goog.html.SafeScript
A string-like object which represents JavaScript code and that carries the security type contract that its value, as a string, will not cause execution of unconstrained attacker controlled code (XSS) when evaluated as JavaScript in a browser.
Instances of this type must be created via the factory method `SafeScript.fromConstant` and not by invoking its constructor. The constructor intentionally takes an extra parameter that cannot be constructed outside of this file and the type is immutable; hence only a default instance corresponding to the empty string can be obtained via constructor invocation.
A SafeScript's string representation can safely be interpolated as the content of a script element within HTML. The SafeScript string should not be escaped before interpolation.
Note that the SafeScript might contain text that is attacker-controlled but that text should have been interpolated with appropriate escaping, sanitization and/or validation into the right location in the script, such that it is highly constrained in its effect (for example, it had to match a set of whitelisted words).
A SafeScript can be constructed via security-reviewed unchecked conversions. In this case producers of SafeScript must ensure themselves that the SafeScript does not contain unsafe script. Note in particular that `<` is dangerous, even when inside JavaScript strings, and so should always be forbidden or JavaScript escaped in user controlled input. For example, if `</script><script>evil</script>"` were interpolated inside a JavaScript string, it would break out of the context of the original script element and `evil` would execute. Also note that within an HTML script (raw text) element, HTML character references, such as `&lt;`, are not allowed. See http://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements.
Creating SafeScript objects HAS SIDE-EFFECTS due to calling the Trusted Types Web API.
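The following is an added example and not Closure Library code: a minimal, self-contained model of the type contract described above (a private constructor token so that only the module's factory can produce a non-empty instance, an unwrap sink that checks the type) together with the JavaScript-escaping step the text requires for attacker-controlled text placed inside a script. The names `SafeScript`, `fromConstant`, `unwrap`, `EMPTY`, `jsLiteral`, `assignValue`, `toScriptElement` and `containsRawLessThan` are this example's own; only `fromConstant` and `unwrap` mirror names on the page, and the sample input is constructed from the break-out string the text uses.

```javascript
// Added example (not Closure Library code): a minimal model of the SafeScript
// type contract described on this page.

// Private token held only by this module; it plays the role of the
// constructor's "extra parameter that cannot be constructed outside of this
// file".
const CONSTRUCTOR_TOKEN = Symbol('SafeScript private constructor token');

class SafeScript {
  constructor(script, token) {
    // Without the private token the instance wraps the empty string, so code
    // outside this module cannot forge a non-empty SafeScript via `new`.
    this.wrappedValue_ = token === CONSTRUCTOR_TOKEN ? String(script) : '';
    Object.freeze(this); // the type is immutable
  }

  // Factory for script text that is a compile-time constant (author-written
  // code, never attacker-controlled); analogous to SafeScript.fromConstant.
  static fromConstant(constantScript) {
    return new SafeScript(constantScript, CONSTRUCTOR_TOKEN);
  }

  // Returns the wrapped JavaScript source. Throws on anything that is not a
  // genuine SafeScript, so the contract is enforced at the sink.
  static unwrap(safeScript) {
    if (!(safeScript instanceof SafeScript)) {
      throw new TypeError('expected a SafeScript, got ' + typeof safeScript);
    }
    return safeScript.wrappedValue_;
  }
}

SafeScript.EMPTY = SafeScript.fromConstant('');

// Serialise a runtime (possibly attacker-controlled) value as a JavaScript
// literal that is safe inside a script element: JSON.stringify yields a valid
// JS expression, and every `<` is then JavaScript-escaped as \x3c so the
// literal can never contain "</script" (the break-out described above).
// U+2028/U+2029 are escaped as well because they end string literals in
// older engines.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\x3c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the statement `var <name> = <literal>;` as a SafeScript (hypothetical
// helper). The variable name must be an author-chosen identifier; the value
// may come from user input because jsLiteral constrains what it can do.
function assignValue(variableName, value) {
  if (!/^[A-Za-z_$][\w$]*$/.test(variableName)) {
    throw new Error('variable name must be an identifier: ' + variableName);
  }
  const statement = 'var ' + variableName + ' = ' + jsLiteral(value) + ';';
  return new SafeScript(statement, CONSTRUCTOR_TOKEN);
}

// Interpolate a SafeScript as script element content. As the page states, the
// SafeScript string is NOT escaped here; the contract already guarantees it
// cannot terminate the element.
function toScriptElement(safeScript) {
  return '<script>' + SafeScript.unwrap(safeScript) + '</script>';
}

// Defender-side check for text destined for a script element: the page's rule
// is that a raw `<` must never get through, which rules out "</script" in
// any casing.
function containsRawLessThan(text) {
  return text.includes('<');
}

// Constructed sample input: the break-out string quoted in the documentation.
const USER_INPUT = '</script><script>evil</script>"';
const page = toScriptElement(assignValue('userName', USER_INPUT));

// Round-trip: a JS engine evaluates the escaped literal back to the original
// string, while the HTML contains only the one closing tag at the end.
const roundTrip = new Function('return ' + jsLiteral(USER_INPUT))();
console.log(page);
console.log('round-trip intact:', roundTrip === USER_INPUT);
```

The two halves of the contract are visible here: `unwrap` is the only way to get script text out, and it refuses anything that is not an instance produced with the private token, so the only unchecked path into the type is the module's own factory code, which is where review effort should concentrate.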
`new SafeScript(arg0, arg1)`