

interface Template extends SafeHtmlTemplates {
        @Template("<img src=\"{0}\"/>")
        SafeHtml img(SafeUri safeUri);
}

1. How does the template know to call asString() on the safeUri
instance?

SafeHtmlTemplates knows about SafeUri (remember the warning it outputs when you use String? ;-) )
 
2. With this change I now have the same problem but in the SafeUri
implementation.  How do I take a URL variable and sanitize it so it's
safe?

UriUtils.fromString()
 
Or, because these URLs come from the server, can I just declare
them safe by convention?

No. Only those URLs that are hard-coded in your client-side app can be trusted.
 
3.  How do I get rid of the compiler warning?  Once I've manually made
these safe is there a way to annotate the @Template usage so the
compiler knows it's safe?

The only way to shut the generator up is to use SafeUri and SafeStyles when it tells you to do so.
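Putting Jens's and Thomas's advice together, here is an added example (not code from this thread or from GWT itself) of a template that takes a SafeUri, with the UriUtils entry points that produce one. The class name ImageRenderer, the placeholder path and the helper method names are my own; the UriUtils methods are the GWT 2.4 ones.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;

// Example class (my own name), showing how a server-provided URL is
// turned into a SafeUri before it reaches the template.
public class ImageRenderer {

  interface Template extends SafeHtmlTemplates {
    // The parameter is a SafeUri, so the template generator knows the
    // value has already been vetted and emits no HTML-safety warning.
    @Template("<img src=\"{0}\"/>")
    SafeHtml img(SafeUri src);
  }

  private static final Template TEMPLATE = GWT.create(Template.class);

  // A literal hard-coded in the client app is the one case Thomas says can
  // be trusted as-is; fromSafeConstant() wraps it without checking it in
  // Production Mode, so only ever pass it a compile-time constant.
  private static final SafeUri PLACEHOLDER =
      UriUtils.fromSafeConstant("images/placeholder.png"); // constructed path

  // Anything that arrived over the wire goes through fromString(), which
  // sanitizes: http, https, ftp, mailto and relative URLs pass through
  // unchanged, any other scheme is replaced by "#".
  public static SafeHtml renderUntrusted(String urlFromServer) {
    return TEMPLATE.img(UriUtils.fromString(urlFromServer));
  }

  // When you want to notice that a URL was rejected (for example to log it
  // or show a placeholder instead of a broken "#" image), test it first.
  public static SafeHtml renderOrPlaceholder(String urlFromServer) {
    if (urlFromServer == null || !UriUtils.isSafeUri(urlFromServer)) {
      return TEMPLATE.img(PLACEHOLDER);
    }
    return TEMPLATE.img(UriUtils.fromString(urlFromServer));
  }
}
```

The point of the design is that sanitization happens exactly once, at the boundary where a String becomes a SafeUri; everything downstream (templates, cells, builders) only ever sees the SafeUri type, which is why the generator can stay quiet. UriUtils.fromTrustedString() also exists, but it performs no sanitization at all and should be reserved for values whose origin you control completely.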

dhoffer

Mar 23, 2012, 4:42:05 PM
to Google Web Toolkit
Okay that makes sense, thanks for the help!

-Dave

On Mar 21, 9:48 am, Thomas Broyer <t.bro...@gmail.com> wrote:
> On Wednesday, March 21, 2012 4:15:10 PM UTC+1, dhoffer wrote:
>
> > I have a few questions about this.
>
> > If I change to:
>
> > interface Template extends SafeHtmlTemplates {
> >         @Template("<img src=\"{0}\"/>")
> >         SafeHtml img(SafeUri safeUri);
> > }
>
> > 1. How does the template know to call asString() on the safeUri
> > instance?
>
> SafeHtmlTemplates knows about SafeUri (remember the warning it outputs when
> you use String? ;-) )
>
> > 2. With this change I now have the same problem but in the SafeUri
> > implementation.  How do I take a URL variable and sanitize it so it's
> > safe?
>
> UriUtils.fromString() (http://google-web-toolkit.googlecode.com/svn/javadoc/latest/com/googl...)

tong123123

Jun 14, 2012, 11:28:54 PM
to google-we...@googlegroups.com
I found that in GWT 2.4 the ImageCell class is

interface Template extends SafeHtmlTemplates {
   @Template("<img src=\"{0}\"/>")
   SafeHtml img(String url);
}

so it will raise the warning
"Template with variable in URL attribute context: The template code generator cannot guarantee HTML-safety of the template --........"
So, to eliminate this warning, do I need to extend the GWT 2.4 ImageCell class?

Thomas Broyer

Jun 15, 2012, 4:13:51 AM
to google-we...@googlegroups.com
GWT 2.5 will add a SafeImageCell based on SafeUri, so I'd advise you to just wait for 2.5 and switch to SafeImageCell (using UriUtils to build a SafeUri out of a String), or possibly copy SafeImageCell in your project to start using it now.
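For readers on GWT 2.4 who want the SafeUri-based cell Thomas describes without waiting for 2.5, here is an added example (my own code, not GWT's SafeImageCell and not from this thread) of a cell whose value type is SafeUri, plus a column that does the String-to-SafeUri conversion once at the data boundary. The class name UriImageCell, the Product row type and getThumbnailUrl() are hypothetical names chosen for the example.

```java
import com.google.gwt.cell.client.AbstractCell;
import com.google.gwt.cell.client.Cell.Context;
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.user.cellview.client.Column;

// Hypothetical stand-in for a SafeUri-based image cell, written against the
// GWT 2.4 cell API; the value type is SafeUri, so nothing unsanitized can
// reach the template.
public class UriImageCell extends AbstractCell<SafeUri> {

  interface Template extends SafeHtmlTemplates {
    @Template("<img src=\"{0}\"/>")
    SafeHtml img(SafeUri url);
  }

  private static Template template;

  public UriImageCell() {
    // Lazily create the template once and share it across all instances.
    if (template == null) {
      template = GWT.create(Template.class);
    }
  }

  @Override
  public void render(Context context, SafeUri value, SafeHtmlBuilder sb) {
    // A null value renders nothing rather than an <img> with an empty src.
    if (value != null) {
      sb.append(template.img(value));
    }
  }

  // Hypothetical row type for the column below.
  public interface Product {
    String getThumbnailUrl();
  }

  // The column is the single place where a server-provided String becomes a
  // SafeUri; fromString() sanitizes it, so unsafe schemes end up as "#".
  public static Column<Product, SafeUri> thumbnailColumn() {
    return new Column<Product, SafeUri>(new UriImageCell()) {
      @Override
      public SafeUri getValue(Product product) {
        String url = product.getThumbnailUrl();
        return url == null ? null : UriUtils.fromString(url);
      }
    };
  }
}
```

Because the cell's value type is SafeUri rather than String, the template generator has nothing to warn about, and a reviewer can audit the whole code base for URL safety by looking only at the call sites of UriUtils.fromString(), fromSafeConstant() and fromTrustedString().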
 