com.google.common.html.types

Class SafeStyleSheet

java.lang.Object

com.google.common.html.types.SafeStyleSheet

@Immutable
 @JsType
public final class SafeStyleSheet
extends Object

A string-like object which represents a CSS style sheet and that carries the security type contract that its value, as a string, will not cause untrusted script execution (XSS) when evaluated as CSS in a browser. A SafeStyleSheet's string representation (getSafeStyleSheetString()) can safely be interpolated as the content of a style element within HTML. The SafeStyleSheet string should not be escaped before interpolation. A SafeStyleSheet can be constructed via security-reviewed unchecked conversions. In this case producers of SafeStyleSheet must ensure themselves that the SafeStyleSheet does not contain unsafe script. Note in particular that < is dangerous, even when inside CSS strings, and so should always be forbidden or CSS-escaped in user controlled input. For example, if </style><script>evil</script>" were interpolated inside a CSS string, it would break out of the context of the original style element and evil would execute. Also note that within an HTML style (raw text) element, HTML character references, such as <, are not allowed. See http://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements (similar considerations apply to the style element).

Field Summary

Fields

Modifier and Type	Field and Description
static SafeStyleSheet	EMPTY The SafeStyleSheet wrapping an empty string.

Method Summary

Modifier and Type	Method and Description
boolean	equals(Object other)
String	getSafeStyleSheetString() Returns this value's underlying string.
int	hashCode()
String	toString() Returns a debug representation of this value's underlying string, NOT the string representation of the style declaration(s).

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

EMPTY

public static final SafeStyleSheet EMPTY

The SafeStyleSheet wrapping an empty string.

Method Detail

hashCode

public int hashCode()

Overrides:

hashCode in class Object

equals

public boolean equals(Object other)

Overrides:

equals in class Object

toString

public String toString()

Returns a debug representation of this value's underlying string, NOT the string representation of the style declaration(s).

Having toString() return a debug representation is intentional. This type has a GWT-compiled JavaScript version; JavaScript has no static typing and a distinct method method name provides a modicum of type-safety.

Overrides:

toString in class Object

See Also:

getSafeStyleSheetString()

getSafeStyleSheetString

public String getSafeStyleSheetString()

Returns this value's underlying string. See class documentation for what guarantees exist on the returned string.