@Immutable @JsType public final class SafeStyleSheet extends Object
`getSafeStyleSheetString()`) can safely be interpolated as the content of a style element within HTML. The SafeStyleSheet string should not be escaped before interpolation.
A SafeStyleSheet can be constructed via security-reviewed unchecked conversions. In this case producers of SafeStyleSheet must ensure themselves that the SafeStyleSheet does not contain unsafe script. Note in particular that `<` is dangerous, even when inside CSS strings, and so should always be forbidden or CSS-escaped in user-controlled input. For example, if `</style><script>evil</script>"` were interpolated inside a CSS string, it would break out of the context of the original style element and `evil` would execute. Also note that within an HTML style (raw text) element, HTML character references, such as `&lt;`, are not allowed. See http://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements (similar considerations apply to the style element).

Modifier and Type | Field and Description |
---|---|
static SafeStyleSheet | EMPTY: The SafeStyleSheet wrapping an empty string. |

Modifier and Type | Method and Description |
---|---|
boolean | equals(Object other) |
String | getSafeStyleSheetString(): Returns this value's underlying string. |
int | hashCode() |
String | toString(): Returns a debug representation of this value's underlying string, NOT the string representation of the style declaration(s). |

public static final SafeStyleSheet EMPTY
public String toString()
Having `toString()` return a debug representation is intentional. This type has a GWT-compiled JavaScript version; JavaScript has no static typing and a distinct method name provides a modicum of type-safety.
toString in class Object
getSafeStyleSheetString()
public String getSafeStyleSheetString()
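
The class description above says `<` should always be forbidden or CSS-escaped in user-controlled input. The following is an added example, not code from this library or its documentation, showing one way to do both in plain Java before style sheet text is handed to a reviewed conversion; the class `CssStringEscapeExample`, its methods and the `.badge` selector are hypothetical.

```java
/** Added example: CSS-escaping untrusted text before it enters a style sheet string. */
public final class CssStringEscapeExample {

  /**
   * Escapes untrusted text for use inside a quoted CSS string. Everything except
   * ASCII letters, digits, space, '-', '_' and '.' becomes a CSS hex escape.
   */
  static String escapeCssString(String untrusted) {
    StringBuilder out = new StringBuilder(untrusted.length() + 16);
    untrusted.codePoints().forEach(cp -> {
      boolean plain = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z')
          || (cp >= '0' && cp <= '9') || cp == ' ' || cp == '-' || cp == '_' || cp == '.';
      if (plain) {
        out.appendCodePoint(cp);
      } else {
        // "\3c " style escape: the trailing space ends the escape, so a following
        // hex digit in the input cannot be absorbed into it.
        out.append('\\').append(Integer.toHexString(cp)).append(' ');
      }
    });
    return out.toString();
  }

  /** Builds the style sheet text; this is the string a producer would review and wrap. */
  static String buildStyleSheet(String untrustedLabel) {
    String css = ".badge::after { content: \"" + escapeCssString(untrustedLabel) + "\"; }";
    // Defense in depth: refuse any result that still contains '<', which could
    // close the enclosing <style> element.
    if (css.indexOf('<') >= 0) {
      throw new IllegalStateException("style sheet text contains '<'");
    }
    return css;
  }

  public static void main(String[] args) {
    // Constructed input: the string used as the example in the class description.
    String hostile = "</style><script>evil</script>\"";
    // Unescaped concatenation keeps "</style>" verbatim, ending the style element early.
    String naive = ".badge::after { content: \"" + hostile + "\"; }";
    System.out.println("naive:   " + naive);
    System.out.println("escaped: " + buildStyleSheet(hostile));
  }
}
```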