74 lines
2.8 KiB
Java
74 lines
2.8 KiB
Java
/*
|
|
* Copyright (C) 2009 The Guava Authors
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package com.google.common.html;
|
|
|
|
import com.google.common.annotations.Beta;
|
|
import com.google.common.annotations.GwtCompatible;
|
|
import com.google.common.escape.Escaper;
|
|
import com.google.common.escape.Escapers;
|
|
|
|
/**
|
|
* {@code Escaper} instances suitable for strings to be included in HTML
|
|
* attribute values and <em>most</em> elements' text contents. When possible,
|
|
* avoid manual escaping by using templating systems and high-level APIs that
|
|
* provide autoescaping.
|
|
*
|
|
* <p>
|
|
* HTML escaping is particularly tricky: For example,
|
|
* <a href="http://goo.gl/5TgZb">some elements' text contents must not be HTML
|
|
* escaped</a>. As a result, it is impossible to escape an HTML document
|
|
* correctly without domain-specific knowledge beyond what {@code HtmlEscapers}
|
|
* provides. We strongly encourage the use of HTML templating systems.
|
|
*
|
|
* @author Sven Mawson
|
|
* @author David Beaumont
|
|
* @since 15.0
|
|
*/
|
|
@Beta
|
|
@GwtCompatible
|
|
public final class HtmlEscapers {
|
|
/**
|
|
* Returns an {@link Escaper} instance that escapes HTML metacharacters as
|
|
* specified by <a href="http://www.w3.org/TR/html4/">HTML 4.01</a>. The
|
|
* resulting strings can be used both in attribute values and in <em>most</em>
|
|
* elements' text contents, provided that the HTML document's character encoding
|
|
* can encode any non-ASCII code points in the input (as UTF-8 and other Unicode
|
|
* encodings can).
|
|
*
|
|
*
|
|
* <p>
|
|
* <b>Note</b>: This escaper only performs minimal escaping to make content
|
|
* structurally compatible with HTML. Specifically, it does not perform entity
|
|
* replacement (symbolic or numeric), so it does not replace non-ASCII code
|
|
* points with character references. This escaper escapes only the following
|
|
* five ASCII characters: {@code '"&<>}.
|
|
*/
|
|
public static Escaper htmlEscaper() {
|
|
return HTML_ESCAPER;
|
|
}
|
|
|
|
// For each xxxEscaper() method, please add links to external reference pages
|
|
// that are considered authoritative for the behavior of that escaper.
|
|
|
|
private static final Escaper HTML_ESCAPER = Escapers.builder().addEscape('"', """)
|
|
// Note: "'" is not defined in HTML 4.01.
|
|
.addEscape('\'', "'").addEscape('&', "&").addEscape('<', "<").addEscape('>', ">").build();
|
|
|
|
private HtmlEscapers() {
|
|
}
|
|
}
|