Javadoc
A string-like object that represents JavaScript code and carries the security type
contract that its value, as a string, will not cause execution of unconstrained
attacker-controlled code (XSS) when evaluated as JavaScript in a browser.
A SafeScript's string representation (getSafeScriptString()) can safely be interpolated
as the content of a script element within HTML. The SafeScript string should not be escaped
before interpolation.
Note that the SafeScript might contain text that is attacker-controlled but that text should
have been interpolated with appropriate escaping, sanitization and/or validation into the right
location in the script, such that it is highly constrained in its effect (for example, it had to
match a set of whitelisted words).
A SafeScript can be constructed via security-reviewed unchecked conversions. In this case
producers of SafeScript must themselves ensure that the SafeScript does not contain unsafe
script. Note in particular that < is dangerous, even when inside JavaScript strings,
and so should always be forbidden or JavaScript-escaped (for example as \x3c or \u003c) in
user-controlled input. For example, if "</script><script>evil</script>" were interpolated
inside a JavaScript string, it would break out of the context of the original script element
and evil would execute, because the HTML parser ends the script element at the first
"</script" regardless of JavaScript string boundaries. Also note that within an HTML script
(raw text) element, HTML character references, such as &lt;, are not decoded and so cannot
be used as an escaping mechanism: they reach the JavaScript parser as literal text. See
http://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements.
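The following is an added example, not code from the safe-html-types library, showing what a producer of a SafeScript via an unchecked conversion has to guarantee for the two cases described above: an attacker-controlled value interpolated into a JavaScript string literal (JavaScript-escaped, never HTML-entity-escaped), and a value constrained to a set of whitelisted words. All function names (jsStringEscape, breaksOutOfScriptElement, constrainedKeyword, buildScriptUnsafe, buildScriptSafe, evalScript) and the userTag/sortOrder variables are illustrative assumptions; the breakout string is the one from the text above.

```javascript
// Added example (not the safe-html-types project's code). Function and
// variable names are illustrative assumptions.

// Escape a string for use inside a double-quoted JavaScript string literal
// that will sit in an HTML <script> element. Every character that could end
// the string literal, end the script element (`<`), or end the line
// (U+2028 and U+2029 are line terminators in JavaScript) is written as a
// \uXXXX JavaScript escape. HTML character references are deliberately not
// used: inside a script element `&lt;` is not decoded and would reach the
// JavaScript parser as the five literal characters `&lt;`.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>&\u0000-\u001f\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// True if this text, placed inside a <script> element, would end the element
// early or change how its end tag is matched. HTML treats script contents as
// raw text, so JavaScript string boundaries are irrelevant: an end tag
// `</script` followed by whitespace, `/` or `>` closes the element, and the
// `<!--` / `<script` sequences are disallowed by the spec section linked
// above because they alter how `</script>` is recognised.
function breaksOutOfScriptElement(text) {
  return /<\/script[\t\n\f \/>]/i.test(text) || /<!--|<script/i.test(text);
}

// Allow-list validation for a value that must be one of a fixed set of
// words. The attacker value is never copied through; the matching allow-list
// entry (or the fallback) is, so its effect is fully constrained.
function constrainedKeyword(value, allowed, fallback) {
  const match = allowed.find((word) => word === value);
  return match === undefined ? fallback : match;
}

// The unsafe producer: attacker values dropped into string literals verbatim.
function buildScriptUnsafe(userTag, sortOrder) {
  return 'var userTag = "' + userTag + '";\n' +
         'var sortOrder = "' + sortOrder + '";';
}

// The safe producer: one value JavaScript-escaped, the other allow-listed.
function buildScriptSafe(userTag, sortOrder) {
  return 'var userTag = "' + jsStringEscape(userTag) + '";\n' +
         'var sortOrder = "' +
         constrainedKeyword(sortOrder, ["asc", "desc"], "asc") + '";';
}

// Run a script body outside a browser and read the two variables back, to
// confirm that the escaped literal decodes to the original attacker string.
function evalScript(body) {
  return new Function(body + "\nreturn { userTag: userTag, sortOrder: sortOrder };")();
}

// Constructed sample input: the breakout string from the description above.
const EVIL = '</script><script>evil</script>"';

if (typeof require !== "undefined" && require.main === module) {
  console.log(breaksOutOfScriptElement(buildScriptUnsafe(EVIL, "asc"))); // true
  console.log(breaksOutOfScriptElement(buildScriptSafe(EVIL, "asc")));   // false
  console.log(evalScript(buildScriptSafe(EVIL, "desc")));
}
```

The check in breaksOutOfScriptElement is a useful last line of defence in a producer, but the escaping is what makes the interpolation correct: the escaped script still yields the original attacker string at runtime (evalScript shows this), only now it cannot terminate the element, the string literal, or the line it sits on.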