@Immutable @JsType public final class SafeScript extends Object
The string value of a SafeScript (obtained via getSafeScriptString()) can safely be interpolated as the content of a script element within HTML. The SafeScript string should not be escaped before interpolation.
Note that the SafeScript might contain text that is attacker-controlled, but that text should have been interpolated with appropriate escaping, sanitization and/or validation into the right location in the script, such that it is highly constrained in its effect (for example, it had to match a set of whitelisted words).
A SafeScript can be constructed via security-reviewed unchecked conversions. In this case producers of SafeScript must ensure themselves that the SafeScript does not contain unsafe script. Note in particular that `<` is dangerous, even when inside JavaScript strings, and so should always be forbidden or JavaScript-escaped (for example as `\u003c`) in user-controlled input. For example, if `</script><script>evil</script>"` were interpolated inside a JavaScript string, it would break out of the context of the original script element and `evil` would execute: the HTML parser ends a script element at the first `</script` it encounters, and it knows nothing about JavaScript string syntax. Also note that within an HTML script (raw text) element, HTML character references such as `&lt;` are not allowed; raw text is not decoded, so `&lt;` does not neutralize `<` and the script engine would simply receive the literal characters `&lt;`. See http://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements.

Field Summary

| Modifier and Type | Field and Description |
|---|---|
| static SafeScript | EMPTY: The SafeScript wrapping an empty string. |
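The breakout described in the class description above, as an added example that is not code from the SafeScript library or its project: it shows, in JavaScript, why `<` must be JavaScript-escaped rather than HTML-escaped before attacker-controlled text is placed in a JavaScript string inside a script element, and checks each variant against the HTML parser's rule for ending a script element. The function names and the attacker string are my own assumptions.

```javascript
// Added example (not part of the SafeScript library): escaping rules for
// interpolating attacker-controlled text into a JavaScript string literal that
// will be embedded in an HTML <script> element. Function names are assumed.

// Produce a JavaScript string literal for `text`. JSON.stringify escapes
// quotes, backslashes and control characters; the extra replacements cover
// characters JSON.stringify leaves alone but that matter inside <script>:
//   < > &      so the HTML parser can never see "</script" or "<!--"
//   U+2028/29  line terminators that older engines reject in string literals
function jsStringLiteral(text) {
  return JSON.stringify(String(text))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Careless producer: escapes only the double quote before an unchecked
// conversion. The JavaScript string is syntactically fine, but the HTML
// parser does not know about JavaScript strings.
function naiveScript(userText) {
  return 'var name = "' + String(userText).replace(/"/g, '\\"') + '";';
}

// Wrong tool: HTML character references are not decoded inside a script
// element, so the JavaScript engine receives the literal text "&lt;".
function htmlEscapedScript(userText) {
  const escaped = String(userText)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
  return 'var name = "' + escaped + '";';
}

// Correct: JavaScript-escape, never HTML-escape, inside a script element.
function safeScript(userText) {
  return 'var name = ' + jsStringLiteral(userText) + ';';
}

// Would the HTML parser end the script element early? Raw text ends at
// "</script" followed by whitespace, ">" or "/" (case-insensitive); "<!--"
// also changes the tokenizer state, so it is flagged as well.
function breaksOutOfScriptElement(scriptBody) {
  return /<\/script[\s>\/]/i.test(scriptBody) || /<!--/.test(scriptBody);
}

// Run the script in a fresh function scope and return what `name` holds,
// to check that an escaped literal round-trips to the original text.
function evaluateName(scriptBody) {
  return new Function(scriptBody + ' return name;')();
}

// Constructed attacker input, modelled on the class comment's example.
const ATTACK = '</script><script>evil()</script>"';

// Compare the three approaches for one input: does the script element
// survive the HTML parser, and does the value reach JavaScript intact?
function compare(userText) {
  return {
    naiveBreaksOut: breaksOutOfScriptElement(naiveScript(userText)),
    htmlEscapedBreaksOut: breaksOutOfScriptElement(htmlEscapedScript(userText)),
    htmlEscapedRoundTrips: evaluateName(htmlEscapedScript(userText)) === userText,
    safeBreaksOut: breaksOutOfScriptElement(safeScript(userText)),
    safeRoundTrips: evaluateName(safeScript(userText)) === userText,
  };
}

console.log(compare(ATTACK));
```

For the attacker string, the naive variant breaks out of the script element; the HTML-escaped variant does not break out but delivers the wrong value (`&lt;/script&gt;...`) to JavaScript; only the JavaScript-escaped variant both stays inside the script element and round-trips the original text. This is the property a producer must guarantee before handing a string to an unchecked conversion.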
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| boolean | equals(Object other) |
| String | getSafeScriptString(): Returns this value's underlying string. |
| int | hashCode() |
| String | toString(): Returns a debug representation of this value's underlying string, NOT the string representation of the SafeScript. |
Field Detail

EMPTY

public static final SafeScript EMPTY

The SafeScript wrapping an empty string.

Method Detail

toString

public String toString()

Having toString() return a debug representation is intentional. This type has a GWT-compiled JavaScript version; JavaScript has no static typing, and a distinct method name (getSafeScriptString()) provides a modicum of type safety: code that accidentally calls toString() on a SafeScript, or on a value it assumed was a plain string, does not silently obtain the script.

Overrides: toString in class Object

getSafeScriptString

public String getSafeScriptString()

Returns this value's underlying string.