// Converter callback: passes the SafeHtml to SanitizedContents.fromSafeHtml and returns the result
// as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeHtml obj) { return SanitizedContents.fromSafeHtml(obj); } });
// Converter callback: passes the SafeHtmlProto to SanitizedContents.fromSafeHtmlProto and returns
// the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeHtmlProto obj) { return SanitizedContents.fromSafeHtmlProto(obj); } });
// Converter callback: passes the SafeScript to SanitizedContents.fromSafeScript and returns the
// result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeScript obj) { return SanitizedContents.fromSafeScript(obj); } });
/**
 * Reads a Java resource and labels its text as already-sanitized content of the given kind.
 *
 * <p>The resource text is NOT validated or escaped here: it goes from {@code Resources.toString}
 * straight into the {@code SanitizedContent} constructor. The only justification for the "safe"
 * label is that resources ship inside the binary and are therefore not attacker controlled
 * (short of a source-code compromise, which this method cannot defend against). That assumption
 * holds only while both the resource name and the resource's contents are fixed at build time.
 *
 * @param contextClass Class relative to which the resource is looked up.
 * @param resourceName Name of the resource, relative to {@code contextClass}.
 * @param charset Character set used to decode the resource, usually Charsets.UTF_8.
 * @param kind Content kind the returned value is labelled with.
 * @throws IOException if the resource cannot be read.
 */
public static SanitizedContent fromResource(
    Class<?> contextClass, String resourceName, Charset charset, ContentKind kind)
    throws IOException {
  // Receives only the name and the kind; the resource text itself is never passed to it.
  pretendValidateResource(resourceName, kind);
  String resourceText =
      Resources.toString(Resources.getResource(contextClass, resourceName), charset);
  return new SanitizedContent(resourceText, kind);
}
/**
 * Labels a constant string as safe CSS with left-to-right direction.
 *
 * <p>Only compile-time constants are accepted, on the assumption that CSS written by the
 * application author (and not derived from user input) is safe. The string is not inspected in
 * this method. {@code @CompileTimeConstant} is a compile-time check: it constrains callers only
 * in builds where that check actually runs.
 *
 * @param constant The CSS text; must be a compile-time constant.
 */
public static SanitizedContent constantCss(@CompileTimeConstant final String constant) {
  return fromConstant(
      constant,
      ContentKind.CSS,
      Dir.LTR);
}
// Converter callback: passes the SafeStyleProto to SanitizedContents.fromSafeStyleProto and
// returns the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeStyleProto obj) { return SanitizedContents.fromSafeStyleProto(obj); } });
// Converter callback: passes the SafeScriptProto to SanitizedContents.fromSafeScriptProto and
// returns the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeScriptProto obj) { return SanitizedContents.fromSafeScriptProto(obj); } });
// Converter callback: passes the SafeStyleSheetProto to SanitizedContents.fromSafeStyleSheetProto
// and returns the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeStyleSheetProto obj) { return SanitizedContents.fromSafeStyleSheetProto(obj); } });
// Converter callback: passes the SafeStyleSheet to SanitizedContents.fromSafeStyleSheet and
// returns the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeStyleSheet obj) { return SanitizedContents.fromSafeStyleSheet(obj); } });
// Converter callback: passes the SafeStyle to SanitizedContents.fromSafeStyle and returns the
// result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeStyle obj) { return SanitizedContents.fromSafeStyle(obj); } });
/**
 * Reads a Java resource and labels its text as already-sanitized content of the given kind,
 * using the kind's default direction.
 *
 * <p>The resource text is NOT validated or escaped here: it goes from {@code Resources.toString}
 * straight into {@code SanitizedContent.create}. The only justification for the "safe" label is
 * that resources ship inside the binary and are therefore not attacker controlled (short of a
 * source-code compromise, which this method cannot defend against). That assumption holds only
 * while both the resource name and the resource's contents are fixed at build time.
 *
 * @param resourceName Name of the resource, located through the {@linkplain
 *     Thread#getContextClassLoader() context class loader}.
 * @param charset Character set used to decode the resource, usually Charsets.UTF_8.
 * @param kind Content kind the returned value is labelled with.
 * @throws IOException if the resource cannot be read.
 */
public static SanitizedContent fromResource(
    String resourceName, Charset charset, ContentKind kind) throws IOException {
  // Receives only the name and the kind; the resource text itself is never passed to it.
  pretendValidateResource(resourceName, kind);
  String resourceText = Resources.toString(Resources.getResource(resourceName), charset);
  return SanitizedContent.create(
      resourceText,
      kind,
      // Text resources are usually localized, which might suggest assuming the locale's
      // direction for them. That is deliberately not done, because:
      // - The locale direction is not known at this point.
      // - Some messages never get translated.
      // - Text resources currently cannot go through this method at all
      //   (see pretendValidateResource()).
      kind.getDefaultDir());
}
/**
 * Labels a constant string as safe HTML; the string must be a safe, balanced document fragment.
 *
 * <p>Only compile-time constants are accepted, on the assumption that HTML snippets written by
 * the application author (and not derived from user input) are safe. The string is not inspected
 * in this method, so balance and safety are the caller's responsibility.
 * {@code @CompileTimeConstant} is a compile-time check: it constrains callers only in builds
 * where that check actually runs.
 *
 * @param constant The HTML fragment; must be a compile-time constant.
 */
public static SanitizedContent constantHtml(@CompileTimeConstant final String constant) {
  return fromConstant(
      constant,
      ContentKind.HTML,
      // No direction is supplied for HTML constants.
      null);
}
// Converter callback: passes the SafeStyleProto to SanitizedContents.fromSafeStyleProto and
// returns the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeStyleProto obj) { return SanitizedContents.fromSafeStyleProto(obj); } });
// Converter callback: passes the SafeScriptProto to SanitizedContents.fromSafeScriptProto and
// returns the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeScriptProto obj) { return SanitizedContents.fromSafeScriptProto(obj); } });
// Converter callback: passes the SafeStyleSheetProto to SanitizedContents.fromSafeStyleSheetProto
// and returns the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeStyleSheetProto obj) { return SanitizedContents.fromSafeStyleSheetProto(obj); } });
// Converter callback: passes the SafeStyleSheet to SanitizedContents.fromSafeStyleSheet and
// returns the result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeStyleSheet obj) { return SanitizedContents.fromSafeStyleSheet(obj); } });
// Converter callback: passes the SafeStyle to SanitizedContents.fromSafeStyle and returns the
// result as a SoyValue. This method performs no validation of its own.
// The trailing "});" closes an enclosing construct that begins outside this excerpt.
@Override public SoyValue apply(SafeStyle obj) { return SanitizedContents.fromSafeStyle(obj); } });
/**
 * Reads a Java resource and labels its text as already-sanitized content of the given kind,
 * using the kind's default direction.
 *
 * <p>The resource text is NOT validated or escaped here: it goes from {@code Resources.toString}
 * straight into {@code SanitizedContent.create}. The only justification for the "safe" label is
 * that resources ship inside the binary and are therefore not attacker controlled (short of a
 * source-code compromise, which this method cannot defend against). That assumption holds only
 * while both the resource name and the resource's contents are fixed at build time.
 *
 * @param contextClass Class relative to which the resource is looked up.
 * @param resourceName Name of the resource, relative to {@code contextClass}.
 * @param charset Character set used to decode the resource, usually Charsets.UTF_8.
 * @param kind Content kind the returned value is labelled with.
 * @throws IOException if the resource cannot be read.
 */
public static SanitizedContent fromResource(
    Class<?> contextClass, String resourceName, Charset charset, ContentKind kind)
    throws IOException {
  // Receives only the name and the kind; the resource text itself is never passed to it.
  pretendValidateResource(resourceName, kind);
  String resourceText =
      Resources.toString(Resources.getResource(contextClass, resourceName), charset);
  return SanitizedContent.create(
      resourceText,
      kind,
      // Text resources are usually localized, which might suggest assuming the locale's
      // direction for them. That is deliberately not done, because:
      // - The locale direction is not known at this point.
      // - Some messages never get translated.
      // - Text resources currently cannot go through this method at all
      //   (see pretendValidateResource()).
      kind.getDefaultDir());
}
/**
 * Labels a constant string as a safe URI with left-to-right direction.
 *
 * <p>Only compile-time constants are accepted, on the assumption that URLs chosen by the
 * application author (and not derived from user input) are safe. The string is not inspected in
 * this method, so its scheme and target are not checked. {@code @CompileTimeConstant} is a
 * compile-time check: it constrains callers only in builds where that check actually runs.
 *
 * @param constant The URI text; must be a compile-time constant.
 */
public static SanitizedContent constantUri(@CompileTimeConstant final String constant) {
  return fromConstant(
      constant,
      ContentKind.URI,
      Dir.LTR);
}
/**
 * Converts a proto field value into a Soy value by treating it as a {@code SafeHtmlProto}.
 *
 * <p>The cast is unchecked against the declared {@code Object} parameter: a value of any other
 * type fails with {@link ClassCastException} before the conversion runs. No other validation is
 * done in this method.
 *
 * @param field The field value; expected to be a {@code SafeHtmlProto}.
 * @return The result of {@code SanitizedContents.fromSafeHtmlProto} for that value.
 */
@Override
public SoyValue soyFromProto(Object field) {
  SafeHtmlProto htmlProto = (SafeHtmlProto) field;
  return SanitizedContents.fromSafeHtmlProto(htmlProto);
}