html.TrustedResourceUrl Extends
A URL which is under application control and from which script, CSS, and other resources that represent executable code, can be fetched. Given that the URL can only be constructed from strings under application control and is used to load resources, bugs resulting in a malformed URL should not have a security impact and are likely to be easily detectable during testing. Given the wide number of non-RFC compliant URLs in use, stricter validation could prevent some applications from being able to use this type. Instances of this type must be created via the factory method, ( goog.html.TrustedResourceUrl.fromConstant), and not by invoking its constructor. The constructor intentionally takes no parameters and the type is immutable; hence only a default instance corresponding to the empty string can be obtained via constructor invocation.

Inheritance

Constructor

goog.html.TrustedResourceUrl()

Instance Methods

Public Protected Private
getDirection()
Returns this URLs directionality, which is always LTR.
code »
getTypedStringValue()
Returns this TrustedResourceUrl's value as a string. IMPORTANT: In code where it is security relevant that an object's type is indeed TrustedResourceUrl, use goog.html.TrustedResourceUrl.unwrap instead of this method. If in doubt, assume that it's security relevant. In particular, note that goog.html functions which return a goog.html type do not guarantee that the returned instance is of the right type. For example:
var fakeSafeHtml = new String('fake');
fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype;
var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml);
// newSafeHtml is just an alias for fakeSafeHtml, it's passed through by
// goog.html.SafeHtml.htmlEscape() as fakeSafeHtml instanceof
// goog.html.SafeHtml.
code »
toString()
Returns a debug string-representation of this value. To obtain the actual string value wrapped in a TrustedResourceUrl, use goog.html.TrustedResourceUrl.unwrap.
code »

Instance Properties

TRUSTED_RESOURCE_URL_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ :
A type marker used to implement additional run-time type checking.
Code »
implementsGoogI18nBidiDirectionalString :
No description.
Code »
implementsGoogStringTypedString :
No description.
Code »
privateDoNotAccessOrElseTrustedResourceUrlWrappedValue_ :
The contained value of this TrustedResourceUrl. The field has a purposely ugly name to make (non-compiled) code that attempts to directly access this field stand out.
Code »

Static Methods

goog.html.TrustedResourceUrl.createTrustedResourceUrlSecurityPrivateDoNotAccessOrElse_(url) !goog.html.TrustedResourceUrl
Utility method to create TrustedResourceUrl instances. This function is considered "package private", i.e. calls (using "suppress visibility") from other files within this package are considered acceptable. DO NOT call this function from outside the goog.html package; use appropriate wrappers instead.
Arguments:
url : string
The string to initialize the TrustedResourceUrl object with.
Returns: !goog.html.TrustedResourceUrl  The initialized TrustedResourceUrl object.
code »
goog.html.TrustedResourceUrl.fromConstant(url) !goog.html.TrustedResourceUrl
Creates a TrustedResourceUrl object from a compile-time constant string. Compile-time constant strings are inherently program-controlled and hence trusted.
Arguments:
url : !goog.string.Const
A compile-time-constant string from which to create a TrustedResourceUrl.
Returns: !goog.html.TrustedResourceUrl  A TrustedResourceUrl object initialized to url.
code »
goog.html.TrustedResourceUrl.unwrap(trustedResourceUrl) string
Performs a runtime check that the provided object is indeed a TrustedResourceUrl object, and returns its value.
Arguments:
trustedResourceUrl : !goog.html.TrustedResourceUrl
The object to extract from.
Returns: string  The trustedResourceUrl object's contained string, unless the run-time type check fails. In that case, unwrap returns an innocuous string, or, if assertions are enabled, throws goog.asserts.AssertionError.
code »

Static Properties

goog.html.TrustedResourceUrl.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ :
Type marker for the TrustedResourceUrl type, used to implement additional run-time type checking.
Code »

Package html

Package Reference