/
HtmlEscapers.java
executable file
·69 lines (63 loc) · 2.95 KB
/
HtmlEscapers.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
/*
* Copyright (C) 2009 The Guava Authors
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
* in compliance with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License
* is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
* or implied. See the License for the specific language governing permissions and limitations under
* the License.
*/
package com.google.common.html;
import com.google.common.annotations.GwtCompatible;
import com.google.common.escape.Escaper;
import com.google.common.escape.Escapers;
/**
* {@code Escaper} instances suitable for strings to be included in HTML attribute values and
* <em>most</em> elements' text contents. When possible, avoid manual escaping by using templating
* systems and high-level APIs that provide autoescaping.
* One Google-authored templating system available for external use is <a
* href="https://developers.google.com/closure/templates/">Closure Templates</a>.
*
* <p>HTML escaping is particularly tricky: For example, <a href="http://goo.gl/5TgZb">some
* elements' text contents must not be HTML escaped</a>. As a result, it is impossible to escape an
* HTML document correctly without domain-specific knowledge beyond what {@code HtmlEscapers}
* provides. We strongly encourage the use of HTML templating systems.
*
* @author Sven Mawson
* @author David Beaumont
* @since 15.0
*/
@GwtCompatible
public final class HtmlEscapers {
/**
* Returns an {@link Escaper} instance that escapes HTML metacharacters as specified by <a
* href="http://www.w3.org/TR/html4/">HTML 4.01</a>. The resulting strings can be used both in
* attribute values and in <em>most</em> elements' text contents, provided that the HTML
* document's character encoding can encode any non-ASCII code points in the input (as UTF-8 and
* other Unicode encodings can).
*
* <p><b>Note:</b> This escaper only performs minimal escaping to make content structurally
* compatible with HTML. Specifically, it does not perform entity replacement (symbolic or
* numeric), so it does not replace non-ASCII code points with character references. This escaper
* escapes only the following five ASCII characters: {@code '"&<>}.
*/
public static Escaper htmlEscaper() {
return HTML_ESCAPER;
}
// For each xxxEscaper() method, please add links to external reference pages
// that are considered authoritative for the behavior of that escaper.
private static final Escaper HTML_ESCAPER =
Escapers.builder()
.addEscape('"', """)
// Note: "'" is not defined in HTML 4.01.
.addEscape('\'', "'")
.addEscape('&', "&")
.addEscape('<', "<")
.addEscape('>', ">")
.build();
private HtmlEscapers() {}
}