goog.html.SafeHtml.create
, goog.html.SafeHtml.htmlEscape
),
etc and not by invoking its constructor. The constructor intentionally
takes no parameters and the type is immutable; hence only a default instance
corresponding to the empty string can be obtained via constructor invocation.
goog.html.SafeHtml |
![]()
No description.
|
code » | |
![]()
Returns this SafeHtml's value a string.
IMPORTANT: In code where it is security relevant that an object's type is
indeed
SafeHtml , use goog.html.SafeHtml.unwrap instead of
this method. If in doubt, assume that it's security relevant. In particular,
note that goog.html functions which return a goog.html type do not guarantee
that the returned instance is of the right type. For example:
var fakeSafeHtml = new String('fake'); fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype; var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml); // newSafeHtml is just an alias for fakeSafeHtml, it's passed through by // goog.html.SafeHtml.htmlEscape() as fakeSafeHtml // instanceof goog.html.SafeHtml. |
code » | |
![]()
Returns a debug string-representation of this value.
To obtain the actual string value wrapped in a SafeHtml, use
goog.html.SafeHtml.unwrap .
|
code » |
![]()
A type marker used to implement additional run-time type checking.
|
Code » | |
![]()
This SafeHtml's directionality, or null if unknown.
|
Code » | |
![]()
No description.
|
Code » | |
![]()
No description.
|
Code » | |
![]()
The contained value of this SafeHtml. The field has a purposely ugly
name to make (non-compiled) code that attempts to directly access this
field stand out.
|
Code » |
Creates a new SafeHtml object by concatenating the values.
Arguments:
|
code » | |||||
Creates a new SafeHtml object with known directionality by concatenating the
values.
Arguments:
|
code » | |||||
Creates a SafeHtml content consisting of a tag with optional attributes and
optional content.
For convenience tag names and attribute names are accepted as regular
strings, instead of goog.string.Const. Nevertheless, you should not pass
user-controlled values to these parameters. Note that these parameters are
syntactically validated at runtime, and invalid values will result in
an exception.
Example usage:
goog.html.SafeHtml.create('br');
goog.html.SafeHtml.create('div', {'class': 'a'});
goog.html.SafeHtml.create('p', {}, 'a');
goog.html.SafeHtml.create('p', {}, goog.html.SafeHtml.create('br'));
goog.html.SafeHtml.create('span', {
'style': {'margin': '0'}
});
Arguments:
Returns: !goog.html.SafeHtml
The SafeHtml content with the tag.
|
code » | |||||
Utility method to create SafeHtml instances.
This function is considered "package private", i.e. calls (using "suppress
visibility") from other files within this package are considered acceptable.
DO NOT call this function from outside the goog.html package; use appropriate
wrappers instead.
Arguments:
Returns: !goog.html.SafeHtml
The initialized SafeHtml object.
|
code » | |||||
Creates a SafeHtml content with known directionality consisting of a tag with
optional attributes and optional content.
Arguments:
Returns: !goog.html.SafeHtml
The SafeHtml content with the tag.
|
code » | |||||
Use goog.html.SafeHtml.htmlEscape.
Coerces an arbitrary object into a SafeHtml object.
If
textOrHtml is already of type goog.html.SafeHtml , the same
object is returned. Otherwise, textOrHtml is coerced to string, and
HTML-escaped. If textOrHtml is of a type that implements
goog.i18n.bidi.DirectionalString , its directionality, if known, is
preserved.
Arguments:
Returns: !goog.html.SafeHtml
The resulting SafeHtml object.
|
code » | |||||
Gets value allowed in "style" attribute.
Arguments:
Returns: string
Unwrapped value.
|
code » | |||||
Returns HTML-escaped text as a SafeHtml object.
If text is of a type that implements
goog.i18n.bidi.DirectionalString , the directionality of the new
SafeHtml object is set to text 's directionality, if known.
Otherwise, the directionality of the resulting SafeHtml is unknown (i.e.,
null ).
Arguments:
Returns: !goog.html.SafeHtml
The escaped text, wrapped as a SafeHtml.
|
code » | |||||
Returns HTML-escaped text as a SafeHtml object, with newlines changed to
<br>.
Arguments:
Returns: !goog.html.SafeHtml
The escaped text, wrapped as a SafeHtml.
|
code » | |||||
Performs a runtime check that the provided object is indeed a SafeHtml
object, and returns its value.
Arguments:
Returns: string
The SafeHtml object's contained string, unless the run-time
type check fails. In that case,
unwrap returns an innocuous
string, or, if assertions are enabled, throws
goog.asserts.AssertionError .
|
code » |
![]()
No description.
|
Code » | |
A SafeHtml instance corresponding to the empty string.
|
Code » | |
![]()
Set of tag names that are too dangerous.
|
Code » | |
![]()
Type marker for the SafeHtml type, used to implement additional run-time
type checking.
|
Code » | |
![]()
Shorthand for union of types that can sensibly be converted to strings
or might already be SafeHtml (as SafeHtml is a goog.string.TypedString).
|
Code » | |
![]()
Set of attributes containing URL as defined at
http://www.w3.org/TR/html5/index.html#attributes-1.
|
Code » | |
![]()
No description.
|
Code » |