goog.dom.safe
Functions
assignLocation( loc, url ) → void
Safely assigns the URL of a Location object.
If url is of type goog.html.SafeUrl, its value is unwrapped and passed to Location#assign. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
Example usage: goog.dom.safe.assignLocation(document.location, newUrl); which is a safe alternative to document.location.assign(newUrl); The latter can result in XSS vulnerabilities if newUrl is a user-/attacker-controlled value.
This has the same behaviour as setLocationHref; however, some tests mock Location.assign instead of a property assignment.
createContextualFragment( range, html ) → (DocumentFragment|null)
Creates a DocumentFragment by parsing html in the context of a Range.
createImageFromBlob( blob ) → HTMLImageElement
Safely creates an HTMLImageElement from a Blob.
Example usage: goog.dom.safe.createImageFromBlob(blob); which is a safe alternative to image.src = createObjectUrl(blob); The latter can result in executing malicious same-origin scripts from a bad Blob.
Throws
documentWrite( doc, html ) → void
Writes known-safe HTML to a document.
getScriptNonce( opt_window ) → string
Returns CSP script nonce, if set for any
getStyleNonce( opt_window ) → string
Returns CSP style nonce, if set for any
insertAdjacentHtml( node, position, html ) → void
Inserts known-safe HTML into a Node, at the specified position.
openInWindow( url, opt_openerWin, opt_name, opt_specs ) → (Window|null)
Safely opens a URL in a new window (via window.open).
If url is of type goog.html.SafeUrl, its value is unwrapped and passed in to window.open. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
Note that this function does not prevent leaks via the Referer header sent by window.open. It is advised to use this only to open first-party URLs.
Example usage: goog.dom.safe.openInWindow(url); which is a safe alternative to window.open(url); The latter can result in XSS vulnerabilities if url is a user-/attacker-controlled value.
parseFromString( parser, content, type ) → Document
Parses the string.
parseFromStringHtml( parser, html ) → Document
Parses the HTML as 'text/html'.
replaceLocation( loc, url ) → void
Safely replaces the URL of a Location object.
If url is of type goog.html.SafeUrl, its value is unwrapped and passed to Location#replace. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
Example usage: goog.dom.safe.replaceLocation(document.location, newUrl); which is a safe alternative to document.location.replace(newUrl); The latter can result in XSS vulnerabilities if newUrl is a user-/attacker-controlled value.
setAnchorHref( anchor, url ) → void
Safely assigns a URL to an anchor element's href property.
If url is of type goog.html.SafeUrl, its value is unwrapped and assigned to anchor's href property. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
Example usage: goog.dom.safe.setAnchorHref(anchorEl, url); which is a safe alternative to anchorEl.href = url; The latter can result in XSS vulnerabilities if url is a user-/attacker-controlled value.
setAudioSrc( audioElement, url ) → void
Safely assigns a URL to an audio element's src property.
If url is of type goog.html.SafeUrl, its value is unwrapped and assigned to audio's src property. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
setButtonFormAction( button, url ) → void
Safely assigns a URL to a button element's formaction property.
If url is of type goog.html.SafeUrl, its value is unwrapped and assigned to button's formaction property. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
Example usage: goog.dom.safe.setButtonFormAction(buttonEl, url); which is a safe alternative to buttonEl.formAction = url; The latter can result in XSS vulnerabilities if url is a user-/attacker-controlled value.
setEmbedSrc( embed, url ) → void
Safely assigns a URL to an embed element's src property.
Example usage: goog.dom.safe.setEmbedSrc(embedEl, url); which is a safe alternative to embedEl.src = url; The latter can result in loading untrusted code unless it is ensured that the URL refers to a trustworthy resource.
setFormElementAction( form, url ) → void
Safely assigns a URL to a form element's action property.
If url is of type goog.html.SafeUrl, its value is unwrapped and assigned to form's action property. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
Example usage: goog.dom.safe.setFormElementAction(formEl, url); which is a safe alternative to formEl.action = url; The latter can result in XSS vulnerabilities if url is a user-/attacker-controlled value.
setFrameSrc( frame, url ) → void
Safely assigns a URL to a frame element's src property.
Example usage: goog.dom.safe.setFrameSrc(frameEl, url); which is a safe alternative to frameEl.src = url; The latter can result in loading untrusted code unless it is ensured that the URL refers to a trustworthy resource.
Deprecated: Use safevalues.dom.safeIframeEl.setSrc instead.
setIframeSrc( iframe, url ) → void
Safely assigns a URL to an iframe element's src property.
Example usage: goog.dom.safe.setIframeSrc(iframeEl, url); which is a safe alternative to iframeEl.src = url; The latter can result in loading untrusted code unless it is ensured that the URL refers to a trustworthy resource.
setIframeSrcdoc( iframe, html ) → void
Safely assigns HTML to an iframe element's srcdoc property.
Example usage: goog.dom.safe.setIframeSrcdoc(iframeEl, safeHtml); which is a safe alternative to iframeEl.srcdoc = html; The latter can result in loading untrusted code.
setInnerHtml( elem, html ) → void
Assigns known-safe HTML to an element's innerHTML property.
Throws
setInnerHtmlFromConstant( element, constHtml ) → void
Assigns constant HTML to an element's innerHTML property.
Throws
setInputFormAction( input, url ) → void
Safely assigns a URL to an input element's formaction property.
If url is of type goog.html.SafeUrl, its value is unwrapped and assigned to input's formaction property. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
Example usage: goog.dom.safe.setInputFormAction(inputEl, url); which is a safe alternative to inputEl.formAction = url; The latter can result in XSS vulnerabilities if url is a user-/attacker-controlled value.
setLinkHrefAndRel( link, url, rel ) → void
Safely sets a link element's href and rel properties. Whether or not the URL assigned to href has to be a goog.html.TrustedResourceUrl depends on the value of the rel property. If rel contains "stylesheet" then a TrustedResourceUrl is required.
Example usage: goog.dom.safe.setLinkHrefAndRel(linkEl, url, 'stylesheet'); which is a safe alternative to linkEl.rel = 'stylesheet'; linkEl.href = url; The latter can result in loading untrusted code unless it is ensured that the URL refers to a trustworthy resource.
Throws
setLocationHref( loc, url ) → void
Safely assigns a URL to a Location object's href property.
If url is of type goog.html.SafeUrl, its value is unwrapped and assigned to loc's href property. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
Example usage: goog.dom.safe.setLocationHref(document.location, redirectUrl); which is a safe alternative to document.location.href = redirectUrl; The latter can result in XSS vulnerabilities if redirectUrl is a user-/attacker-controlled value.
setObjectData( object, url ) → void
Safely assigns a URL to an object element's data property.
Example usage: goog.dom.safe.setObjectData(objectEl, url); which is a safe alternative to objectEl.data = url; The latter can result in loading untrusted code unless it is ensured that the URL refers to a trustworthy resource.
setOuterHtml( elem, html ) → void
Assigns known-safe HTML to an element's outerHTML property.
setScriptContent( script, content ) → void
Safely assigns a value to a script element's content.
Example usage: goog.dom.safe.setScriptContent(scriptEl, content); which is a safe alternative to scriptEl.text = content; The latter can result in executing untrusted code unless it is ensured that the code is loaded from a trustworthy resource.
setScriptSrc( script, url ) → void
Safely assigns a URL to a script element's src property.
Example usage: goog.dom.safe.setScriptSrc(scriptEl, url); which is a safe alternative to scriptEl.src = url; The latter can result in loading untrusted code unless it is ensured that the URL refers to a trustworthy resource.
setStyle( elem, style ) → void
Sets the given element's style property to the contents of the provided SafeStyle object.
setVideoSrc( videoElement, url ) → void
Safely assigns a URL to a video element's src property.
If url is of type goog.html.SafeUrl, its value is unwrapped and assigned to video's src property. If url is of type string however, it is first sanitized using goog.html.SafeUrl.sanitize.
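The "unwrap a SafeUrl, otherwise sanitize the string" rule stated above for assignLocation, replaceLocation, setLocationHref, setAnchorHref, setAudioSrc, setVideoSrc, setFormElementAction, setButtonFormAction and setInputFormAction, together with the rel check of setLinkHrefAndRel, modelled in plain JavaScript. This is an added example and not Closure Library code: the SafeUrl and TrustedResourceUrl classes, the scheme pattern and the about:invalid replacement value are assumptions that approximate goog.html.SafeUrl, and the Location and element objects are constructed stand-ins so that it runs under Node without a DOM.

```javascript
'use strict';
// Added example, not Closure Library code. It models the contract shared by
// goog.dom.safe's URL setters (unwrap a SafeUrl, sanitize a string) and the
// rel check of setLinkHrefAndRel. SafeUrl, TrustedResourceUrl, the scheme
// pattern and INNOCUOUS_URL are assumptions approximating goog.html.SafeUrl.

// Value a rejected string is replaced with (assumed to match goog.html.SafeUrl).
const INNOCUOUS_URL = 'about:invalid#zClosurez';

// Assumed allow-list: http(s), mailto, ftp, or a scheme-less URL. A string whose
// first ':' comes before any '/', '?' or '#' carries some other scheme
// (javascript:, data:, vbscript:, ...) and is rejected. Scheme-relative URLs
// such as //attacker.example still pass: this blocks script execution, not
// open redirects.
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp):|[^:/?#]*(?:[/?#]|$))/i;

// Branded wrappers. In Closure the constructors are private, so holding an
// instance is the trust decision; here anyone can construct one, which is the
// part a real code base has to lock down.
class SafeUrl {
  constructor(value) { this.value = value; }
  static sanitize(s) {
    return new SafeUrl(SAFE_URL_PATTERN.test(s) ? s : INNOCUOUS_URL);
  }
}
class TrustedResourceUrl {
  constructor(value) { this.value = value; }
}

// The shared rule: a SafeUrl is unwrapped as-is, anything else is sanitized.
function unwrapOrSanitize(url) {
  return url instanceof SafeUrl ? url.value : SafeUrl.sanitize(String(url)).value;
}

function assignLocation(loc, url) { loc.assign(unwrapOrSanitize(url)); }
function setAnchorHref(anchor, url) { anchor.href = unwrapOrSanitize(url); }

// A rel containing "stylesheet" makes the href a resource that is executed as
// CSS, so only a TrustedResourceUrl is accepted in that case.
function setLinkHrefAndRel(link, url, rel) {
  link.rel = rel;
  if (/stylesheet/i.test(rel)) {
    if (!(url instanceof TrustedResourceUrl)) {
      throw new Error('rel containing "stylesheet" requires a TrustedResourceUrl');
    }
    link.href = url.value;
  } else if (url instanceof TrustedResourceUrl) {
    link.href = url.value;
  } else {
    link.href = unwrapOrSanitize(url);
  }
}

// Constructed stand-in for a Location that records assign() calls; plain
// objects stand in for <a> and <link> elements below.
function fakeLocation() {
  const calls = [];
  return { calls, assign(u) { calls.push(u); } };
}

// Runs the cases a reviewer would want to see and returns the observed values.
function demo() {
  const loc = fakeLocation();
  assignLocation(loc, 'https://example.com/home');            // kept
  assignLocation(loc, 'javascript:alert(document.domain)');   // replaced
  assignLocation(loc, 'JAVA\nSCRIPT:alert(1)');               // ':' still first
  assignLocation(loc, '/relative?next=x#frag');               // kept
  assignLocation(loc, SafeUrl.sanitize('data:text/html,<script>1</script>'));

  const anchor = {};
  setAnchorHref(anchor, 'MAILTO:security@example.com');       // case-insensitive

  const sheet = {};
  setLinkHrefAndRel(sheet, new TrustedResourceUrl('/static/app.css'), 'stylesheet');
  const prefetch = {};
  setLinkHrefAndRel(prefetch, 'javascript:alert(1)', 'prefetch');
  let stylesheetStringRejected = false;
  try {
    setLinkHrefAndRel({}, 'https://cdn.example/x.css', 'stylesheet');
  } catch (e) {
    stylesheetStringRejected = true;
  }

  return {
    locCalls: loc.calls,
    anchorHref: anchor.href,
    sheetHref: sheet.href,
    prefetchHref: prefetch.href,
    stylesheetStringRejected,
    schemeRelativeKept: SafeUrl.sanitize('//attacker.example/x').value,
  };
}
```

Two points the example makes visible: the string path neutralises javascript: and data: inputs by substituting the innocuous URL rather than throwing, so application code cannot tell the difference without checking the result; and a plain https: string is still refused for a stylesheet link, because the trust for a resource URL is carried by the TrustedResourceUrl type, not by the string's scheme.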
unsafeSetInnerHtmlDoNotUseOrElse( elem, html ) → void
Assigns HTML to an element's innerHTML property. Helper to use only here and in soy.js.