public static class SafeStyles extends Object

style element, or inside the style attribute of a DOM element.
Note on usage: SafeStyles should be used to ensure user input is not executed in the browser. SafeStyles should not be used to sanitize input before sending it to the server: the server cannot rely on the type contract of SafeStyles values received from clients, because a malicious client could provide maliciously crafted serialized forms of implementations of this type that violate the type contract.
All implementing classes must maintain the class invariant (by design and implementation and/or convention of use) that invoking #asString() on any instance will return a string that is safe to assign to a CSS attribute in a browser, in the sense that doing so must not cause execution of script in the browser. Generally, SafeStyles should be of the form cssPropertyName:value; where neither the name nor the value contains malicious scripts.
SafeStyles may never contain literal angle brackets. Otherwise, it could be unsafe to place a SafeStyles into a <style> tag (where it can't be HTML escaped). For example, if the SafeStyles containing "font: 'foo <style><script>evil</script>'" is used in a style sheet in a <style> tag, this could then break out of the style context into HTML.
SafeStyles may contain literal single or double quotes, and as such the entire style string must be escaped when used in a style attribute (if this were not the case, the string could contain a matching quote that would escape from the style attribute).
Furthermore, values of this type must be composable, i.e. for any two values A and B of this type, A.asString() + B.asString() must itself be a value that satisfies the SafeStyles type constraint.
This requirement implies that for any value A of this type, A.asString() must not end in a "CSS value" or "CSS name" context. For example, a value of background:url(" or font- would not satisfy the SafeStyles contract. This is because concatenating such strings with a second value that itself does not contain unsafe CSS can result in an overall string that does. For example, if javascript:evil())" is appended to background:url(", the resulting string may result in the execution of a malicious script.
The following example values comply with this type's contract:

    width: 1em;
    height:1em;
    width: 1em;height: 1em;
    background:url('http://url');

The following example values do not comply with this type's contract:

    background: red    (missing a trailing semi-colon)
    background:        (missing a value and a trailing semi-colon)
    1em                (missing an attribute name, which provides context for the value)

All implementations must implement equals() and hashCode() to behave consistently with the result of asString().equals() and asString().hashCode().

Implementations must not return null from #asString().
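A checker for the rules above, added here as an example that is not part of GWT or of the SafeStyles interface: it enforces the cssPropertyName:value; form, rejects literal angle brackets and unbalanced quotes, and shows that two conforming values still conform when concatenated. The class name and the regular expression are the example's own assumptions, not anything the library defines.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical contract checker for candidate SafeStyles strings (example code, not GWT's). */
public final class SafeStylesContractCheck {
    // One "cssPropertyName:value;" declaration: a CSS identifier, a colon, a value made of
    // characters that are not angle brackets, semicolons or quotes (or a balanced quoted
    // run), and the terminating ';'. Excluding ';' from the value keeps the match anchored
    // to a single declaration, so the string can be consumed one declaration at a time.
    private static final Pattern DECLARATION = Pattern.compile(
        "\\s*-?[A-Za-z_][A-Za-z0-9_-]*\\s*:\\s*(?:[^<>;'\"]|'[^'<>]*'|\"[^\"<>]*\")+;");

    /** Returns true only when the whole string is a sequence of complete declarations. */
    public static boolean satisfiesContract(String style) {
        if (style == null || style.indexOf('<') >= 0 || style.indexOf('>') >= 0) {
            return false; // literal angle brackets could break out of a <style> block
        }
        String rest = style.trim();
        while (!rest.isEmpty()) {
            Matcher m = DECLARATION.matcher(rest);
            if (!m.lookingAt()) {
                return false; // not a complete name:value; pair (no name, no value, no ';',
            }                 // or a value left open in a quote, e.g. background:url(")
            rest = rest.substring(m.end());
        }
        return true; // the empty string composes with anything
    }

    public static void main(String[] args) {
        String[] ok = { "width: 1em;", "height:1em;", "width: 1em;height: 1em;",
                        "background:url('http://url');" };
        String[] bad = { "background: red", "background:", "1em", "background:url(\"",
                         "font: 'foo <style><script>evil</script>'" };
        for (String s : ok)  System.out.println(satisfiesContract(s) + "  " + s); // true
        for (String s : bad) System.out.println(satisfiesContract(s) + "  " + s); // false
        // Composability: a conforming value appended to another conforming value conforms.
        System.out.println(satisfiesContract(ok[0] + ok[3]));                     // true
    }
}
```

A real SafeStyles implementation would build values from trusted constants or escaped parts rather than validate arbitrary strings after the fact; this checker only makes the documented rules concrete.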
Copyright © 2018. All rights reserved.