/**
 * Wraps a compile-time constant string in a SafeUrl.
 *
 * <p>This method does no runtime validation or sanitization of its own: {@code url} is handed to
 * {@code create} exactly as given. The value is assumed to comply with the SafeUrl contract
 * because, being a compile-time constant, it is under application control.
 *
 * @param url the compile-time constant URL string to wrap, used verbatim
 * @return the SafeUrl produced by {@code create(url)}
 */
public static SafeUrl fromConstant(@CompileTimeConstant final String url) {
  final SafeUrl wrapped = create(url);
  return wrapped;
}
/**
 * Rebuilds a SafeUrl from its protocol-message form.
 *
 * <p>Protocol-message forms are meant to be opaque: their fields are encapsulated and should not
 * be inspected or manipulated directly. A message passed here should have been produced by
 * {@link #toProto(SafeUrl)} or by its equivalent in another implementation language.
 *
 * <p><b>Important:</b> it is unsafe to call this method on a protocol message received from an
 * entity outside the application's trust domain. Data coming from the browser is outside that
 * trust domain. This method reads the wrapped value from the message and passes it straight to
 * {@code create}; it performs no check of its own on that value.
 *
 * @param proto the protocol message to unwrap; must originate inside the trust domain
 * @return the SafeUrl produced by {@code create} from the wrapped value
 */
public static SafeUrl fromProto(SafeUrlProto proto) {
  String wrappedValue = proto.getPrivateDoNotAccessOrElseSafeUrlWrappedValue();
  return create(wrappedValue);
}
/**
 * Builds a SafeUrl from {@code url} after checking it against a pattern of commonly used safe
 * URLs.
 *
 * <p>{@code url} is sanitized as in {@link #sanitize(String)}, except that the custom schemes
 * listed in {@code extraAllowedSchemes} are permitted as well. A {@code url} that fails the
 * check is not wrapped; {@link SafeUrl#INNOCUOUS}, which contains the innocuous string
 * {@link SafeUrl#INNOCUOUS_STRING}, is returned in its place.
 *
 * @param url the candidate URL string
 * @param extraAllowedSchemes custom schemes to accept in addition to the default ones
 * @return a SafeUrl wrapping {@code url} if it passes validation, otherwise
 *     {@link SafeUrl#INNOCUOUS}
 */
public static SafeUrl sanitize(String url, Set<CustomSafeUrlScheme> extraAllowedSchemes) {
  return isSafeUrl(url, extraAllowedSchemes) ? create(url) : SafeUrl.INNOCUOUS;
}
/**
 * Builds a base-64 {@code data:text/html} URL whose content is taken from the given
 * {@code SafeHtml} object.
 *
 * <p>The HTML string is encoded as UTF-8 and the resulting bytes are then base-64 encoded, giving
 * a URL that starts with {@code data:text/html;charset=UTF-8;base64,}. The string obtained from
 * {@code html} is used as-is; this method adds no validation of its own.
 *
 * @param html the SafeHtml whose string form becomes the URL's content
 * @return the SafeUrl produced by {@code create} for the assembled data URL
 * @throws RuntimeException wrapping an {@code UnsupportedEncodingException} if the
 *     {@code "UTF-8"} charset name is not supported, which is not expected to happen
 * @see <a href="http://tools.ietf.org/html/rfc2397">RFC 2397</a>
 * @see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/data_URIs">MDN: data URIs</a>
 */
public static SafeUrl createHtmlDataUrlBase64(SafeHtml html) {
  final byte[] utf8Bytes;
  try {
    // getBytes(String) is used instead of getBytes(Charset) because older Android SDKs have no
    // java.nio.charset.StandardCharsets.
    utf8Bytes = html.getSafeHtmlString().getBytes("UTF-8");
  } catch (UnsupportedEncodingException e) {
    // Should never happen.
    throw new RuntimeException(e);
  }
  String payload = BaseEncoding.base64().encode(utf8Bytes);
  return create("data:text/html;charset=UTF-8;base64," + payload);
}
/**
 * Builds a percent-encoded {@code data:text/html} URL whose content is taken from the given
 * {@code SafeHtml} object.
 *
 * <p>The content of the resulting {@code data}-scheme URL is UTF-8-encoded, with non-ASCII
 * characters written using the standard %xx hex encoding. The URL starts with
 * {@code data:text/html;charset=UTF-8,}. The string obtained from {@code html} is only escaped;
 * this method adds no validation of its own.
 *
 * @param html the SafeHtml whose string form becomes the URL's content
 * @return the SafeUrl produced by {@code create} for the assembled data URL
 * @see <a href="http://tools.ietf.org/html/rfc2397">RFC 2397</a>
 * @see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/data_URIs">MDN: data URIs</a>
 */
public static SafeUrl createHtmlDataUrl(SafeHtml html) {
  // urlPathSegmentEscaper is the escaper of choice here: every other Escaper turns a space into
  // "+" rather than "%20", and the browser renders that as a literal "+" instead of a space.
  String escapedHtml = UrlEscapers.urlPathSegmentEscaper().escape(html.getSafeHtmlString());
  return create("data:text/html;charset=UTF-8," + escapedHtml);
}