
goog.html.SafeStyleSheet

Module ID
All Implemented Interfaces

A string-like object which represents a CSS style sheet and that carries the security type contract that its value, as a string, will not cause untrusted script execution (XSS) when evaluated as CSS in a browser.

Instances of this type must be created via the factory method SafeStyleSheet.fromConstant and not by invoking its constructor. The constructor intentionally takes an extra parameter that cannot be constructed outside of this file and the type is immutable; hence only a default instance corresponding to the empty string can be obtained via constructor invocation.

A SafeStyleSheet's string representation can safely be interpolated as the content of a style element within HTML. The SafeStyleSheet string should not be escaped before interpolation.

Values of this type must be composable, i.e. for any two values styleSheet1 and styleSheet2 of this type, SafeStyleSheet.unwrap(styleSheet1) + SafeStyleSheet.unwrap(styleSheet2) must itself be a value that satisfies the SafeStyleSheet type constraint. This requirement implies that for any value styleSheet of this type, SafeStyleSheet.unwrap(styleSheet) must end in "beginning of rule" context (no unterminated string, comment, or block).

A SafeStyleSheet can be constructed via security-reviewed unchecked conversions. In this case producers of SafeStyleSheet must ensure themselves that the SafeStyleSheet does not contain unsafe script. Note in particular that < is dangerous, even when inside CSS strings, and so should always be forbidden or CSS-escaped in user controlled input. For example, if </style><script>evil</script>" were interpolated inside a CSS string (the trailing " closes that string), it would break out of the context of the original style element and evil would execute. Also note that within an HTML style (raw text) element, HTML character references, such as &lt;, are not decoded and therefore cannot be used as an escape. See http://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements (similar considerations apply to the style element).
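The following is an added example, not Closure Library code: a minimal model of the contract a producer of an unchecked conversion must uphold (no < anywhere, and the sheet ends in "beginning of rule" context so that concatenation stays safe), together with a CSS string escape for user-controlled values. All function names are hypothetical.

```javascript
// Added example; not goog.html.SafeStyleSheet itself. Names are hypothetical.

// CSS-escape a user-controlled value for use inside a CSS string literal.
// Everything outside a conservative allow-list becomes a hex escape with a
// trailing space, so '<', '"', '\\' or a newline can never end the string
// or the enclosing <style> element.
function cssEscapeString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,.\-_:%#]/gu,
      (ch) => '\\' + ch.codePointAt(0).toString(16) + ' ');
}

// True when the sheet ends in "beginning of rule" context: no open string,
// no open comment, balanced braces, and the last significant char is '}'.
function endsInBeginningOfRuleContext(sheet) {
  let depth = 0, quote = null, last = null;
  for (let i = 0; i < sheet.length; i++) {
    const ch = sheet[i];
    if (quote) {                          // inside a CSS string literal
      if (ch === '\\') i++;               // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '/' && sheet[i + 1] === '*') {   // skip a /* comment */
      const end = sheet.indexOf('*/', i + 2);
      if (end < 0) return false;          // unterminated comment
      i = end + 1;
      continue;
    }
    if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '{') depth++;
    else if (ch === '}' && --depth < 0) return false;
    if (!/\s/.test(ch)) last = ch;
  }
  return quote === null && depth === 0 && (last === null || last === '}');
}

// The producer-side check described above: '<' is rejected even inside CSS
// strings, because it can close the raw-text <style> element.
function satisfiesStyleSheetContract(sheet) {
  if (sheet.includes('<')) return false;
  return endsInBeginningOfRuleContext(sheet);
}

// Composability: two values satisfying the contract concatenate to a third.
function concatStyleSheets(a, b) {
  if (!satisfiesStyleSheetContract(a) || !satisfiesStyleSheetContract(b)) {
    throw new Error('operand does not satisfy the SafeStyleSheet contract');
  }
  return a + b;
}
```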

new SafeStyleSheet( arg0, arg1 )

Parameters
arg0: string
arg1: Object
See Also

SafeStyleSheet#fromConstant

Instance Methods

Instance Properties

Exported Functions