com.google.template.soy.data

Class SanitizedContents

java.lang.Object

com.google.template.soy.data.SanitizedContents

@ParametersAreNonnullByDefault
public final class SanitizedContents
extends Object

Creation utilities for SanitizedContent objects for common use cases.

This should contain utilities that have extremely broad application. More specific utilities should reside with the specific project.

All utilities here should be extremely difficult to abuse in a way that could create attacker-controlled SanitizedContent objects. Java's type system is a great tool to achieve this.

Method Summary

Modifier and Type	Method and Description
static SanitizedContent	concatHtml(SanitizedContent... contents) Concatenate the contents of multiple SanitizedContent objects of kind HTML.
static SanitizedContent	constantHtml(String constant) Wraps an assumed-safe constant string that specifies a safe, balanced, document fragment.
static SanitizedContent	constantUri(String constant) Wraps an assumed-safe URI constant.
static SanitizedContent	emptyString(SanitizedContent.ContentKind kind) Creates an empty string constant.
static SanitizedContent	fromResource(Class<?> contextClass, String resourceName, Charset charset, SanitizedContent.ContentKind kind) Loads assumed-safe content from a Java resource.
static SanitizedContent	fromResource(String resourceName, Charset charset, SanitizedContent.ContentKind kind) Loads assumed-safe content from a Java resource.
static SanitizedContent	fromSafeHtml(com.google.common.html.types.SafeHtml html) Converts a SafeHtml into a Soy SanitizedContent of kind HTML.
static SanitizedContent	fromSafeHtmlProto(com.google.common.html.types.SafeHtmlProto html) Converts a SafeHtmlProto into a Soy SanitizedContent of kind HTML.
static SanitizedContent	fromSafeScript(com.google.common.html.types.SafeScript script) Converts a SafeScript into a Soy SanitizedContent of kind JS.
static SanitizedContent	fromSafeScriptProto(com.google.common.html.types.SafeScriptProto script) Converts a SafeScriptProto into a Soy SanitizedContent of kind JS.
static SanitizedContent	fromSafeStyle(com.google.common.html.types.SafeStyle style) Converts a SafeStyle into a Soy SanitizedContent of kind CSS.
static SanitizedContent	fromSafeStyleProto(com.google.common.html.types.SafeStyleProto style) Converts a SafeStyleProto into a Soy SanitizedContent of kind CSS.
static SanitizedContent	fromSafeStyleSheet(com.google.common.html.types.SafeStyleSheet styleSheet) Converts a SafeStyleSheet into a Soy SanitizedContent of kind CSS.
static SanitizedContent	fromSafeStyleSheetProto(com.google.common.html.types.SafeStyleSheetProto styleSheet) Converts a SafeStyleSheetProto into a Soy SanitizedContent of kind CSS.
static SanitizedContent	fromSafeUrl(com.google.common.html.types.SafeUrl url) Converts a SafeUrl into a Soy SanitizedContent of kind URI.
static SanitizedContent	fromSafeUrlProto(com.google.common.html.types.SafeUrlProto url) Converts a SafeUrlProto into a Soy SanitizedContent of kind URI.
static SanitizedContent	fromTrustedResourceUrl(com.google.common.html.types.TrustedResourceUrl url) Converts a TrustedResourceUrl into a Soy SanitizedContent of kind TRUSTED_RESOURCE_URI.
static SanitizedContent	fromTrustedResourceUrlProto(com.google.common.html.types.TrustedResourceUrlProto url) Converts a TrustedResourceUrlProto into a Soy SanitizedContent of kind TRUSTED_RESOURCE_URI.
static SanitizedContent	unsanitizedText(String text) Creates a SanitizedContent object of kind TEXT and unknown direction.
static SanitizedContent	unsanitizedText(String text, Dir dir) Creates a SanitizedContent object of kind TEXT of a given direction (null if unknown).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

emptyString

public static SanitizedContent emptyString(SanitizedContent.ContentKind kind)

Creates an empty string constant.

unsanitizedText

public static SanitizedContent unsanitizedText(String text,
                                               @Nullable
                                               Dir dir)

Creates a SanitizedContent object of kind TEXT of a given direction (null if unknown).

This is useful when stubbing out a function that needs to create a SanitizedContent object.

unsanitizedText

public static SanitizedContent unsanitizedText(String text)

Creates a SanitizedContent object of kind TEXT and unknown direction.

This is useful when stubbing out a function that needs to create a SanitizedContent object.

concatHtml

public static SanitizedContent concatHtml(SanitizedContent... contents)

Concatenate the contents of multiple SanitizedContent objects of kind HTML.

Parameters:

contents - The HTML content to combine.

fromResource

public static SanitizedContent fromResource(Class<?> contextClass,
                                            String resourceName,
                                            Charset charset,
                                            SanitizedContent.ContentKind kind)
                                     throws IOException

Loads assumed-safe content from a Java resource.

This performs ZERO VALIDATION of the data, and takes you on your word that the input is valid. We assume that resources should be safe because they are part of the binary, and therefore not attacker controlled, unless the source code is compromised (in which there's nothing we can do).

Parameters:

contextClass - Class relative to which to load the resource.

resourceName - The name of the resource, relative to the context class.

charset - The character set to use, usually Charsets.UTF_8.

kind - The content kind of the resource.

Throws:

IOException

fromResource

public static SanitizedContent fromResource(String resourceName,
                                            Charset charset,
                                            SanitizedContent.ContentKind kind)
                                     throws IOException

Loads assumed-safe content from a Java resource.

This performs ZERO VALIDATION of the data, and takes you on your word that the input is valid. We assume that resources should be safe because they are part of the binary, and therefore not attacker controlled, unless the source code is compromised (in which there's nothing we can do).

Parameters:

resourceName - The name of the resource to be found using context class loader.

charset - The character set to use, usually Charsets.UTF_8.

kind - The content kind of the resource.

Throws:

IOException

constantUri

public static SanitizedContent constantUri(@CompileTimeConstant
                                           String constant)

Wraps an assumed-safe URI constant.

This only accepts compile-time constants, based on the assumption that URLs that are controlled by the application (and not user input) are considered safe.

constantHtml

public static SanitizedContent constantHtml(@CompileTimeConstant
                                            String constant)

Wraps an assumed-safe constant string that specifies a safe, balanced, document fragment.

This only accepts compile-time constants, based on the assumption that HTML snippets that are controlled by the application (and not user input) are considered safe.

fromSafeHtml

public static SanitizedContent fromSafeHtml(com.google.common.html.types.SafeHtml html)

Converts a SafeHtml into a Soy SanitizedContent of kind HTML.

fromSafeHtmlProto

public static SanitizedContent fromSafeHtmlProto(com.google.common.html.types.SafeHtmlProto html)

Converts a SafeHtmlProto into a Soy SanitizedContent of kind HTML.

fromSafeScript

public static SanitizedContent fromSafeScript(com.google.common.html.types.SafeScript script)

Converts a SafeScript into a Soy SanitizedContent of kind JS.

fromSafeScriptProto

public static SanitizedContent fromSafeScriptProto(com.google.common.html.types.SafeScriptProto script)

Converts a SafeScriptProto into a Soy SanitizedContent of kind JS.

fromSafeStyle

public static SanitizedContent fromSafeStyle(com.google.common.html.types.SafeStyle style)

Converts a SafeStyle into a Soy SanitizedContent of kind CSS.

fromSafeStyleProto

public static SanitizedContent fromSafeStyleProto(com.google.common.html.types.SafeStyleProto style)

Converts a SafeStyleProto into a Soy SanitizedContent of kind CSS.

fromSafeStyleSheet

public static SanitizedContent fromSafeStyleSheet(com.google.common.html.types.SafeStyleSheet styleSheet)

Converts a SafeStyleSheet into a Soy SanitizedContent of kind CSS.

fromSafeStyleSheetProto

public static SanitizedContent fromSafeStyleSheetProto(com.google.common.html.types.SafeStyleSheetProto styleSheet)

Converts a SafeStyleSheetProto into a Soy SanitizedContent of kind CSS.

fromSafeUrl

public static SanitizedContent fromSafeUrl(com.google.common.html.types.SafeUrl url)

Converts a SafeUrl into a Soy SanitizedContent of kind URI.

fromSafeUrlProto

public static SanitizedContent fromSafeUrlProto(com.google.common.html.types.SafeUrlProto url)

Converts a SafeUrlProto into a Soy SanitizedContent of kind URI.

fromTrustedResourceUrl

public static SanitizedContent fromTrustedResourceUrl(com.google.common.html.types.TrustedResourceUrl url)

Converts a TrustedResourceUrl into a Soy SanitizedContent of kind TRUSTED_RESOURCE_URI.

fromTrustedResourceUrlProto

public static SanitizedContent fromTrustedResourceUrlProto(com.google.common.html.types.TrustedResourceUrlProto url)

Converts a TrustedResourceUrlProto into a Soy SanitizedContent of kind TRUSTED_RESOURCE_URI.