gwt /
d59523d4003d61789b0d8ae43919f9c96ccc7c20
Adding convenience methods to SafeStylesUtils and SafeStylesBuilder for style properties supported by Style. For most properties, the name is defined in SafeStylesUtils, and the value comes from an enum in Style or a primitive type, so we know that the combination of the name and value produces a string that satisfies the constraints of SafeStyles.
For properties that take open-ended strings, such as "background-image" and "color", the method is prefixed with "Trusted" and JavaDoc'd, putting the burden on the user to ensure that the value is a trusted value. For example, SafeStylesUtils#forTrustedColor() and SafeStylesBuilder#appendTrustedColor(). It would be very difficult to guarantee that a string is safe. Unlike HTML, where you can escape the brackets, style attribute XSS vulnerabilities are subtle, especially in older versions of IE where the "expression()" CSS value can execute arbitrary JavaScript. So, instead of trying to provide a sanitizing method, it's up to the user to ensure the string is safe. Also added the fromTrustedNameAndValue() methods, which are escape hatches for creating a SafeStyles from any trusted name and value pair.
The generic methods in SafeStyles are prefixed with "from", as in fromTrustedNameAndValue/fromTrustedString. The property-specific methods are prefixed with "for", as in forPaddingTop/forZIndex. There isn't some underlying reason for this; it just sounded better to me.
Review at http://gwt-code-reviews.appspot.com/1454808
git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@10356 8db76d5a-ed1c-0410-87a9-c151d255dfc7
17 files changed
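The commit message draws a line between methods that are safe by construction (a fixed property name plus an enum or primitive value) and the "Trusted" methods, where the caller has to establish that the string is safe before passing it in. The following is an added illustration of how a caller would honour that contract; it is not code from this commit or from the GWT project. It uses the public API names the message lists (forZIndex, forPaddingTop, appendTrustedColor, toSafeStyles) as they appear in the GWT 2.4 SafeStylesUtils/SafeStylesBuilder classes; the StyleExample class, the buildStyles method, the SAFE_COLOR allowlist and the "inherit" fallback are assumptions made for this example.

```java
import com.google.gwt.dom.client.Style.Unit;
import com.google.gwt.safecss.shared.SafeStyles;
import com.google.gwt.safecss.shared.SafeStylesBuilder;
import com.google.gwt.safecss.shared.SafeStylesUtils;
import java.util.regex.Pattern;

/**
 * Added example (not GWT code): building a SafeStyles value where the
 * property values that reach the "Trusted" methods have been checked
 * against an allowlist first.
 */
public class StyleExample {

  /**
   * Hypothetical allowlist for a colour value: a 3- or 6-digit hex
   * colour, or a plain alphabetic keyword such as "red" or "inherit".
   * Because it admits no '(', ';', '}', '/' or whitespace, it cannot
   * accept "expression(...)", "url(...)", a second declaration, or a
   * closing brace that would escape the style attribute.
   */
  private static final Pattern SAFE_COLOR =
      Pattern.compile("^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$");

  /** Returns true only for values the allowlist above accepts. */
  public static boolean isSafeColor(String value) {
    return value != null && SAFE_COLOR.matcher(value).matches();
  }

  /**
   * Builds a style block from a z-index and a colour that may come from
   * an untrusted source (e.g. a user preference).
   */
  public static SafeStyles buildStyles(int zIndex, String untrustedColor) {
    SafeStylesBuilder builder = new SafeStylesBuilder();

    // Safe by construction: the property name is fixed inside
    // SafeStylesUtils and the value is a primitive or a Style enum, so
    // no untrusted string ever reaches the CSS text.
    builder.append(SafeStylesUtils.forZIndex(zIndex));
    builder.append(SafeStylesUtils.forPaddingTop(4, Unit.PX));

    // "Trusted" method: the API does no sanitising here, so the caller
    // must only pass values it has already validated. Anything that
    // fails the allowlist is replaced by a harmless fallback.
    String color = isSafeColor(untrustedColor) ? untrustedColor : "inherit";
    builder.appendTrustedColor(color);

    return builder.toSafeStyles();
  }
}
```

The point of the allowlist, rather than an escaping routine, follows the reasoning in the commit message: there is no general escaping for CSS values that is known to be safe across old IE's expression() handling, so a caller should restrict the value to a small grammar it understands and reject everything else. With the inputs above, an attacker-supplied value such as `red;background-image:url(javascript:alert(1))` or `expression(alert(1))` never reaches appendTrustedColor.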