public final class SafeHtmlUtils extends Object
Modifier and Type | Field and Description |
---|---|
static SafeHtml | EMPTY_SAFE_HTML An empty String. |

Modifier and Type | Method and Description |
---|---|
static SafeHtml | fromSafeConstant(String s) Returns a SafeHtml constructed from a safe string, i.e., without escaping the string. |
static SafeHtml | fromString(String s) Returns a SafeHtml containing the escaped string. |
static SafeHtml | fromTrustedString(String s) Returns a SafeHtml constructed from a trusted string, i.e., without escaping the string. |
static String | htmlEscape(char c) HTML-escapes a character. |
static String | htmlEscape(String s) HTML-escapes a string. |
static String | htmlEscapeAllowEntities(String text) HTML-escapes a string, but does not double-escape HTML-entities already present in the string. |
public static final SafeHtml EMPTY_SAFE_HTML

public static SafeHtml fromSafeConstant(String s)
Returns a SafeHtml constructed from a safe string, i.e., without escaping the string.

Important: For this method to be able to honor the SafeHtml contract, all uses of this method must satisfy the following constraints:
<a> tag is incomplete:
shb.appendHtmlConstant("<a href='").append(url)

The first constraint provides a sufficient condition that the argument (and any HTML markup contained in it) originates from a trusted source. The second constraint ensures the composability of SafeHtml values.

When executing client-side in Development Mode, or server-side with assertions enabled, the argument is HTML-parsed and validated to satisfy the second constraint (the server-side check can also be enabled programmatically, see SafeHtmlHostedModeUtils.maybeCheckCompleteHtml(String) for details). For performance reasons, this check is not performed in Production Mode on the client, and with assertions disabled on the server.

Parameters: s - the string to be wrapped as a SafeHtml
Returns: s, wrapped as a SafeHtml
Throws: IllegalArgumentException - if not running in Production Mode and html violates the second constraint

public static SafeHtml fromString(String s)
Returns a SafeHtml containing the escaped string.

Parameters: s - the input String
Returns: a SafeHtml instance

public static SafeHtml fromTrustedString(String s)
Returns a SafeHtml constructed from a trusted string, i.e., without escaping the string. No checks are performed. The calling code should be carefully reviewed to ensure the argument meets the SafeHtml contract.

Parameters: s - the input String
Returns: a SafeHtml instance

public static String htmlEscape(char c)
& - &amp;
< - &lt;
> - &gt;
" - &quot;
' - &#39;

Parameters: c - the character to be escaped

public static String htmlEscape(String s)
Note: The following variants of this function were profiled on FF40, Chrome44, Safari 8 and IE11:
For all browsers #4 was found to be the fastest, and is used below.
The only outlier was Firefox, with #6 being the optimal option, but #6 performs considerably worse in all other browsers.

Parameters: s - the string to be escaped

public static String htmlEscapeAllowEntities(String text)
Parameters: text - the string to be escaped

Copyright © 2018. All rights reserved.
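
The following added example (not taken from the GWT documentation or source) contrasts fromString, fromTrustedString, htmlEscape and htmlEscapeAllowEntities on constructed untrusted input, with the constants passed to appendHtmlConstant ending in inner-HTML context. The class name CommentRenderer, the renderComment helper and the sample strings are assumptions, and the code assumes a plain JVM with the gwt-user jar on the classpath.

```java
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;

public class CommentRenderer {

  // Hypothetical helper: renders one comment whose fields both come from users.
  static SafeHtml renderComment(String author, String body) {
    return new SafeHtmlBuilder()
        // Compile-time constants only; each one ends in inner-HTML context,
        // unlike the incomplete "<a href='" fragment the documentation rejects.
        .appendHtmlConstant("<div class=\"comment\"><b>")
        .appendEscaped(author)                   // escaped with htmlEscape(String)
        .appendHtmlConstant("</b>: ")
        .append(SafeHtmlUtils.fromString(body))  // escaped, then wrapped as SafeHtml
        .appendHtmlConstant("</div>")
        .toSafeHtml();
  }

  public static void main(String[] args) {
    // Constructed sample input standing in for untrusted user data.
    String author = "Tom & Jerry";
    String body = "<script>alert(1)</script> it's \"quoted\"";

    // Safe path: markup characters in both fields are emitted as entities.
    System.out.println(renderComment(author, body).asString());

    // Misuse: fromTrustedString performs no checks, so the same input
    // comes back with its markup intact and would be parsed as HTML.
    System.out.println(SafeHtmlUtils.fromTrustedString(body).asString());

    // Text that already contains an entity: htmlEscape escapes its ampersand
    // again, htmlEscapeAllowEntities keeps the entity and escapes the rest.
    String preEncoded = "Fish &amp; chips <b>";
    System.out.println(SafeHtmlUtils.htmlEscape(preEncoded));
    System.out.println(SafeHtmlUtils.htmlEscapeAllowEntities(preEncoded));
  }
}
```

In code review, every call to fromTrustedString and fromSafeConstant is the place to check where the argument originates, since neither method escapes it.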