/**
 * Marks {@code knownSafeJson} as trusted JS content without inspecting it.
 *
 * <p>No parsing, validation or escaping happens here: the string is passed straight to
 * {@link UnsafeSanitizedContentOrdainer#ordainAsSafe} with {@code ContentKind.JS}, so the
 * caller is the one asserting that the text is well-formed, already-safe JSON.
 *
 * @param knownSafeJson JSON text the caller has already established is safe to emit inline
 * @return the same text wrapped as JS-kind sanitized content
 */
private static SanitizedContent ordainJson(String knownSafeJson) {
  final ContentKind trustedKind = ContentKind.JS;
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(knownSafeJson, trustedKind);
}
}
/**
 * Marks {@code knownSafeJson} as trusted JS content without inspecting it.
 *
 * <p>No parsing, validation or escaping happens here: the string is passed straight to
 * {@link UnsafeSanitizedContentOrdainer#ordainAsSafe} with {@code ContentKind.JS}, so the
 * caller is the one asserting that the text is well-formed, already-safe JSON.
 *
 * @param knownSafeJson JSON text the caller has already established is safe to emit inline
 * @return the same text wrapped as JS-kind sanitized content
 */
private static SanitizedContent ordainJson(String knownSafeJson) {
  final ContentKind trustedKind = ContentKind.JS;
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(knownSafeJson, trustedKind);
}
}
/**
 * Marks {@code knownSafeJson} as trusted JS content without inspecting it.
 *
 * <p>No parsing, validation or escaping happens here: the string is passed straight to
 * {@link UnsafeSanitizedContentOrdainer#ordainAsSafe} with {@code ContentKind.JS}, so the
 * caller is the one asserting that the text is well-formed, already-safe JSON.
 *
 * @param knownSafeJson JSON text the caller has already established is safe to emit inline
 * @return the same text wrapped as JS-kind sanitized content
 */
private static SanitizedContent ordainJson(String knownSafeJson) {
  final ContentKind trustedKind = ContentKind.JS;
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(knownSafeJson, trustedKind);
}
}
/**
 * Marks {@code knownSafeJson} as trusted JS content without inspecting it.
 *
 * <p>No parsing, validation or escaping happens here: the string is passed straight to
 * {@link UnsafeSanitizedContentOrdainer#ordainAsSafe} with {@code ContentKind.JS}, so the
 * caller is the one asserting that the text is well-formed, already-safe JSON.
 *
 * @param knownSafeJson JSON text the caller has already established is safe to emit inline
 * @return the same text wrapped as JS-kind sanitized content
 */
private static SanitizedContent ordainJson(String knownSafeJson) {
  final ContentKind trustedKind = ContentKind.JS;
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(knownSafeJson, trustedKind);
}
}
/**
 * Makes sure that the given input is a sip URI.
 *
 * <p>The value is accepted only when {@code EscapingConventions.FilterSipUri}'s value filter
 * finds a match; it is then ordained as URI content unchanged (escaping for the surrounding
 * context, e.g. HTML, happens later). Anything else is logged at WARNING and replaced by the
 * filter's innocuous output, so a rejected value never reaches the rendered page. Note that the
 * rejected value itself is written verbatim to the log.
 *
 * @param value the candidate sip URI
 * @return {@code value} as URI-kind content when it passes the filter, otherwise the filter's
 *     innocuous replacement as URI-kind content
 */
public static SanitizedContent filterSipUri(String value) {
  EscapingConventions.FilterSipUri filter = EscapingConventions.FilterSipUri.INSTANCE;
  boolean accepted = filter.getValueFilter().matcher(value).find();
  if (!accepted) {
    logger.log(Level.WARNING, "|filterSipUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        filter.getInnocuousOutput(), SanitizedContent.ContentKind.URI);
  }
  // NOTE: No need to escape. Escaping for other contexts (e.g. HTML) happen after this.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Makes sure that the given input is a sms URI.
 *
 * <p>The value is accepted only when {@code EscapingConventions.FilterSmsUri}'s value filter
 * finds a match; it is then ordained as URI content unchanged (escaping for the surrounding
 * context, e.g. HTML, happens later). Anything else is logged at WARNING and replaced by the
 * filter's innocuous output, so a rejected value never reaches the rendered page. Note that the
 * rejected value itself is written verbatim to the log.
 *
 * @param value the candidate sms URI
 * @return {@code value} as URI-kind content when it passes the filter, otherwise the filter's
 *     innocuous replacement as URI-kind content
 */
public static SanitizedContent filterSmsUri(String value) {
  EscapingConventions.FilterSmsUri filter = EscapingConventions.FilterSmsUri.INSTANCE;
  boolean accepted = filter.getValueFilter().matcher(value).find();
  if (!accepted) {
    logger.log(Level.WARNING, "|filterSmsUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        filter.getInnocuousOutput(), SanitizedContent.ContentKind.URI);
  }
  // NOTE: No need to escape. Escaping for other contexts (e.g. HTML) happen after this.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Makes sure that the given input is a tel URI.
 *
 * <p>The value is accepted only when {@code EscapingConventions.FilterTelUri}'s value filter
 * finds a match; it is then ordained as URI content unchanged (escaping for the surrounding
 * context, e.g. HTML, happens later). Anything else is logged at WARNING and replaced by the
 * filter's innocuous output, so a rejected value never reaches the rendered page. Note that the
 * rejected value itself is written verbatim to the log.
 *
 * @param value the candidate tel URI
 * @return {@code value} as URI-kind content when it passes the filter, otherwise the filter's
 *     innocuous replacement as URI-kind content
 */
public static SanitizedContent filterTelUri(String value) {
  EscapingConventions.FilterTelUri filter = EscapingConventions.FilterTelUri.INSTANCE;
  boolean accepted = filter.getValueFilter().matcher(value).find();
  if (!accepted) {
    logger.log(Level.WARNING, "|filterTelUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        filter.getInnocuousOutput(), SanitizedContent.ContentKind.URI);
  }
  // NOTE: No need to escape. Escaping for other contexts (e.g. HTML) happen after this.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Renders the web resources currently registered with {@code webResourceManager} and returns the
 * resulting markup as HTML-kind sanitized content.
 *
 * <p>The rendered markup is ordained as safe without any inspection here, so this relies on the
 * resource manager only emitting trusted markup (assumed — confirm against its contract).
 *
 * @param args not used; the function reads no template arguments
 * @return the included-resources markup, marked as HTML
 */
@Override
public SoyData computeForJava(List<SoyValue> args) {
  StringWriter markup = new StringWriter();
  webResourceManager.includeResources(markup, UrlMode.AUTO);
  String renderedTags = markup.toString();
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(
      renderedTags, SanitizedContent.ContentKind.HTML);
}
/**
 * Makes sure that the given input is a data URI corresponding to an image.
 *
 * <p>The value is accepted only when {@code EscapingConventions.FilterImageDataUri}'s value
 * filter finds a match; it is then ordained as URI content unchanged. Anything else is logged at
 * WARNING and replaced by the filter's innocuous output, so a rejected value never reaches the
 * rendered page. Note that the rejected value itself is written verbatim to the log.
 *
 * @param value the candidate image data URI
 * @return {@code value} as URI-kind content when it passes the filter, otherwise the filter's
 *     innocuous replacement as URI-kind content
 */
public static SanitizedContent filterImageDataUri(String value) {
  EscapingConventions.FilterImageDataUri filter = EscapingConventions.FilterImageDataUri.INSTANCE;
  boolean accepted = filter.getValueFilter().matcher(value).find();
  if (!accepted) {
    logger.log(Level.WARNING, "|filterImageDataUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        filter.getInnocuousOutput(), SanitizedContent.ContentKind.URI);
  }
  // NOTE: No need to escape.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Makes sure that the given input is a tel URI.
 *
 * <p>The value is accepted only when {@code EscapingConventions.FilterTelUri}'s value filter
 * finds a match; it is then ordained as URI content unchanged (escaping for the surrounding
 * context, e.g. HTML, happens later). Anything else is logged at WARNING and replaced by the
 * filter's innocuous output, so a rejected value never reaches the rendered page. Note that the
 * rejected value itself is written verbatim to the log.
 *
 * @param value the candidate tel URI
 * @return {@code value} as URI-kind content when it passes the filter, otherwise the filter's
 *     innocuous replacement as URI-kind content
 */
public static SanitizedContent filterTelUri(String value) {
  EscapingConventions.FilterTelUri filter = EscapingConventions.FilterTelUri.INSTANCE;
  boolean accepted = filter.getValueFilter().matcher(value).find();
  if (!accepted) {
    logger.log(Level.WARNING, "|filterTelUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        filter.getInnocuousOutput(), SanitizedContent.ContentKind.URI);
  }
  // NOTE: No need to escape. Escaping for other contexts (e.g. HTML) happen after this.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Makes sure that the given input is a data URI corresponding to an image.
 *
 * <p>The value is accepted only when {@code EscapingConventions.FilterImageDataUri}'s value
 * filter finds a match; it is then ordained as URI content unchanged. Anything else is logged at
 * WARNING and replaced by the filter's innocuous output, so a rejected value never reaches the
 * rendered page. Note that the rejected value itself is written verbatim to the log.
 *
 * @param value the candidate image data URI
 * @return {@code value} as URI-kind content when it passes the filter, otherwise the filter's
 *     innocuous replacement as URI-kind content
 */
public static SanitizedContent filterImageDataUri(String value) {
  EscapingConventions.FilterImageDataUri filter = EscapingConventions.FilterImageDataUri.INSTANCE;
  boolean accepted = filter.getValueFilter().matcher(value).find();
  if (!accepted) {
    logger.log(Level.WARNING, "|filterImageDataUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        filter.getInnocuousOutput(), SanitizedContent.ContentKind.URI);
  }
  // NOTE: No need to escape.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Makes sure that the given input is a sip URI.
 *
 * <p>The value is accepted only when {@code EscapingConventions.FilterSipUri}'s value filter
 * finds a match; it is then ordained as URI content unchanged (escaping for the surrounding
 * context, e.g. HTML, happens later). Anything else is logged at WARNING and replaced by the
 * filter's innocuous output, so a rejected value never reaches the rendered page. Note that the
 * rejected value itself is written verbatim to the log.
 *
 * @param value the candidate sip URI
 * @return {@code value} as URI-kind content when it passes the filter, otherwise the filter's
 *     innocuous replacement as URI-kind content
 */
public static SanitizedContent filterSipUri(String value) {
  EscapingConventions.FilterSipUri filter = EscapingConventions.FilterSipUri.INSTANCE;
  boolean accepted = filter.getValueFilter().matcher(value).find();
  if (!accepted) {
    logger.log(Level.WARNING, "|filterSipUri received bad value ''{0}''", value);
    return UnsafeSanitizedContentOrdainer.ordainAsSafe(
        filter.getInnocuousOutput(), SanitizedContent.ContentKind.URI);
  }
  // NOTE: No need to escape. Escaping for other contexts (e.g. HTML) happen after this.
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(value, ContentKind.URI);
}
/**
 * Faithfully assumes the provided value is "safe" and marks it not to be re-escaped. The value's
 * direction is assumed to be LTR for JS, URI, ATTRIBUTES, and CSS content, and otherwise unknown.
 *
 * <p>When you "ordain" a string as safe content, it means that Soy will NOT re-escape or validate
 * the contents if printed in the relevant context. You can use this to insert known-safe HTML
 * into a template via a parameter.
 *
 * <p>This doesn't do a lot of strict checking, but makes it easier to differentiate safe
 * constants in your code. Because nothing is validated here, the caller carries the full burden
 * of proving {@code value} is safe for {@code kind}.
 *
 * @param value the text to be trusted as-is
 * @param kind the content kind the text is claimed to be safe for
 * @return {@code value} wrapped as sanitized content of {@code kind}, with the kind's default
 *     direction
 */
public static SanitizedContent ordainAsSafe(String value, ContentKind kind) {
  // The direction is not a parameter here; it is derived from the kind's default.
  Dir defaultDir = kind.getDefaultDir();
  return ordainAsSafe(value, kind, defaultDir);
}
/**
 * Computes a bidi {@code dir} attribute for the first argument and returns it as
 * ATTRIBUTES-kind sanitized content.
 *
 * @param args {@code args.get(0)} is the text to inspect; an optional {@code args.get(1)}
 *     boolean says whether that text is HTML (absent means false)
 * @return the attribute text produced by {@code BidiFunctionsRuntime.bidiDirAttr}, marked as
 *     ATTRIBUTES content
 */
@Override
public SoyValue computeForJava(List<SoyValue> args) {
  SoyValue text = args.get(0);
  String dirAttribute =
      BidiFunctionsRuntime.bidiDirAttr(
          bidiGlobalDirProvider.get(),
          text,
          // Optional second argument: treat the text as HTML only when explicitly asked.
          args.size() == 2 && args.get(1).booleanValue());
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(dirAttribute, ContentKind.ATTRIBUTES);
}
/**
 * Resolves the value by writing it to appendable.
 *
 * <p>After rendering, the appendable's {@code toString()} result is stored in {@code content}
 * and {@code resolved} is set: plain {@code StringData} when no content kind is known, otherwise
 * sanitized content of {@code kind} (presumably because the block was already rendered for that
 * kind — confirm with the caller that sets {@code kind}).
 *
 * @param appendable An Appendable that you can call toString on to get the appended value
 * @throws IOException if {@code doRender} fails to write to the appendable
 */
void doResolveOnto(Appendable appendable) throws IOException {
  doRender(appendable);
  String rendered = appendable.toString();
  content = rendered;
  if (kind != null) {
    // A known kind means the text is trusted as that kind and must not be re-escaped.
    resolved = UnsafeSanitizedContentOrdainer.ordainAsSafe(rendered, kind);
  } else {
    resolved = StringData.forValue(rendered);
  }
}
/**
 * Normalizes the input HTML of a given directionality while preserving "safe" tags.
 *
 * <p>Tags outside {@code TagWhitelist.FORMATTING} plus the supplied optional safe tags are
 * stripped by {@code stripHtmlTags} before the result is ordained as HTML, so the whitelist is
 * the only thing standing between untrusted input and trusted output here.
 *
 * @param value the HTML to normalize
 * @param contentDir the directionality to record on the returned content
 * @param optionalSafeTags to add to the basic whitelist of formatting safe tags
 * @return the normalized input, in the form of {@link SanitizedContent} of {@link
 *     ContentKind#HTML}
 */
public static SanitizedContent cleanHtml(
    String value, Dir contentDir, Collection<? extends OptionalSafeTag> optionalSafeTags) {
  TagWhitelist whitelist = TagWhitelist.FORMATTING.withOptionalSafeTags(optionalSafeTags);
  String stripped = stripHtmlTags(value, whitelist, true);
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(stripped, ContentKind.HTML, contentDir);
}
/**
 * Renders the template and wraps the output in sanitized content of the template's declared
 * content kind.
 *
 * <p>The output is trusted as-is; the only guard is that the template declares a content kind,
 * which is what a strict-autoescaped template has.
 *
 * @return the rendered output, marked as the template's content kind
 * @throws IllegalArgumentException if the template has no content kind (not strict autoescape)
 */
@Override
public SanitizedContent renderAsSanitizedContent() {
  String rendered = render();
  // The no-caching registry is good enough to get content kind.
  SanitizedContent.ContentKind kind =
      baseTofu.templateRegistryForNoCaching.getBasicTemplate(templateName).getContentKind();
  if (kind == null) {
    throw new IllegalArgumentException(
        "renderAsSanitizedContent is only valid for templates with autoescape=\"strict\".");
  }
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(rendered, kind);
}
/**
 * Normalizes the input HTML of a given directionality while preserving "safe" tags.
 *
 * <p>Tags outside {@code TagWhitelist.FORMATTING} plus the supplied optional safe tags are
 * stripped by {@code stripHtmlTags} before the result is ordained as HTML, so the whitelist is
 * the only thing standing between untrusted input and trusted output here.
 *
 * @param value the HTML to normalize
 * @param contentDir the directionality to record on the returned content
 * @param optionalSafeTags to add to the basic whitelist of formatting safe tags
 * @return the normalized input, in the form of {@link SanitizedContent} of {@link
 *     ContentKind#HTML}
 */
public static SanitizedContent cleanHtml(
    String value, Dir contentDir, Collection<? extends OptionalSafeTag> optionalSafeTags) {
  TagWhitelist whitelist = TagWhitelist.FORMATTING.withOptionalSafeTags(optionalSafeTags);
  String stripped = stripHtmlTags(value, whitelist, true);
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(stripped, ContentKind.HTML, contentDir);
}
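/**
 * Computes a bidi {@code dir} attribute for the first argument and returns it as
 * ATTRIBUTES-kind sanitized content.
 *
 * <p>The optional-boolean handling is written as a short-circuit {@code &&}, which is what the
 * former ternary-with-false reduced to; this drops the {@code @SuppressWarnings} that only
 * existed to silence the "simplifiable conditional" lint.
 *
 * @param args {@code args.get(0)} is the text to inspect; an optional {@code args.get(1)}
 *     boolean says whether that text is HTML (absent means false)
 * @return the attribute text from the bidi formatter, marked as ATTRIBUTES content
 */
@Override
public SoyData compute(List<SoyData> args) {
  String text = args.get(0).stringValue();
  // Optional second argument: treat the text as HTML only when explicitly asked.
  boolean isHtml = args.size() == 2 && args.get(1).booleanValue();
  int bidiGlobalDir = bidiGlobalDirProvider.get().getStaticValue();
  return UnsafeSanitizedContentOrdainer.ordainAsSafe(
      SoyBidiUtils.getBidiFormatter(bidiGlobalDir).dirAttr(text, isHtml),
      SanitizedContent.ContentKind.ATTRIBUTES);
}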
/**
 * Evaluates a {@code let} content block and binds the result to the block's variable in the
 * current environment frame.
 *
 * <p>When the node declares a content kind, the rendered text is wrapped as sanitized content of
 * that kind rather than left as plain data.
 *
 * @param node the let-content node to evaluate
 */
@Override
protected void visitLetContentNode(LetContentNode node) {
  SoyData rendered = renderBlock(node);
  // If the let node has a content kind attribute, it will have been autoescaped in the
  // corresponding context by the strict contextual autoescaper. Hence, the result of evaluating
  // the let block is wrapped in SanitizedContent of the specified kind.
  // TODO: Consider adding mutable state to nodes that allows the contextual escaper to tag
  // nodes it has processed, and assert presence of this tag here.
  boolean hasDeclaredKind = node.getContentKind() != null;
  if (hasDeclaredKind) {
    rendered =
        UnsafeSanitizedContentOrdainer.ordainAsSafe(
            rendered.stringValue(), node.getContentKind());
  }
  env.peek().put(node.getVarName(), rendered);
}