Inline javascript:'' within NamedFrame's internal SafeHtmlTemplate
This prevents the URI from being sanitized by the SafeHtmlTemplates
generator. This is a regression from GWT 2.4, introduced at r10801.
Fixes issue 7909
Change-Id: Ic96c36b3f98705fff8a7638c8975901c50856951
Review-Link: https://gwt-review.googlesource.com/#/c/1800/
Review by: goktug@google.com
git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@11473 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/user/src/com/google/gwt/user/client/ui/NamedFrame.java b/user/src/com/google/gwt/user/client/ui/NamedFrame.java
index 9fe635b..fb65033 100644
--- a/user/src/com/google/gwt/user/client/ui/NamedFrame.java
+++ b/user/src/com/google/gwt/user/client/ui/NamedFrame.java
@@ -38,8 +38,10 @@
interface IFrameTemplate extends SafeHtmlTemplates {
static final IFrameTemplate INSTANCE = GWT.create(IFrameTemplate.class);
- @Template("<iframe src='{0}' name='{1}'>")
- SafeHtml get(String src, String name);
+ // Setting a src prevents mixed-content warnings.
+ // http://weblogs.asp.net/bleroy/archive/2005/08/09/how-to-put-a-div-over-a-select-in-ie.aspx
+ @Template("<iframe src=\"javascript:''\" name='{0}'>")
+ SafeHtml get(String name);
}
// Used inside JSNI, so please don't delete this field just because
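Review bot: The comment carried over above the `@Template` explains why a src is set at all, but not why it is now a literal inside the template, which is the security-relevant part of this change. Per the commit message, passing the value as a `String` parameter made the SafeHtmlTemplates generator sanitize it as a URI. A later refactor that turns src back into a parameter would reintroduce the regression, and one that exempts it from sanitization would create a script-URL sink. I would add `// Keep src a literal: a String parameter in this position is URI-sanitized, and this value must never come from callers.` directly above the annotation. Judging by its URL, the linked article is about layering a div over a select in IE, so a few words on how it relates to mixed-content warnings would help the next reader.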
@@ -53,9 +55,8 @@
}
/**
- * Creates an HTML IFRAME element with a src and name.
+ * Creates an HTML IFRAME element with a name.
*
- * @param src the src of the frame
* @param name the name of the frame, which must contain at least one
* non-whitespace character and must not contain reserved HTML markup
* characters such as '<code><</code>', '<code>></code>',
@@ -63,7 +64,7 @@
* @return the newly-created element
* @throws IllegalArgumentException if the supplied name is not allowed
*/
- private static IFrameElement createIFrame(String src, String name) {
+ private static IFrameElement createIFrame(String name) {
if (name == null || !isValidName(name.trim())) {
throw new IllegalArgumentException(
"expecting one or more non-whitespace chars with no '<', '>', or '&'");
@@ -72,7 +73,7 @@
// Use innerHTML to implicitly create the <iframe>. This is necessary
// because most browsers will not respect a dynamically-set iframe name.
Element div = DOM.createDiv();
- div.setInnerSafeHtml(IFrameTemplate.INSTANCE.get(src, name));
+ div.setInnerSafeHtml(IFrameTemplate.INSTANCE.get(name));
return div.getFirstChild().cast();
}
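Review bot: The value passed to `IFrameTemplate.INSTANCE.get(name)` is the untrimmed `name`, while the guard shown in the previous hunk validates `name.trim()` and, going by its error message, rejects only '<', '>' and '&'. Quote characters in the single-quoted `name='{0}'` attribute are therefore handled only by the template's own attribute escaping, which is not documented at this call site. A comment such as `// name is HTML-escaped by the template; isValidName only rejects markup characters` would make that dependency explicit. The lines between the guard and this call are outside the hunk, so this assumes `name` is not reassigned there.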
@@ -101,9 +102,7 @@
*/
@UiConstructor
public NamedFrame(String name) {
- // Setting a src prevents mixed-content warnings.
- // http://weblogs.asp.net/bleroy/archive/2005/08/09/how-to-put-a-div-over-a-select-in-ie.aspx
- super(createIFrame("javascript:''", name));
+ super(createIFrame(name));
setStyleName(DEFAULT_STYLENAME);
}
diff --git a/user/test/com/google/gwt/user/client/ui/NamedFrameTest.java b/user/test/com/google/gwt/user/client/ui/NamedFrameTest.java
index d25665c..ff54a362 100644
--- a/user/test/com/google/gwt/user/client/ui/NamedFrameTest.java
+++ b/user/test/com/google/gwt/user/client/ui/NamedFrameTest.java
@@ -76,4 +76,8 @@
// Success
}
}
+
+ public void testDefaultSrc() {
+ assertEquals("javascript:''", new NamedFrame("defaultSrc").getUrl());
+ }
}
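Review bot: testDefaultSrc pins the src but not the name, even though this commit renumbers the template placeholder from `{1}` to `{0}` and drops a parameter from `get`. Holding the instance in a local, `NamedFrame frame = new NamedFrame("defaultSrc");`, and adding `assertEquals("defaultSrc", frame.getName());` next to the existing `getUrl()` assertion would catch a placeholder mix-up in the same test. A short comment naming issue 7909 would also record why the literal `javascript:''` is asserted here.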