goog.html.SafeHtml
| Module ID | |
|---|---|
| All Implemented Interfaces |
A string that is safe to use in HTML context in DOM APIs and HTML documents.
A SafeHtml is a string-like object that carries the security type contract that its value as a string will not cause untrusted script execution when evaluated as HTML in a browser.
Values of this type are guaranteed to be safe to use in HTML contexts, such as, assignment to the innerHTML DOM property, or interpolation into a HTML template in HTML PC_DATA context, in the sense that the use will not result in a Cross-Site-Scripting vulnerability.
Instances of this type must be created via the factory methods
(SafeHtml.create, SafeHtml.htmlEscape),
etc and not by invoking its constructor. The constructor intentionally takes
an extra parameter that cannot be constructed outside of this file and the
type is immutable; hence only a default instance corresponding to the empty
string can be obtained via constructor invocation.
Creating SafeHtml objects HAS SIDE-EFFECTS due to calling Trusted Types Web API.
Note that there is no SafeHtml.fromConstant. The reason is that
the following code would create an unsafe HTML:
SafeHtml.concat(
SafeHtml.fromConstant(Const.from('<script>')),
SafeHtml.htmlEscape(userInput),
SafeHtml.fromConstant(Const.from('<\/script>')));
There's goog.dom.constHtmlToNode to create a node from constant strings
only.
new SafeHtml( arg0, arg1 )
| Parameters |
| ||||||||
|---|---|---|---|---|---|---|---|---|---|
| See Also | |||||||||
Instance Methods
this.getTypedStringValue() → string
stringReturns this SafeHtml's value as string.
IMPORTANT: In code where it is security relevant that an object's type is
indeed SafeHtml, use SafeHtml.unwrap instead of
this method. If in doubt, assume that it's security relevant. In
particular, note that goog.html functions which return a goog.html type do
not guarantee that the returned instance is of the right type. For example:
var fakeSafeHtml = new String('fake');
fakeSafeHtml.__proto__ = SafeHtml.prototype;
var newSafeHtml = SafeHtml.htmlEscape(fakeSafeHtml);
// newSafeHtml is just an alias for fakeSafeHtml, it's passed through by
// SafeHtml.htmlEscape() as fakeSafeHtml
// instanceof SafeHtml.
| Specified by | ||
|---|---|---|
| Parameters | None. | |
| Returns |
| |
| See Also |
this.toString() → string
stringReturns a string-representation of this value.
To obtain the actual string value wrapped in a SafeHtml, use
SafeHtml.unwrap.
| Parameters | None. | |
|---|---|---|
| Returns |
| |
| See Also |
Instance Properties
this.implementsGoogStringTypedString → boolean
booleanInterface marker of the TypedString interface.
This property can be used to determine at runtime whether or not an object
implements this interface. All implementations of this interface set this
property to true.
| Specified by |
|---|
Exported Functions
canUseSandboxIframe() → boolean
booleancombineAttributes( fixedAttributes, defaultAttributes, attributes ) → Object<string, (string|number|goog.string.TypedString|Object<string, (string|goog.string.Const|goog.html.SafeUrl|Array<(string|goog.string.Const|goog.html.SafeUrl)>|null)>|null|undefined)>
Object<string, (string|number|goog.string.TypedString|Object<string, (string|goog.string.Const|goog.html.SafeUrl|Array<(string|goog.string.Const|goog.html.SafeUrl)>|null)>|null|undefined)>| Parameters |
| ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||||||
| Throws |
| ||||||||||||
comment( text ) → goog.html.SafeHtml
goog.html.SafeHtmlConverts an arbitrary string into an HTML comment by HTML-escaping the contents and embedding the result between HTML comment markers.
Escaping is needed because Internet Explorer supports conditional comments and so may render HTML markup within comments.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
| ||||
concat( ...var_args ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a new SafeHtml object by concatenating values.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
|
create( tagName, attributes, content ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a SafeHtml content consisting of a tag with optional attributes and optional content.
For convenience tag names and attribute names are accepted as regular strings, instead of Const. Nevertheless, you should not pass user-controlled values to these parameters. Note that these parameters are syntactically validated at runtime, and invalid values will result in an exception.
Example usage:
SafeHtml.create('br'); SafeHtml.create('div', {'class': 'a'}); SafeHtml.create('p', {}, 'a'); SafeHtml.create('p', {}, SafeHtml.create('br'));
SafeHtml.create('span', { 'style': {'margin': '0'} });
To guarantee SafeHtml's type contract is upheld there are restrictions on attribute values and tag names.
- For attributes which contain script code (on*), a Const is required.
- For attributes which contain style (style), a SafeStyle or a SafeStyle.PropertyMap is required.
- For attributes which are interpreted as URLs (e.g. src, href) a SafeUrl, Const or string is required. If a string is passed, it will be sanitized with SafeUrl.sanitize().
- For tags which can load code or set security relevant page metadata, more specific SafeHtml.create*() functions must be used. Tags which are not supported by this function are applet, base, embed, iframe, link, math, meta, object, script, style, svg, and template.
| warning Deprecated | Use a recommended templating system like Lit instead. More information: go/goog.html-readme // LINE-INTERNAL |
|---|
| Parameters |
| ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||||||
| Throws |
|
createIframe( src, srcdoc, attributes, content ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a SafeHtml representing an iframe tag.
This by default restricts the iframe as much as possible by setting the sandbox attribute to the empty string. If the iframe requires less restrictions, set the sandbox attribute as tight as possible, but do not rely on the sandbox as a security feature because it is not supported by older browsers. If a sandbox is essential to security (e.g. for third-party frames), use createSandboxIframe which checks for browser support.
| Parameters |
| ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||||||||||
| Throws |
| ||||||||||||||||
| See Also | https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe#attr-sandbox |
createMetaRefresh( url, secs ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a SafeHtml representing a meta refresh tag.
| Parameters |
| ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Returns |
|
createSafeHtmlSecurityPrivateDoNotAccessOrElse( html ) → goog.html.SafeHtml
goog.html.SafeHtmlPackage-internal utility method to create SafeHtml instances.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
|
createSafeHtmlTagSecurityPrivateDoNotAccessOrElse( tagName, attributes, content ) → goog.html.SafeHtml
goog.html.SafeHtmlLike create() but does not restrict which tags can be constructed.
| Parameters |
| ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||||||
| Throws |
| ||||||||||||
createSandboxIframe( src, srcdoc, attributes, content ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a SafeHtml representing a sandboxed iframe tag.
The sandbox attribute is enforced in its most restrictive mode, an empty string. Consequently, the security requirements for the src and srcdoc attributes are relaxed compared to SafeHtml.createIframe. This function will throw on browsers that do not support the sandbox attribute, as determined by SafeHtml.canUseSandboxIframe.
The SafeHtml returned by this function can trigger downloads with no user interaction on Chrome (though only a few, further attempts are blocked). Firefox and IE will block all downloads from the sandbox.
| Parameters |
| ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||||||||||
| Throws |
| ||||||||||||||||
| See Also | https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe#attr-sandbox https://lists.w3.org/Archives/Public/public-whatwg-archive/2013Feb/0112.html |
createScript( script, attributes ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a SafeHtml representing a script tag. Does not allow the language, src, text or type attributes to be set.
| warning Deprecated | Use safevalues.scriptToHtml instead. |
|---|
| Parameters |
| ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||
| Throws |
|
createScriptSrc( src, attributes ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a SafeHtml representing a script tag with the src attribute.
| Parameters |
| ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||
| Throws |
|
createStyle( styleSheet, attributes ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a SafeHtml representing a style tag. The type attribute is set to "text/css".
| Parameters |
| ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||
| Throws |
|
from( textOrHtml ) → goog.html.SafeHtml
goog.html.SafeHtmlCoerces an arbitrary object into a SafeHtml object.
If textOrHtml is already of type SafeHtml, the same
object is returned. Otherwise, textOrHtml is coerced to string, and
HTML-escaped.
| warning Deprecated | Use SafeHtml.htmlEscape. |
|---|
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
|
htmlEscape( textOrHtml ) → goog.html.SafeHtml
goog.html.SafeHtmlReturns HTML-escaped text as a SafeHtml object.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
|
htmlEscapePreservingNewlines( textOrHtml ) → goog.html.SafeHtml
goog.html.SafeHtmlReturns HTML-escaped text as a SafeHtml object, with newlines changed to <br>.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
|
htmlEscapePreservingNewlinesAndSpaces( textOrHtml ) → goog.html.SafeHtml
goog.html.SafeHtmlReturns HTML-escaped text as a SafeHtml object, with newlines changed to <br> and escaping whitespace to preserve spatial formatting. Character entity #160 is used to make it safer for XML.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
|
join( separator, parts ) → goog.html.SafeHtml
goog.html.SafeHtmlCreates a new SafeHtml object by joining the parts with separator.
| Parameters |
| ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||
stringifyAttributes( tagName, attributes ) → string
stringCreates a string with attributes to insert after tagName.
| Parameters |
| ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Returns |
| ||||||||
| Throws |
| ||||||||
unwrap( safeHtml ) → string
stringPerforms a runtime check that the provided object is indeed a SafeHtml object, and returns its value.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
|
unwrapTrustedHTML( safeHtml ) → (TrustedHTML|string)
(TrustedHTML|string)Unwraps value as TrustedHTML if supported or as a string if not.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Returns |
| ||||
| See Also | |||||
verifyTagName( tagName ) → void
voidVerifies if the tag name is valid and if it doesn't change the context. E.g. STRONG is fine but SCRIPT throws because it changes context. See SafeHtml.create for an explanation of allowed tags.
| Parameters |
| ||||
|---|---|---|---|---|---|
| Throws |
| ||||
Exported Properties
AttributeValue → (string|number|goog.string.TypedString|Object<string, (string|goog.string.Const|goog.html.SafeUrl|Array<(string|goog.string.Const|goog.html.SafeUrl)>|null)>|null|undefined)
(string|number|goog.string.TypedString|Object<string, (string|goog.string.Const|goog.html.SafeUrl|Array<(string|goog.string.Const|goog.html.SafeUrl)>|null)>|null|undefined)No information.
BR → goog.html.SafeHtml
goog.html.SafeHtmlA SafeHtml instance corresponding to the
tag.
DOCTYPE_HTML → goog.html.SafeHtml
goog.html.SafeHtmlA SafeHtml instance corresponding to the HTML doctype: "".
EMPTY → goog.html.SafeHtml
goog.html.SafeHtmlA SafeHtml instance corresponding to the empty string.
Compiler Constants
goog.html.SafeHtml.ENABLE_ERROR_MESSAGES → boolean
booleanWhether to strip out error messages or to leave them in.
goog.html.SafeHtml.SUPPORT_STYLE_ATTRIBUTE → boolean
booleanWhether the style attribute is supported. Set to false to avoid the byte
weight of SafeStyle where unneeded. An error will be thrown if
the style attribute is used.