public static final class EscapingConventions.FilterNormalizeMediaUri extends EscapingConventions.CrossLanguageStringXform
Like EscapingConventions.FilterNormalizeUri, but also accepts data: and blob: URIs, since image sources don't execute script in the same origin as the page (image-handling 0-days do surface from time to time, but a templating language can't realistically try to protect against them).
Only intended to be used with images; for videos and audio we expect some sort of further review since they can more easily be used for social engineering. Video and audio still accept http/https because remote video and audio can still be protected against via CSP, but data URIs don't have self-evident provenance.
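The following is an added, illustrative re-implementation of the policy described above, not Soy's own code: the allowed-scheme pattern, the media-type list and the innocuous placeholder value are assumptions made for the example, and normalization is reduced to percent-encoding characters that must not appear raw in an attribute URI.

```python
import re
from urllib.parse import quote

# Constructed placeholder for the innocuous replacement; Soy's real value is
# whatever getInnocuousOutput() returns.
INNOCUOUS_MEDIA_URI = "about:invalid#placeholder"

# Assumed policy modelling the description above (not Soy's regex):
#   - http: and https:  remote media that CSP can still police
#   - blob:             same-origin object URLs
#   - data:             only raster image types with a base64 payload
#   - scheme-less       relative references; '&' is excluded conservatively
#                       so an entity-encoded ':' cannot smuggle in a scheme
_ALLOWED_MEDIA_URI = re.compile(
    r"^(?:"
    r"(?:https?|blob):"
    r"|data:image/(?:bmp|gif|jpe?g|png|tiff|webp|x-icon);base64,[a-z0-9+/=]*"
    r"|[^&:/?#]*(?:[/?#]|$)"
    r")",
    re.IGNORECASE,
)


def normalize_uri(uri: str) -> str:
    """Percent-encode quotes, whitespace, angle brackets and other characters
    unsafe in an attribute URI; reserved URI characters and existing %XX
    escapes are left as they are."""
    return quote(uri, safe="-_.!~*()%;/?:@&=+$,#[]")


def filter_normalize_media_uri(uri: str) -> str:
    """Model of the filterNormalizeMediaUri directive: a URI whose scheme is
    not on the allow list is replaced wholesale by the innocuous value;
    anything else is passed through normalization."""
    if not _ALLOWED_MEDIA_URI.match(uri):
        return INNOCUOUS_MEDIA_URI
    return normalize_uri(uri)


if __name__ == "__main__":
    # Constructed sample inputs: two image sources a template might receive
    # and two that the filter must neutralize.
    for sample in ("https://cdn.example/a b.png",
                   "data:image/png;base64,iVBORw0KGgo=",
                   "javascript:alert(1)",
                   "data:text/html;base64,PHNjcmlwdD4="):
        print(repr(sample), "->", filter_normalize_media_uri(sample))
```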
| Modifier and Type | Field and Description |
|---|---|
| static EscapingConventions.FilterNormalizeMediaUri | INSTANCE: Implements the filterNormalizeMediaUri directive. |
| Modifier and Type | Method and Description |
|---|---|
| protected com.google.common.collect.ImmutableList<EscapingConventions.Escape> | defineEscapes(): Returns the escapes used for this escaper. |
| String | getInnocuousOutput(): Returns an innocuous string in this context that can be used when filtering. |
Methods inherited from class EscapingConventions.CrossLanguageStringXform: escape, escape, getDirectiveName, getEscapes, getLangFunctionNames, getNonAsciiPrefix, getValueFilter

Field Detail

INSTANCE
public static final EscapingConventions.FilterNormalizeMediaUri INSTANCE
Implements the filterNormalizeMediaUri directive.

Method Detail

defineEscapes
protected com.google.common.collect.ImmutableList<EscapingConventions.Escape> defineEscapes()
Returns the escapes used for this escaper.
Specified by: defineEscapes in class EscapingConventions.CrossLanguageStringXform

getInnocuousOutput
public String getInnocuousOutput()
Returns an innocuous string in this context that can be used when filtering.
Overrides: getInnocuousOutput in class EscapingConventions.CrossLanguageStringXform