public final class SafeHtmlBuilder extends Object
StringBuilder
; unlike a
StringBuilder
, it automatically HTML-escapes appended input where
necessary.
In addition, it supports methods that allow strings with HTML markup to be
appended without escaping: One can append other SafeHtml
objects, and
one can append constant strings. The method that appends constant strings
(appendHtmlConstant(String)
) requires a convention of use to be
adhered to in order for this class to adhere to the contract required by
SafeHtml
: The argument expression must be fully determined and known
to be safe at compile time, and the value of the argument must not contain
incomplete HTML tags. See appendHtmlConstant(String)
for details.
The accumulated XSS-safe HTML can be obtained in the form of a
SafeHtml
via the toSafeHtml()
method.
This class is not thread-safe.
Constructor and Description |
---|
SafeHtmlBuilder()
Constructs an empty SafeHtmlBuilder.
|
Modifier and Type | Method and Description |
---|---|
SafeHtmlBuilder |
append(boolean b)
Appends the string representation of a boolean.
|
SafeHtmlBuilder |
append(byte num)
Appends the string representation of a number.
|
SafeHtmlBuilder |
append(char c)
Appends the string representation of a char.
|
SafeHtmlBuilder |
append(double num)
Appends the string representation of a number.
|
SafeHtmlBuilder |
append(float num)
Appends the string representation of a number.
|
SafeHtmlBuilder |
append(int num)
Appends the string representation of a number.
|
SafeHtmlBuilder |
append(long num)
Appends the string representation of a number.
|
SafeHtmlBuilder |
append(SafeHtml html)
Appends the contents of another
SafeHtml object, without applying
HTML-escaping to it. |
SafeHtmlBuilder |
appendEscaped(String text)
Appends a string after HTML-escaping it.
|
SafeHtmlBuilder |
appendEscapedLines(String text)
Appends a string consisting of several newline-separated lines after
HTML-escaping it.
|
SafeHtmlBuilder |
appendHtmlConstant(String html)
Appends a compile-time-constant string, which will not be escaped.
|
SafeHtml |
toSafeHtml()
Returns the safe HTML accumulated in the builder as a
SafeHtml . |
public SafeHtmlBuilder append(boolean b)
b
- the boolean whose string representation to appendpublic SafeHtmlBuilder append(byte num)
num
- the number whose string representation to appendpublic SafeHtmlBuilder append(char c)
c
- the character whose string representation to appendSafeHtmlUtils.htmlEscape(char)
public SafeHtmlBuilder append(double num)
num
- the number whose string representation to appendpublic SafeHtmlBuilder append(float num)
num
- the number whose string representation to appendpublic SafeHtmlBuilder append(int num)
num
- the number whose string representation to appendpublic SafeHtmlBuilder append(long num)
num
- the number whose string representation to appendpublic SafeHtmlBuilder append(SafeHtml html)
SafeHtml
object, without applying
HTML-escaping to it.html
- the SafeHtml
to appendpublic SafeHtmlBuilder appendEscaped(String text)
text
- the string to appendSafeHtmlUtils.htmlEscape(String)
public SafeHtmlBuilder appendEscapedLines(String text)
<br>
tags.text
- the string to appendSafeHtmlUtils.htmlEscape(String)
public SafeHtmlBuilder appendHtmlConstant(String html)
Important: For this class to be able to honor its contract as
required by SafeHtml
, all uses of this method must satisfy the
following constraints:
<a>
tag is incomplete:
shb.appendHtmlConstant("<a href='").append(url)
The first constraint provides a sufficient condition that the appended
string (and any HTML markup contained in it) originates from a trusted
source. The second constraint ensures the composability of SafeHtml
values.
When executing client-side in Development Mode, or server-side with
assertions enabled, the argument is HTML-parsed and validated to satisfy
the second constraint (the server-side check can also be enabled
programmatically, see
SafeHtmlHostedModeUtils.maybeCheckCompleteHtml(String)
for
details). For performance reasons, this check is not performed in prod mode
on the client, and with assertions disabled on the server.
html
- the HTML snippet to be appendedIllegalArgumentException
- if not running in prod mode and html
violates the second constraintCopyright © 2016. All rights reserved.