goog.html.SafeStyle
A string-like object which represents a sequence of CSS declarations (`propertyName1: propertyValue1; propertyName2: propertyValue2; ...`) and that carries the security type contract that its value, as a string, will not cause untrusted script execution (XSS) when evaluated as CSS in a browser.
Instances of this type must be created via the factory methods (`SafeStyle.create` or `SafeStyle.fromConstant`) and not by invoking its constructor. The constructor intentionally takes an extra parameter that cannot be constructed outside of this file and the type is immutable; hence only a default instance corresponding to the empty string can be obtained via constructor invocation.
SafeStyle's string representation can safely be:
- Interpolated as the content of a *quoted* HTML style attribute. However, the SafeStyle string *must be HTML-attribute-escaped* before interpolation.
- Interpolated as the content of a {}-wrapped block within a stylesheet. '<' characters in the SafeStyle string *must be CSS-escaped* before interpolation. The SafeStyle string is also guaranteed not to be able to introduce new properties or elide existing ones.
- Interpolated as the content of a {}-wrapped block within an HTML <style> element. '<' characters in the SafeStyle string *must be CSS-escaped* before interpolation.
- Assigned to the style property of a DOM node. The SafeStyle string should not be escaped before being assigned to the property.
A SafeStyle may never contain literal angle brackets. Otherwise, it could be unsafe to place a SafeStyle into a <style> tag (where it can't be HTML escaped). For example, if the SafeStyle containing `font: 'foo <style/><script>evil</script>'` were interpolated within a <style> tag, this would then break out of the style context into HTML.
A SafeStyle may contain literal single or double quotes, and as such the entire style string must be escaped when used in a style attribute (if this were not the case, the string could contain a matching quote that would escape from the style attribute).
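The four sinks listed above each need different handling of the same SafeStyle value. The following helpers are an added example, not Closure Library code, and the names `htmlAttributeEscape`, `cssEscapeLessThan`, `styleAttribute`, `styleRule` and `assignStyle` are assumptions for illustration. They take a string that is assumed to already satisfy the SafeStyle contract and apply only the escaping that the contract requires at each sink; the sample value is constructed for the demonstration.

```javascript
// Added example, not goog.html.SafeStyle code: placing a contract-compliant
// style string into each interpolation context the SafeStyle contract covers.
// All function names here are assumptions chosen for this illustration.

// Sink 1: a *quoted* HTML style attribute. The value must be HTML-attribute-
// escaped, because a SafeStyle may legitimately contain ' or " and an
// unescaped " would terminate a double-quoted attribute early.
function htmlAttributeEscape(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function styleAttribute(style) {
  return 'style="' + htmlAttributeEscape(style) + '"';
}

// Sinks 2 and 3: a {}-wrapped block in a stylesheet or a <style> element.
// Only '<' must be CSS-escaped (hex escape plus a terminating space). A value
// that honours the contract contains no '<', so this is a defensive no-op.
function cssEscapeLessThan(s) {
  return s.replace(/</g, '\\3c ');
}

function styleRule(selector, style) {
  return selector + '{' + cssEscapeLessThan(style) + '}';
}

// Sink 4: the style property of a DOM node. No escaping at all; the browser
// parses the string as CSS directly. `el` is any element-like object with a
// `style` member (a plain object is used below so this runs without a DOM).
function assignStyle(el, style) {
  el.style.cssText = style;
  return el;
}

// Constructed sample value: compliant (ends in ';', no angle brackets) but
// containing double quotes, which is exactly the case sink 1 must escape.
const SAMPLE_STYLE = 'background:url("http://url");';

function demo() {
  return {
    attribute: styleAttribute(SAMPLE_STYLE),
    rule: styleRule('.banner', SAMPLE_STYLE),
    property: assignStyle({ style: {} }, SAMPLE_STYLE).style.cssText,
  };
}
```

Running `demo()` shows the same value rendered three ways: the attribute form has `&quot;` where the raw string had `"`, the rule and property forms carry the string unchanged. Note that the contract forbids literal angle brackets, so for a compliant value `cssEscapeLessThan` never changes anything; it is applied because the contract says the sink must do it, not because the value is expected to need it.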
Values of this type must be composable, i.e. for any two values `style1` and `style2` of this type, `SafeStyle.unwrap(style1) + SafeStyle.unwrap(style2)` must itself be a value that satisfies the SafeStyle type constraint. This requirement implies that for any value `style` of this type, `SafeStyle.unwrap(style)` must not end in a "property value" or "property name" context. For example, a value of `background:url("` or `font-` would not satisfy the SafeStyle contract. This is because concatenating such strings with a second value that itself does not contain unsafe CSS can result in an overall string that does. For example, if `javascript:evil())"` is appended to `background:url("`, the resulting string may result in the execution of a malicious script.
TODO(mlourenco): Consider whether we should implement UTF-8 interchange validity checks and blacklisting of newlines (including Unicode ones) and other whitespace characters (\t, \f). Document here if so and also update SafeStyle.fromConstant().
The following example values comply with this type's contract:
- `width: 1em;`
- `height:1em;`
- `width: 1em;height: 1em;`
- `background:url('http://url');`
The following example values do NOT comply with this type's contract:
- `background: red` (missing a trailing semi-colon)
- `background:` (missing a value and a trailing semi-colon)
- `1em` (missing an attribute name, which provides context for the value)
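The composability requirement and the example lists above can be turned into a concrete check. The code below is an added example, not `SafeStyle.create` or any other Closure Library code (this page does not describe how `create` validates its input, and the checker here is a deliberately conservative approximation of the rules the page states: no literal angle brackets, and a whole number of `name:value;` declarations with non-empty name and value). The names `parseDeclarations`, `isSafeStyleCompliant` and `concatenationIsCompliant` are assumptions for illustration; the inputs are the page's own example values.

```javascript
// Added example, not goog.html.SafeStyle code: a checker that encodes the
// SafeStyle contract as stated on this page. Function names are assumptions.

// One declaration: optional whitespace, a property name, ':', a value that
// starts with a non-space character and may contain quoted strings (so a ';'
// or quote inside url('...') does not end it), optional whitespace, then ';'.
// The trailing ';' is what guarantees a value never ends in a property-name
// or property-value context, which is what makes values composable.
const DECLARATION =
  /^\s*([A-Za-z-]+)\s*:\s*((?:[^;'"\s]|'[^']*'|"[^"]*")(?:[^;'"]|'[^']*'|"[^"]*")*?)\s*;/;

// Returns the list of {name, value} declarations, or null if any part of the
// string is not a complete declaration. The empty string is zero declarations
// (the default instance the page describes).
function parseDeclarations(s) {
  const out = [];
  let rest = s;
  while (rest.trim().length > 0) {
    const m = DECLARATION.exec(rest);
    if (!m) return null;               // e.g. "background: red" (no ';'),
    out.push({ name: m[1], value: m[2] }); // "font-", or 'background:url("'
    rest = rest.slice(m[0].length);
  }
  return out;
}

function isSafeStyleCompliant(s) {
  if (/[<>]/.test(s)) return false;    // rule: no literal angle brackets
  return parseDeclarations(s) !== null;
}

// Composability as the page defines it: two compliant values concatenated
// must again be compliant. With the trailing-';' rule this holds by
// construction; the function makes the property explicit and checkable.
function concatenationIsCompliant(a, b) {
  return isSafeStyleCompliant(a) && isSafeStyleCompliant(b) &&
         isSafeStyleCompliant(a + b);
}

// The page's example values, compliant and non-compliant.
const COMPLIANT = [
  'width: 1em;',
  'height:1em;',
  'width: 1em;height: 1em;',
  "background:url('http://url');",
];
const NON_COMPLIANT = [
  'background: red',   // missing trailing semi-colon
  'background:',       // missing value and semi-colon
  '1em',               // missing property name
  'background:url("',  // ends in a property-value context
  'font-',             // ends in a property-name context
  "font: 'foo <style/><script>evil</script>'", // literal angle brackets
];

function checkExamples() {
  return {
    compliant: COMPLIANT.map(isSafeStyleCompliant),
    nonCompliant: NON_COMPLIANT.map(isSafeStyleCompliant),
  };
}
```

`checkExamples()` returns all `true` for the first list and all `false` for the second. The interesting case is `background:url("`: a second string that is harmless on its own can complete the `url(` and change the meaning of the whole, which is why the contract is defined on the concatenation and not only on each piece.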
Constructor: `new SafeStyle(arg0, arg1)`