/**
 * Marks {@code knownSafeJson} as {@code ContentKind.JS} content without inspecting it.
 *
 * <p>No validation or escaping happens in this helper. The "known safe" in the parameter name is
 * a promise made by the caller: the string is handed straight to
 * {@code UnsafeSanitizedContentOrdainer.ordainAsSafe}, so whatever it contains is treated as
 * already-sanitized script text.
 *
 * <p>NOTE(review): confirm every call site passes output of a trusted JSON serializer and never
 * raw request data.
 *
 * @param knownSafeJson JSON text the caller vouches for
 * @return the same text wrapped as sanitized JS content
 */
private static SanitizedContent ordainJson(String knownSafeJson) {
  SanitizedContent ordainedJson =
      UnsafeSanitizedContentOrdainer.ordainAsSafe(knownSafeJson, ContentKind.JS);
  return ordainedJson;
}
}
/**
 * Marks {@code knownSafeJson} as {@code ContentKind.JS} content without inspecting it.
 *
 * <p>No validation or escaping happens in this helper. The "known safe" in the parameter name is
 * a promise made by the caller: the string is handed straight to
 * {@code UnsafeSanitizedContentOrdainer.ordainAsSafe}, so whatever it contains is treated as
 * already-sanitized script text.
 *
 * <p>NOTE(review): confirm every call site passes output of a trusted JSON serializer and never
 * raw request data.
 *
 * @param knownSafeJson JSON text the caller vouches for
 * @return the same text wrapped as sanitized JS content
 */
private static SanitizedContent ordainJson(String knownSafeJson) {
  SanitizedContent ordainedJson =
      UnsafeSanitizedContentOrdainer.ordainAsSafe(knownSafeJson, ContentKind.JS);
  return ordainedJson;
}
}
/**
 * Marks {@code knownSafeJson} as {@code ContentKind.JS} content without inspecting it.
 *
 * <p>No validation or escaping happens in this helper. The "known safe" in the parameter name is
 * a promise made by the caller: the string is handed straight to
 * {@code UnsafeSanitizedContentOrdainer.ordainAsSafe}, so whatever it contains is treated as
 * already-sanitized script text.
 *
 * <p>NOTE(review): confirm every call site passes output of a trusted JSON serializer and never
 * raw request data.
 *
 * @param knownSafeJson JSON text the caller vouches for
 * @return the same text wrapped as sanitized JS content
 */
private static SanitizedContent ordainJson(String knownSafeJson) {
  SanitizedContent ordainedJson =
      UnsafeSanitizedContentOrdainer.ordainAsSafe(knownSafeJson, ContentKind.JS);
  return ordainedJson;
}
}
/**
 * Marks {@code knownSafeJson} as {@code ContentKind.JS} content without inspecting it.
 *
 * <p>No validation or escaping happens in this helper. The "known safe" in the parameter name is
 * a promise made by the caller: the string is handed straight to
 * {@code UnsafeSanitizedContentOrdainer.ordainAsSafe}, so whatever it contains is treated as
 * already-sanitized script text.
 *
 * <p>NOTE(review): confirm every call site passes output of a trusted JSON serializer and never
 * raw request data.
 *
 * @param knownSafeJson JSON text the caller vouches for
 * @return the same text wrapped as sanitized JS content
 */
private static SanitizedContent ordainJson(String knownSafeJson) {
  SanitizedContent ordainedJson =
      UnsafeSanitizedContentOrdainer.ordainAsSafe(knownSafeJson, ContentKind.JS);
  return ordainedJson;
}
}
/**
 * Lets {@code value} through only when the sip URI value filter finds a match in it; any other
 * input is replaced by the filter's innocuous output.
 *
 * <p>NOTE(review): the check uses {@code find()}, which succeeds on a match anywhere in the
 * input, so it is only as strict as the anchoring of the pattern returned by
 * {@code EscapingConventions.FilterSipUri} — confirm that pattern is anchored at both ends.
 *
 * @param value candidate URI text
 * @return {@code value} ordained as URI content when accepted, otherwise the innocuous output
 *     ordained as URI content
 */
public static SanitizedContent filterSipUri(String value) {
  boolean accepted =
      EscapingConventions.FilterSipUri.INSTANCE.getValueFilter().matcher(value).find();
  if (!accepted) {
    // The rejected input is passed as a log parameter, not spliced into the message pattern.
    // NOTE(review): it is still written verbatim; confirm the log sink neutralizes line breaks
    // and control characters so a hostile value cannot forge log entries.
    logger.log(Level.WARNING, "|filterSipUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        EscapingConventions.FilterSipUri.INSTANCE.getInnocuousOutput(),
        SanitizedContent.ContentKind.URI);
  }
  // Accepted values are not escaped here; escaping for the surrounding context (e.g. HTML)
  // is applied after this filter.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Lets {@code value} through only when the sms URI value filter finds a match in it; any other
 * input is replaced by the filter's innocuous output.
 *
 * <p>NOTE(review): the check uses {@code find()}, which succeeds on a match anywhere in the
 * input, so it is only as strict as the anchoring of the pattern returned by
 * {@code EscapingConventions.FilterSmsUri} — confirm that pattern is anchored at both ends.
 *
 * @param value candidate URI text
 * @return {@code value} ordained as URI content when accepted, otherwise the innocuous output
 *     ordained as URI content
 */
public static SanitizedContent filterSmsUri(String value) {
  boolean accepted =
      EscapingConventions.FilterSmsUri.INSTANCE.getValueFilter().matcher(value).find();
  if (!accepted) {
    // The rejected input is passed as a log parameter, not spliced into the message pattern.
    // NOTE(review): it is still written verbatim; confirm the log sink neutralizes line breaks
    // and control characters so a hostile value cannot forge log entries.
    logger.log(Level.WARNING, "|filterSmsUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        EscapingConventions.FilterSmsUri.INSTANCE.getInnocuousOutput(),
        SanitizedContent.ContentKind.URI);
  }
  // Accepted values are not escaped here; escaping for the surrounding context (e.g. HTML)
  // is applied after this filter.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Lets {@code value} through only when the tel URI value filter finds a match in it; any other
 * input is replaced by the filter's innocuous output.
 *
 * <p>NOTE(review): the check uses {@code find()}, which succeeds on a match anywhere in the
 * input, so it is only as strict as the anchoring of the pattern returned by
 * {@code EscapingConventions.FilterTelUri} — confirm that pattern is anchored at both ends.
 *
 * @param value candidate URI text
 * @return {@code value} ordained as URI content when accepted, otherwise the innocuous output
 *     ordained as URI content
 */
public static SanitizedContent filterTelUri(String value) {
  boolean accepted =
      EscapingConventions.FilterTelUri.INSTANCE.getValueFilter().matcher(value).find();
  if (!accepted) {
    // The rejected input is passed as a log parameter, not spliced into the message pattern.
    // NOTE(review): it is still written verbatim; confirm the log sink neutralizes line breaks
    // and control characters so a hostile value cannot forge log entries.
    logger.log(Level.WARNING, "|filterTelUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        EscapingConventions.FilterTelUri.INSTANCE.getInnocuousOutput(),
        SanitizedContent.ContentKind.URI);
  }
  // Accepted values are not escaped here; escaping for the surrounding context (e.g. HTML)
  // is applied after this filter.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Buffers whatever {@code webResourceManager.includeResources} writes and returns it ordained as
 * HTML content. {@code args} is not read.
 *
 * <p>NOTE(review): the buffered text is trusted wholesale — it is ordained as HTML with no
 * escaping in this method, so everything the resource manager emits is treated as markup.
 * Confirm it only writes tags built from trusted resource definitions.
 *
 * @param args function arguments (unused here)
 * @return the resource manager's output marked as sanitized HTML
 */
@Override
public SoyData computeForJava(List<SoyValue> args) {
  final StringWriter buffer = new StringWriter();
  webResourceManager.includeResources(buffer, UrlMode.AUTO);
  final String resourceMarkup = buffer.toString();
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(
      resourceMarkup, SanitizedContent.ContentKind.HTML);
}
/**
 * Lets {@code value} through only when the image data URI value filter finds a match in it; any
 * other input is replaced by the filter's innocuous output.
 *
 * <p>NOTE(review): the check uses {@code find()}, which succeeds on a match anywhere in the
 * input, so it is only as strict as the anchoring of the pattern returned by
 * {@code EscapingConventions.FilterImageDataUri} — confirm that pattern is anchored at both
 * ends.
 *
 * @param value candidate data URI text
 * @return {@code value} ordained as URI content when accepted, otherwise the innocuous output
 *     ordained as URI content
 */
public static SanitizedContent filterImageDataUri(String value) {
  boolean accepted =
      EscapingConventions.FilterImageDataUri.INSTANCE.getValueFilter().matcher(value).find();
  if (!accepted) {
    // The rejected input is passed as a log parameter, not spliced into the message pattern.
    // NOTE(review): it is still written verbatim; confirm the log sink neutralizes line breaks
    // and control characters so a hostile value cannot forge log entries.
    logger.log(Level.WARNING, "|filterImageDataUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        EscapingConventions.FilterImageDataUri.INSTANCE.getInnocuousOutput(),
        SanitizedContent.ContentKind.URI);
  }
  // Accepted values are ordained as-is; no escaping is applied here.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Lets {@code value} through only when the tel URI value filter finds a match in it; any other
 * input is replaced by the filter's innocuous output.
 *
 * <p>NOTE(review): the check uses {@code find()}, which succeeds on a match anywhere in the
 * input, so it is only as strict as the anchoring of the pattern returned by
 * {@code EscapingConventions.FilterTelUri} — confirm that pattern is anchored at both ends.
 *
 * @param value candidate URI text
 * @return {@code value} ordained as URI content when accepted, otherwise the innocuous output
 *     ordained as URI content
 */
public static SanitizedContent filterTelUri(String value) {
  boolean accepted =
      EscapingConventions.FilterTelUri.INSTANCE.getValueFilter().matcher(value).find();
  if (!accepted) {
    // The rejected input is passed as a log parameter, not spliced into the message pattern.
    // NOTE(review): it is still written verbatim; confirm the log sink neutralizes line breaks
    // and control characters so a hostile value cannot forge log entries.
    logger.log(Level.WARNING, "|filterTelUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        EscapingConventions.FilterTelUri.INSTANCE.getInnocuousOutput(),
        SanitizedContent.ContentKind.URI);
  }
  // Accepted values are not escaped here; escaping for the surrounding context (e.g. HTML)
  // is applied after this filter.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Lets {@code value} through only when the image data URI value filter finds a match in it; any
 * other input is replaced by the filter's innocuous output.
 *
 * <p>NOTE(review): the check uses {@code find()}, which succeeds on a match anywhere in the
 * input, so it is only as strict as the anchoring of the pattern returned by
 * {@code EscapingConventions.FilterImageDataUri} — confirm that pattern is anchored at both
 * ends.
 *
 * @param value candidate data URI text
 * @return {@code value} ordained as URI content when accepted, otherwise the innocuous output
 *     ordained as URI content
 */
public static SanitizedContent filterImageDataUri(String value) {
  boolean accepted =
      EscapingConventions.FilterImageDataUri.INSTANCE.getValueFilter().matcher(value).find();
  if (!accepted) {
    // The rejected input is passed as a log parameter, not spliced into the message pattern.
    // NOTE(review): it is still written verbatim; confirm the log sink neutralizes line breaks
    // and control characters so a hostile value cannot forge log entries.
    logger.log(Level.WARNING, "|filterImageDataUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        EscapingConventions.FilterImageDataUri.INSTANCE.getInnocuousOutput(),
        SanitizedContent.ContentKind.URI);
  }
  // Accepted values are ordained as-is; no escaping is applied here.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Lets {@code value} through only when the sip URI value filter finds a match in it; any other
 * input is replaced by the filter's innocuous output.
 *
 * <p>NOTE(review): the check uses {@code find()}, which succeeds on a match anywhere in the
 * input, so it is only as strict as the anchoring of the pattern returned by
 * {@code EscapingConventions.FilterSipUri} — confirm that pattern is anchored at both ends.
 *
 * @param value candidate URI text
 * @return {@code value} ordained as URI content when accepted, otherwise the innocuous output
 *     ordained as URI content
 */
public static SanitizedContent filterSipUri(String value) {
  boolean accepted =
      EscapingConventions.FilterSipUri.INSTANCE.getValueFilter().matcher(value).find();
  if (!accepted) {
    // The rejected input is passed as a log parameter, not spliced into the message pattern.
    // NOTE(review): it is still written verbatim; confirm the log sink neutralizes line breaks
    // and control characters so a hostile value cannot forge log entries.
    logger.log(Level.WARNING, "|filterSipUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        EscapingConventions.FilterSipUri.INSTANCE.getInnocuousOutput(),
        SanitizedContent.ContentKind.URI);
  }
  // Accepted values are not escaped here; escaping for the surrounding context (e.g. HTML)
  // is applied after this filter.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Takes the caller's word that {@code value} is safe for {@code kind} and marks it so that it is
 * not escaped again. The direction is taken from {@code kind.getDefaultDir()}: LTR for JS, URI,
 * ATTRIBUTES, and CSS content, and unknown otherwise.
 *
 * <p>Ordained content is printed by Soy in the matching context with NO re-escaping and NO
 * validation. That makes this the place where trust is asserted rather than checked: it suits
 * known-safe HTML passed to a template as a parameter, and little strict checking is performed
 * on the way in.
 *
 * <p>Because of that, the value should be a constant or the output of a sanitizer for the same
 * kind. The main benefit of routing such values through this method is that the safe constants
 * in calling code become easy to tell apart and to audit.
 *
 * @param value text the caller asserts is safe for {@code kind}
 * @param kind content kind the value is ordained as
 * @return {@code value} wrapped as sanitized content of {@code kind} with the kind's default
 *     direction
 */
public static SanitizedContent ordainAsSafe(String value, ContentKind kind) {
  return ordainAsSafe(
      value,
      kind,
      kind.getDefaultDir());
}
/**
 * Ordains {@code identifier} as JS only after two allow/deny checks: it must fully match
 * {@code VALID_JS_IDENTIFIER_PATTERN} and must not be listed in {@code INVALID_JS_IDENTIFIERS}.
 *
 * <p>Unlike a bare ordain call, the value is validated before it is marked safe, so a string
 * that fails either check never becomes sanitized content.
 *
 * <p>TODO: this appears to be redundant with some code in JsSrcUtils.
 *
 * @param identifier candidate JS identifier
 * @return the identifier wrapped as sanitized JS content
 * @throws IllegalArgumentException presumably, via {@code checkArgument}, when either check
 *     fails — confirm which {@code checkArgument} is statically imported
 */
public static SanitizedContent jsIdentifier(String identifier) {
  // matches() requires the whole string to fit the pattern, not just a substring.
  boolean wellFormed = VALID_JS_IDENTIFIER_PATTERN.matcher(identifier).matches();
  checkArgument(
      wellFormed,
      "JS identifier '%s' should match the pattern '%s'",
      identifier,
      VALID_JS_IDENTIFIER_PATTERN.pattern());

  boolean denied = INVALID_JS_IDENTIFIERS.contains(identifier);
  checkArgument(
      !denied,
      "JS identifier '%s' should not be a reserved word or match a literal",
      identifier);

  return UnsafeSanitizedContentOrdainer.ordainAsSafe(identifier, ContentKind.JS);
}
}
/**
 * Ordains {@code identifier} as JS only after two allow/deny checks: it must fully match
 * {@code VALID_JS_IDENTIFIER_PATTERN} and must not be listed in {@code INVALID_JS_IDENTIFIERS}.
 *
 * <p>Unlike a bare ordain call, the value is validated before it is marked safe, so a string
 * that fails either check never becomes sanitized content.
 *
 * <p>TODO: this appears to be redundant with some code in JsSrcUtils.
 *
 * @param identifier candidate JS identifier
 * @return the identifier wrapped as sanitized JS content
 * @throws IllegalArgumentException presumably, via {@code checkArgument}, when either check
 *     fails — confirm which {@code checkArgument} is statically imported
 */
public static SanitizedContent jsIdentifier(String identifier) {
  // matches() requires the whole string to fit the pattern, not just a substring.
  boolean wellFormed = VALID_JS_IDENTIFIER_PATTERN.matcher(identifier).matches();
  checkArgument(
      wellFormed,
      "JS identifier '%s' should match the pattern '%s'",
      identifier,
      VALID_JS_IDENTIFIER_PATTERN.pattern());

  boolean denied = INVALID_JS_IDENTIFIERS.contains(identifier);
  checkArgument(
      !denied,
      "JS identifier '%s' should not be a reserved word or match a literal",
      identifier);

  return UnsafeSanitizedContentOrdainer.ordainAsSafe(identifier, ContentKind.JS);
}
}
/**
 * Takes the caller's word that {@code value} is safe for {@code kind} and marks it so that it is
 * not escaped again. The direction is taken from {@code kind.getDefaultDir()}: LTR for JS, URI,
 * ATTRIBUTES, and CSS content, and unknown otherwise.
 *
 * <p>Ordained content is printed by Soy in the matching context with NO re-escaping and NO
 * validation. That makes this the place where trust is asserted rather than checked: it suits
 * known-safe HTML passed to a template as a parameter, and little strict checking is performed
 * on the way in.
 *
 * <p>Because of that, the value should be a constant or the output of a sanitizer for the same
 * kind. The main benefit of routing such values through this method is that the safe constants
 * in calling code become easy to tell apart and to audit.
 *
 * @param value text the caller asserts is safe for {@code kind}
 * @param kind content kind the value is ordained as
 * @return {@code value} wrapped as sanitized content of {@code kind} with the kind's default
 *     direction
 */
public static SanitizedContent ordainAsSafe(String value, ContentKind kind) {
  return ordainAsSafe(
      value,
      kind,
      kind.getDefaultDir());
}
/**
 * Renders the configured template into a fresh buffer and returns the text ordained as
 * {@code expectedContentKind}.
 *
 * <p>{@code enforceContentKind} runs on the rendered template before anything is ordained.
 * NOTE(review): it presumably rejects a template whose declared kind is incompatible with the
 * expected one — confirm, since that check is what justifies marking the output safe.
 *
 * @return the rendered output wrapped as sanitized content of the expected kind
 */
@Override
public SanitizedContent renderStrict() {
  StringBuilder output = new StringBuilder();
  TemplateNode renderedTemplate =
      baseTofu.renderMain(
          output,
          templateName,
          data,
          ijData,
          activeDelPackageNames,
          msgBundle,
          idRenamingMap,
          cssRenamingMap,
          debugSoyTemplateInfo);
  enforceContentKind(renderedTemplate);

  // Ordain with the expected kind, not the template's actual kind, so an HTML template
  // rendered as TEXT comes back as TEXT.
  String renderedText = output.toString();
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(renderedText, expectedContentKind);
}
/**
 * Builds a direction attribute for the first argument via
 * {@code BidiFunctionsRuntime.bidiDirAttr} and returns it ordained as ATTRIBUTES content.
 *
 * <p>The third argument passed to {@code bidiDirAttr} is true only when exactly two arguments
 * were supplied and the second one is true.
 *
 * <p>NOTE(review): the runtime helper's return value is ordained without escaping here, so it
 * must never echo any part of the argument text into the attribute — confirm in
 * {@code BidiFunctionsRuntime}.
 *
 * @param args one or two Soy values; the first is the text whose direction is wanted
 * @return the generated attribute text marked as sanitized ATTRIBUTES content
 */
@Override
public SoyValue computeForJava(List<SoyValue> args) {
  SoyValue text = args.get(0);
  // The call is kept as one expression so the arguments are evaluated in the original order.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(
      BidiFunctionsRuntime.bidiDirAttr(
          bidiGlobalDirProvider.get(),
          text,
          args.size() == 2 && args.get(1).booleanValue()),
      ContentKind.ATTRIBUTES);
}
/**
 * Renders the configured template into a fresh buffer and returns the text ordained as
 * {@code expectedContentKind}.
 *
 * <p>{@code enforceContentKind} runs on the rendered template before anything is ordained.
 * NOTE(review): it presumably rejects a template whose declared kind is incompatible with the
 * expected one — confirm, since that check is what justifies marking the output safe.
 *
 * @return the rendered output wrapped as sanitized content of the expected kind
 */
@Override
public SanitizedContent renderStrict() {
  StringBuilder output = new StringBuilder();
  TemplateNode renderedTemplate =
      baseTofu.renderMain(
          output,
          templateName,
          data,
          ijData,
          activeDelPackageNames,
          msgBundle,
          idRenamingMap,
          cssRenamingMap,
          debugSoyTemplateInfo,
          pluginInstances);
  enforceContentKind(renderedTemplate);

  // Ordain with the expected kind, not the template's actual kind, so an HTML template
  // rendered as TEXT comes back as TEXT.
  String renderedText = output.toString();
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(renderedText, expectedContentKind);
}
/**
 * Renders into {@code appendable}, stores its string form in {@code content}, and sets
 * {@code resolved} from it.
 *
 * <p>When {@code kind} is non-null the rendered text is ordained as that kind with no further
 * escaping; when it is null the text is kept as plain {@code StringData}.
 *
 * <p>NOTE(review): {@code content} is everything {@code appendable.toString()} returns, so
 * anything already in the appendable before this call is presumably included in the ordained
 * value — confirm callers pass an empty one.
 *
 * @param appendable an Appendable whose {@code toString()} yields the appended text
 * @throws IOException declared for the {@code doRender} call on the appendable
 */
void doResolveOnto(Appendable appendable) throws IOException {
  doRender(appendable);
  content = appendable.toString();
  if (kind != null) {
    // Typed content: mark as already sanitized for its kind.
    resolved = UnsafeSanitizedContentOrdainer.ordainAsSafe(content, kind);
  } else {
    // Untyped content stays an ordinary string value.
    resolved = StringData.forValue(content);
  }
}