| // Copyright 2013 The Closure Library Authors. All Rights Reserved. |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS-IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| |
| /** |
| * @fileoverview The SafeHtml type and its builders. |
| * |
| * TODO(user): Link to document stating type contract. |
| */ |
| |
| goog.provide('goog.html.SafeHtml'); |
| |
| goog.require('goog.array'); |
| goog.require('goog.asserts'); |
| goog.require('goog.dom.tags'); |
| goog.require('goog.html.SafeStyle'); |
| goog.require('goog.html.SafeStyleSheet'); |
| goog.require('goog.html.SafeUrl'); |
| goog.require('goog.html.TrustedResourceUrl'); |
| goog.require('goog.i18n.bidi.Dir'); |
| goog.require('goog.i18n.bidi.DirectionalString'); |
| goog.require('goog.object'); |
| goog.require('goog.string'); |
| goog.require('goog.string.Const'); |
| goog.require('goog.string.TypedString'); |
| |
| |
| |
| /** |
| * A string that is safe to use in HTML context in DOM APIs and HTML documents. |
| * |
| * A SafeHtml is a string-like object that carries the security type contract |
| * that its value as a string will not cause untrusted script execution when |
| * evaluated as HTML in a browser. |
| * |
| * Values of this type are guaranteed to be safe to use in HTML contexts, |
| * such as, assignment to the innerHTML DOM property, or interpolation into |
| * a HTML template in HTML PC_DATA context, in the sense that the use will not |
| * result in a Cross-Site-Scripting vulnerability. |
| * |
| * Instances of this type must be created via the factory methods |
| * ({@code goog.html.SafeHtml.create}, {@code goog.html.SafeHtml.htmlEscape}), |
| * etc and not by invoking its constructor. The constructor intentionally |
| * takes no parameters and the type is immutable; hence only a default instance |
| * corresponding to the empty string can be obtained via constructor invocation. |
| * |
| * @see goog.html.SafeHtml#create |
| * @see goog.html.SafeHtml#htmlEscape |
| * @constructor |
| * @final |
| * @struct |
| * @implements {goog.i18n.bidi.DirectionalString} |
| * @implements {goog.string.TypedString} |
| */ |
| goog.html.SafeHtml = function() { |
| /** |
| * The contained value of this SafeHtml. The field has a purposely ugly |
| * name to make (non-compiled) code that attempts to directly access this |
| * field stand out. |
| * @private {string} |
| */ |
| this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ = ''; |
| |
| /** |
| * A type marker used to implement additional run-time type checking. |
| * @see goog.html.SafeHtml#unwrap |
| * @const |
| * @private |
| */ |
| this.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = |
| goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_; |
| |
| /** |
| * This SafeHtml's directionality, or null if unknown. |
| * @private {?goog.i18n.bidi.Dir} |
| */ |
| this.dir_ = null; |
| }; |
| |
| |
| /** |
| * @override |
| * @const |
| */ |
| goog.html.SafeHtml.prototype.implementsGoogI18nBidiDirectionalString = true; |
| |
| |
| /** @override */ |
| goog.html.SafeHtml.prototype.getDirection = function() { |
| return this.dir_; |
| }; |
| |
| |
| /** |
| * @override |
| * @const |
| */ |
| goog.html.SafeHtml.prototype.implementsGoogStringTypedString = true; |
| |
| |
| /** |
| * Returns this SafeHtml's value a string. |
| * |
| * IMPORTANT: In code where it is security relevant that an object's type is |
| * indeed {@code SafeHtml}, use {@code goog.html.SafeHtml.unwrap} instead of |
| * this method. If in doubt, assume that it's security relevant. In particular, |
| * note that goog.html functions which return a goog.html type do not guarantee |
| * that the returned instance is of the right type. For example: |
| * |
| * <pre> |
| * var fakeSafeHtml = new String('fake'); |
| * fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype; |
| * var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml); |
| * // newSafeHtml is just an alias for fakeSafeHtml, it's passed through by |
| * // goog.html.SafeHtml.htmlEscape() as fakeSafeHtml |
| * // instanceof goog.html.SafeHtml. |
| * </pre> |
| * |
| * @see goog.html.SafeHtml#unwrap |
| * @override |
| */ |
| goog.html.SafeHtml.prototype.getTypedStringValue = function() { |
| return this.privateDoNotAccessOrElseSafeHtmlWrappedValue_; |
| }; |
| |
| |
| if (goog.DEBUG) { |
| /** |
| * Returns a debug string-representation of this value. |
| * |
| * To obtain the actual string value wrapped in a SafeHtml, use |
| * {@code goog.html.SafeHtml.unwrap}. |
| * |
| * @see goog.html.SafeHtml#unwrap |
| * @override |
| */ |
| goog.html.SafeHtml.prototype.toString = function() { |
| return 'SafeHtml{' + this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ + |
| '}'; |
| }; |
| } |
| |
| |
| /** |
| * Performs a runtime check that the provided object is indeed a SafeHtml |
| * object, and returns its value. |
| * @param {!goog.html.SafeHtml} safeHtml The object to extract from. |
| * @return {string} The SafeHtml object's contained string, unless the run-time |
| * type check fails. In that case, {@code unwrap} returns an innocuous |
| * string, or, if assertions are enabled, throws |
| * {@code goog.asserts.AssertionError}. |
| */ |
| goog.html.SafeHtml.unwrap = function(safeHtml) { |
| // Perform additional run-time type-checking to ensure that safeHtml is indeed |
| // an instance of the expected type. This provides some additional protection |
| // against security bugs due to application code that disables type checks. |
| // Specifically, the following checks are performed: |
| // 1. The object is an instance of the expected type. |
| // 2. The object is not an instance of a subclass. |
| // 3. The object carries a type marker for the expected type. "Faking" an |
| // object requires a reference to the type marker, which has names intended |
| // to stand out in code reviews. |
| if (safeHtml instanceof goog.html.SafeHtml && |
| safeHtml.constructor === goog.html.SafeHtml && |
| safeHtml.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ === |
| goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_) { |
| return safeHtml.privateDoNotAccessOrElseSafeHtmlWrappedValue_; |
| } else { |
| goog.asserts.fail('expected object of type SafeHtml, got \'' + |
| safeHtml + '\''); |
| return 'type_error:SafeHtml'; |
| } |
| }; |
| |
| |
| /** |
| * Shorthand for union of types that can sensibly be converted to strings |
| * or might already be SafeHtml (as SafeHtml is a goog.string.TypedString). |
| * @private |
| * @typedef {string|number|boolean|!goog.string.TypedString| |
| * !goog.i18n.bidi.DirectionalString} |
| */ |
| goog.html.SafeHtml.TextOrHtml_; |
| |
| |
| /** |
| * Returns HTML-escaped text as a SafeHtml object. |
| * |
| * If text is of a type that implements |
| * {@code goog.i18n.bidi.DirectionalString}, the directionality of the new |
| * {@code SafeHtml} object is set to {@code text}'s directionality, if known. |
| * Otherwise, the directionality of the resulting SafeHtml is unknown (i.e., |
| * {@code null}). |
| * |
| * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If |
| * the parameter is of type SafeHtml it is returned directly (no escaping |
| * is done). |
| * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml. |
| */ |
| goog.html.SafeHtml.htmlEscape = function(textOrHtml) { |
| if (textOrHtml instanceof goog.html.SafeHtml) { |
| return textOrHtml; |
| } |
| var dir = null; |
| if (textOrHtml.implementsGoogI18nBidiDirectionalString) { |
| dir = textOrHtml.getDirection(); |
| } |
| var textAsString; |
| if (textOrHtml.implementsGoogStringTypedString) { |
| textAsString = textOrHtml.getTypedStringValue(); |
| } else { |
| textAsString = String(textOrHtml); |
| } |
| return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse( |
| goog.string.htmlEscape(textAsString), dir); |
| }; |
| |
| |
| /** |
| * Returns HTML-escaped text as a SafeHtml object, with newlines changed to |
| * <br>. |
| * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If |
| * the parameter is of type SafeHtml it is returned directly (no escaping |
| * is done). |
| * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml. |
| */ |
| goog.html.SafeHtml.htmlEscapePreservingNewlines = function(textOrHtml) { |
| if (textOrHtml instanceof goog.html.SafeHtml) { |
| return textOrHtml; |
| } |
| var html = goog.html.SafeHtml.htmlEscape(textOrHtml); |
| return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse( |
| goog.string.newLineToBr(goog.html.SafeHtml.unwrap(html)), |
| html.getDirection()); |
| }; |
| |
| |
| /** |
| * Returns HTML-escaped text as a SafeHtml object, with newlines changed to |
| * <br> and escaping whitespace to preserve spatial formatting. Character |
| * entity #160 is used to make it safer for XML. |
| * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If |
| * the parameter is of type SafeHtml it is returned directly (no escaping |
| * is done). |
| * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml. |
| */ |
| goog.html.SafeHtml.htmlEscapePreservingNewlinesAndSpaces = function( |
| textOrHtml) { |
| if (textOrHtml instanceof goog.html.SafeHtml) { |
| return textOrHtml; |
| } |
| var html = goog.html.SafeHtml.htmlEscape(textOrHtml); |
| return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse( |
| goog.string.whitespaceEscape(goog.html.SafeHtml.unwrap(html)), |
| html.getDirection()); |
| }; |
| |
| |
| /** |
| * Coerces an arbitrary object into a SafeHtml object. |
| * |
| * If {@code textOrHtml} is already of type {@code goog.html.SafeHtml}, the same |
| * object is returned. Otherwise, {@code textOrHtml} is coerced to string, and |
| * HTML-escaped. If {@code textOrHtml} is of a type that implements |
| * {@code goog.i18n.bidi.DirectionalString}, its directionality, if known, is |
| * preserved. |
| * |
| * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text or SafeHtml to |
| * coerce. |
| * @return {!goog.html.SafeHtml} The resulting SafeHtml object. |
| * @deprecated Use goog.html.SafeHtml.htmlEscape. |
| */ |
| goog.html.SafeHtml.from = goog.html.SafeHtml.htmlEscape; |
| |
| |
| /** |
| * @const |
| * @private |
| */ |
| goog.html.SafeHtml.VALID_NAMES_IN_TAG_ = /^[a-zA-Z0-9-]+$/; |
| |
| |
| /** |
| * Set of attributes containing URL as defined at |
| * http://www.w3.org/TR/html5/index.html#attributes-1. |
| * @private @const {!Object<string,boolean>} |
| */ |
| goog.html.SafeHtml.URL_ATTRIBUTES_ = goog.object.createSet('action', 'cite', |
| 'data', 'formaction', 'href', 'manifest', 'poster', 'src'); |
| |
| |
| /** |
| * Tags which are unsupported via create(). They might be supported via a |
| * tag-specific create method. These are tags which might require a |
| * TrustedResourceUrl in one of their attributes or a restricted type for |
| * their content. |
| * @private @const {!Object<string,boolean>} |
| */ |
| goog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_ = goog.object.createSet( |
| 'embed', 'iframe', 'link', 'object', 'script', 'style', 'template'); |
| |
| |
| /** |
| * @typedef {string|number|goog.string.TypedString| |
| * goog.html.SafeStyle.PropertyMap} |
| * @private |
| */ |
| goog.html.SafeHtml.AttributeValue_; |
| |
| |
| /** |
| * Creates a SafeHtml content consisting of a tag with optional attributes and |
| * optional content. |
| * |
| * For convenience tag names and attribute names are accepted as regular |
| * strings, instead of goog.string.Const. Nevertheless, you should not pass |
| * user-controlled values to these parameters. Note that these parameters are |
| * syntactically validated at runtime, and invalid values will result in |
| * an exception. |
| * |
| * Example usage: |
| * |
| * goog.html.SafeHtml.create('br'); |
| * goog.html.SafeHtml.create('div', {'class': 'a'}); |
| * goog.html.SafeHtml.create('p', {}, 'a'); |
| * goog.html.SafeHtml.create('p', {}, goog.html.SafeHtml.create('br')); |
| * |
| * goog.html.SafeHtml.create('span', { |
| * 'style': {'margin': '0'} |
| * }); |
| * |
| * To guarantee SafeHtml's type contract is upheld there are restrictions on |
| * attribute values and tag names. |
| * |
| * - For attributes which contain script code (on*), a goog.string.Const is |
| * required. |
| * - For attributes which contain style (style), a goog.html.SafeStyle or a |
| * goog.html.SafeStyle.PropertyMap is required. |
| * - For attributes which are interpreted as URLs (e.g. src, href) a |
| * goog.html.SafeUrl or goog.string.Const is required. |
| * - For tags which can load code, more specific goog.html.SafeHtml.create*() |
| * functions must be used. Tags which can load code and are not supported by |
| * this function are embed, iframe, link, object, script, style, and template. |
| * |
| * @param {string} tagName The name of the tag. Only tag names consisting of |
| * [a-zA-Z0-9-] are allowed. Tag names documented above are disallowed. |
| * @param {!Object<string, goog.html.SafeHtml.AttributeValue_>=} |
| * opt_attributes Mapping from attribute names to their values. Only |
| * attribute names consisting of [a-zA-Z0-9-] are allowed. Value of null or |
| * undefined causes the attribute to be omitted. |
| * @param {!goog.html.SafeHtml.TextOrHtml_| |
| * !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content Content to |
| * HTML-escape and put inside the tag. This must be empty for void tags |
| * like <br>. Array elements are concatenated. |
| * @return {!goog.html.SafeHtml} The SafeHtml content with the tag. |
| * @throws {Error} If invalid tag name, attribute name, or attribute value is |
| * provided. |
| * @throws {goog.asserts.AssertionError} If content for void tag is provided. |
| */ |
| goog.html.SafeHtml.create = function(tagName, opt_attributes, opt_content) { |
| if (!goog.html.SafeHtml.VALID_NAMES_IN_TAG_.test(tagName)) { |
| throw Error('Invalid tag name <' + tagName + '>.'); |
| } |
| if (tagName.toLowerCase() in goog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_) { |
| throw Error('Tag name <' + tagName + '> is not allowed for SafeHtml.'); |
| } |
| return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse( |
| tagName, opt_attributes, opt_content); |
| }; |
| |
| |
| /** |
| * Creates a SafeHtml representing an iframe tag. |
| * |
| * By default the sandbox attribute is set to an empty value, which is the most |
| * secure option, as it confers the iframe the least privileges. If this |
| * is too restrictive then granting individual privileges is the preferable |
| * option. Unsetting the attribute entirely is the least secure option and |
| * should never be done unless it's stricly necessary. |
| * |
| * @param {goog.html.TrustedResourceUrl=} opt_src The value of the src |
| * attribute. If null or undefined src will not be set. |
| * @param {goog.html.SafeHtml=} opt_srcdoc The value of the srcdoc attribute. |
| * If null or undefined srcdoc will not be set. |
| * @param {!Object<string, goog.html.SafeHtml.AttributeValue_>=} |
| * opt_attributes Mapping from attribute names to their values. Only |
| * attribute names consisting of [a-zA-Z0-9-] are allowed. Value of null or |
| * undefined causes the attribute to be omitted. |
| * @param {!goog.html.SafeHtml.TextOrHtml_| |
| * !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content Content to |
| * HTML-escape and put inside the tag. Array elements are concatenated. |
| * @return {!goog.html.SafeHtml} The SafeHtml content with the tag. |
| * @throws {Error} If invalid tag name, attribute name, or attribute value is |
| * provided. If opt_attributes contains the src or srcdoc attributes. |
| */ |
| goog.html.SafeHtml.createIframe = function( |
| opt_src, opt_srcdoc, opt_attributes, opt_content) { |
| var fixedAttributes = {}; |
| fixedAttributes['src'] = opt_src || null; |
| fixedAttributes['srcdoc'] = opt_srcdoc || null; |
| var defaultAttributes = {'sandbox': ''}; |
| var attributes = goog.html.SafeHtml.combineAttributes( |
| fixedAttributes, defaultAttributes, opt_attributes); |
| return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse( |
| 'iframe', attributes, opt_content); |
| }; |
| |
| |
| /** |
| * Creates a SafeHtml representing a style tag. The type attribute is set |
| * to "text/css". |
| * @param {!goog.html.SafeStyleSheet|!Array<!goog.html.SafeStyleSheet>} |
| * styleSheet Content to put inside the tag. Array elements are |
| * concatenated. |
| * @param {!Object<string, goog.html.SafeHtml.AttributeValue_>=} |
| * opt_attributes Mapping from attribute names to their values. Only |
| * attribute names consisting of [a-zA-Z0-9-] are allowed. Value of null or |
| * undefined causes the attribute to be omitted. |
| * @return {!goog.html.SafeHtml} The SafeHtml content with the tag. |
| * @throws {Error} If invalid attribute name or attribute value is provided. If |
| * opt_attributes contains the type attribute. |
| */ |
| goog.html.SafeHtml.createStyle = function(styleSheet, opt_attributes) { |
| var fixedAttributes = {'type': 'text/css'}; |
| var defaultAttributes = {}; |
| var attributes = goog.html.SafeHtml.combineAttributes( |
| fixedAttributes, defaultAttributes, opt_attributes); |
| |
| var content = ''; |
| styleSheet = goog.array.concat(styleSheet); |
| for (var i = 0; i < styleSheet.length; i++) { |
| content += goog.html.SafeStyleSheet.unwrap(styleSheet[i]); |
| } |
| // Convert to SafeHtml so that it's not HTML-escaped. |
| var htmlContent = goog.html.SafeHtml |
| .createSafeHtmlSecurityPrivateDoNotAccessOrElse( |
| content, goog.i18n.bidi.Dir.NEUTRAL); |
| return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse( |
| 'style', attributes, htmlContent); |
| }; |
| |
| |
| /** |
| * @param {string} tagName The tag name. |
| * @param {string} name The attribute name. |
| * @param {!goog.html.SafeHtml.AttributeValue_} value The attribute value. |
| * @return {string} A "name=value" string. |
| * @throws {Error} If attribute value is unsafe for the given tag and attribute. |
| * @private |
| */ |
| goog.html.SafeHtml.getAttrNameAndValue_ = function(tagName, name, value) { |
| // If it's goog.string.Const, allow any valid attribute name. |
| if (value instanceof goog.string.Const) { |
| value = goog.string.Const.unwrap(value); |
| } else if (name.toLowerCase() == 'style') { |
| value = goog.html.SafeHtml.getStyleValue_(value); |
| } else if (/^on/i.test(name)) { |
| // TODO(jakubvrana): Disallow more attributes with a special meaning. |
| throw Error('Attribute "' + name + |
| '" requires goog.string.Const value, "' + value + '" given.'); |
| // URL attributes handled differently accroding to tag. |
| } else if (name.toLowerCase() in goog.html.SafeHtml.URL_ATTRIBUTES_) { |
| if (value instanceof goog.html.TrustedResourceUrl) { |
| value = goog.html.TrustedResourceUrl.unwrap(value); |
| } else if (value instanceof goog.html.SafeUrl) { |
| value = goog.html.SafeUrl.unwrap(value); |
| } else { |
| // TODO(user): Allow strings and sanitize them automatically, |
| // so that it's consistent with accepting a map directly for "style". |
| throw Error('Attribute "' + name + '" on tag "' + tagName + |
| '" requires goog.html.SafeUrl or goog.string.Const value, "' + |
| value + '" given.'); |
| } |
| } |
| |
| // Accept SafeUrl, TrustedResourceUrl, etc. for attributes which only require |
| // HTML-escaping. |
| if (value.implementsGoogStringTypedString) { |
| // Ok to call getTypedStringValue() since there's no reliance on the type |
| // contract for security here. |
| value = value.getTypedStringValue(); |
| } |
| |
| goog.asserts.assert(goog.isString(value) || goog.isNumber(value), |
| 'String or number value expected, got ' + |
| (typeof value) + ' with value: ' + value); |
| return name + '="' + goog.string.htmlEscape(String(value)) + '"'; |
| }; |
| |
| |
| /** |
| * Gets value allowed in "style" attribute. |
| * @param {goog.html.SafeHtml.AttributeValue_} value It could be SafeStyle or a |
| * map which will be passed to goog.html.SafeStyle.create. |
| * @return {string} Unwrapped value. |
| * @throws {Error} If string value is given. |
| * @private |
| */ |
| goog.html.SafeHtml.getStyleValue_ = function(value) { |
| if (!goog.isObject(value)) { |
| throw Error('The "style" attribute requires goog.html.SafeStyle or map ' + |
| 'of style properties, ' + (typeof value) + ' given: ' + value); |
| } |
| if (!(value instanceof goog.html.SafeStyle)) { |
| // Process the property bag into a style object. |
| value = goog.html.SafeStyle.create(value); |
| } |
| return goog.html.SafeStyle.unwrap(value); |
| }; |
| |
| |
| /** |
| * Creates a SafeHtml content with known directionality consisting of a tag with |
| * optional attributes and optional content. |
| * @param {!goog.i18n.bidi.Dir} dir Directionality. |
| * @param {string} tagName |
| * @param {!Object<string, goog.html.SafeHtml.AttributeValue_>=} opt_attributes |
| * @param {!goog.html.SafeHtml.TextOrHtml_| |
| * !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content |
| * @return {!goog.html.SafeHtml} The SafeHtml content with the tag. |
| */ |
| goog.html.SafeHtml.createWithDir = function(dir, tagName, opt_attributes, |
| opt_content) { |
| var html = goog.html.SafeHtml.create(tagName, opt_attributes, opt_content); |
| html.dir_ = dir; |
| return html; |
| }; |
| |
| |
| /** |
| * Creates a new SafeHtml object by concatenating values. |
| * @param {...(!goog.html.SafeHtml.TextOrHtml_| |
| * !Array<!goog.html.SafeHtml.TextOrHtml_>)} var_args Values to concatenate. |
| * @return {!goog.html.SafeHtml} |
| */ |
| goog.html.SafeHtml.concat = function(var_args) { |
| var dir = goog.i18n.bidi.Dir.NEUTRAL; |
| var content = ''; |
| |
| /** |
| * @param {!goog.html.SafeHtml.TextOrHtml_| |
| * !Array<!goog.html.SafeHtml.TextOrHtml_>} argument |
| */ |
| var addArgument = function(argument) { |
| if (goog.isArray(argument)) { |
| goog.array.forEach(argument, addArgument); |
| } else { |
| var html = goog.html.SafeHtml.htmlEscape(argument); |
| content += goog.html.SafeHtml.unwrap(html); |
| var htmlDir = html.getDirection(); |
| if (dir == goog.i18n.bidi.Dir.NEUTRAL) { |
| dir = htmlDir; |
| } else if (htmlDir != goog.i18n.bidi.Dir.NEUTRAL && dir != htmlDir) { |
| dir = null; |
| } |
| } |
| }; |
| |
| goog.array.forEach(arguments, addArgument); |
| return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse( |
| content, dir); |
| }; |
| |
| |
| /** |
| * Creates a new SafeHtml object with known directionality by concatenating the |
| * values. |
| * @param {!goog.i18n.bidi.Dir} dir Directionality. |
| * @param {...(!goog.html.SafeHtml.TextOrHtml_| |
| * !Array<!goog.html.SafeHtml.TextOrHtml_>)} var_args Elements of array |
| * arguments would be processed recursively. |
| * @return {!goog.html.SafeHtml} |
| */ |
| goog.html.SafeHtml.concatWithDir = function(dir, var_args) { |
| var html = goog.html.SafeHtml.concat(goog.array.slice(arguments, 1)); |
| html.dir_ = dir; |
| return html; |
| }; |
| |
| |
| /** |
| * Type marker for the SafeHtml type, used to implement additional run-time |
| * type checking. |
| * @const |
| * @private |
| */ |
| goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = {}; |
| |
| |
| /** |
| * Package-internal utility method to create SafeHtml instances. |
| * |
| * @param {string} html The string to initialize the SafeHtml object with. |
| * @param {?goog.i18n.bidi.Dir} dir The directionality of the SafeHtml to be |
| * constructed, or null if unknown. |
| * @return {!goog.html.SafeHtml} The initialized SafeHtml object. |
| * @package |
| */ |
| goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse = function( |
| html, dir) { |
| return new goog.html.SafeHtml().initSecurityPrivateDoNotAccessOrElse_( |
| html, dir); |
| }; |
| |
| |
| /** |
| * Called from createSafeHtmlSecurityPrivateDoNotAccessOrElse(). This |
| * method exists only so that the compiler can dead code eliminate static |
| * fields (like EMPTY) when they're not accessed. |
| * @param {string} html |
| * @param {?goog.i18n.bidi.Dir} dir |
| * @return {!goog.html.SafeHtml} |
| * @private |
| */ |
| goog.html.SafeHtml.prototype.initSecurityPrivateDoNotAccessOrElse_ = function( |
| html, dir) { |
| this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ = html; |
| this.dir_ = dir; |
| return this; |
| }; |
| |
| |
| /** |
| * Like create() but does not restrict which tags can be constructed. |
| * |
| * @param {string} tagName Tag name. Set or validated by caller. |
| * @param {!Object<string, goog.html.SafeHtml.AttributeValue_>=} opt_attributes |
| * @param {(!goog.html.SafeHtml.TextOrHtml_| |
| * !Array<!goog.html.SafeHtml.TextOrHtml_>)=} opt_content |
| * @return {!goog.html.SafeHtml} |
| * @throws {Error} If invalid or unsafe attribute name or value is provided. |
| * @throws {goog.asserts.AssertionError} If content for void tag is provided. |
| * @package |
| */ |
| goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse = |
| function(tagName, opt_attributes, opt_content) { |
| var dir = null; |
| var result = '<' + tagName; |
| |
| if (opt_attributes) { |
| for (var name in opt_attributes) { |
| if (!goog.html.SafeHtml.VALID_NAMES_IN_TAG_.test(name)) { |
| throw Error('Invalid attribute name "' + name + '".'); |
| } |
| var value = opt_attributes[name]; |
| if (!goog.isDefAndNotNull(value)) { |
| continue; |
| } |
| result += ' ' + |
| goog.html.SafeHtml.getAttrNameAndValue_(tagName, name, value); |
| } |
| } |
| |
| var content = opt_content; |
| if (!goog.isDef(content)) { |
| content = []; |
| } else if (!goog.isArray(content)) { |
| content = [content]; |
| } |
| |
| if (goog.dom.tags.isVoidTag(tagName.toLowerCase())) { |
| goog.asserts.assert(!content.length, |
| 'Void tag <' + tagName + '> does not allow content.'); |
| result += '>'; |
| } else { |
| var html = goog.html.SafeHtml.concat(content); |
| result += '>' + goog.html.SafeHtml.unwrap(html) + '</' + tagName + '>'; |
| dir = html.getDirection(); |
| } |
| |
| var dirAttribute = opt_attributes && opt_attributes['dir']; |
| if (dirAttribute) { |
| if (/^(ltr|rtl|auto)$/i.test(dirAttribute)) { |
| // If the tag has the "dir" attribute specified then its direction is |
| // neutral because it can be safely used in any context. |
| dir = goog.i18n.bidi.Dir.NEUTRAL; |
| } else { |
| dir = null; |
| } |
| } |
| |
| return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse( |
| result, dir); |
| }; |
| |
| |
| /** |
| * @param {!Object<string, string>} fixedAttributes |
| * @param {!Object<string, string>} defaultAttributes |
| * @param {!Object<string, goog.html.SafeHtml.AttributeValue_>=} |
| * opt_attributes Optional attributes passed to create*(). |
| * @return {!Object<string, goog.html.SafeHtml.AttributeValue_>} |
| * @throws {Error} If opt_attributes contains an attribute with the same name |
| * as an attribute in fixedAttributes. |
| * @package |
| */ |
| goog.html.SafeHtml.combineAttributes = function( |
| fixedAttributes, defaultAttributes, opt_attributes) { |
| var combinedAttributes = {}; |
| var name; |
| |
| for (name in fixedAttributes) { |
| goog.asserts.assert(name.toLowerCase() == name, 'Must be lower case'); |
| combinedAttributes[name] = fixedAttributes[name]; |
| } |
| for (name in defaultAttributes) { |
| goog.asserts.assert(name.toLowerCase() == name, 'Must be lower case'); |
| combinedAttributes[name] = defaultAttributes[name]; |
| } |
| |
| for (name in opt_attributes) { |
| var nameLower = name.toLowerCase(); |
| if (nameLower in fixedAttributes) { |
| throw Error('Cannot override "' + nameLower + '" attribute, got "' + |
| name + '" with value "' + opt_attributes[name] + '"'); |
| } |
| if (nameLower in defaultAttributes) { |
| delete combinedAttributes[nameLower]; |
| } |
| combinedAttributes[name] = opt_attributes[name]; |
| } |
| |
| return combinedAttributes; |
| }; |
| |
| |
| /** |
| * A SafeHtml instance corresponding to the empty string. |
| * @const {!goog.html.SafeHtml} |
| */ |
| goog.html.SafeHtml.EMPTY = |
| goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse( |
| '', goog.i18n.bidi.Dir.NEUTRAL); |