lib/goog/html/uncheckedconversions.js

1// Copyright 2013 The Closure Library Authors. All Rights Reserved.
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS-IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15/**
16 * @fileoverview Unchecked conversions to create values of goog.html types from
17 * plain strings. Use of these functions could potentially result in instances
18 * of goog.html types that violate their type contracts, and hence result in
19 * security vulnerabilties.
20 *
21 * Therefore, all uses of the methods herein must be carefully security
22 * reviewed. Avoid use of the methods in this file whenever possible; instead
23 * prefer to create instances of goog.html types using inherently safe builders
24 * or template systems.
25 *
26 *
27 * @visibility {//closure/goog/html:approved_for_unchecked_conversion}
28 * @visibility {//closure/goog/bin/sizetests:__pkg__}
29 */
30
31
32goog.provide('goog.html.uncheckedconversions');
33
34goog.require('goog.asserts');
35goog.require('goog.html.SafeHtml');
36goog.require('goog.html.SafeScript');
37goog.require('goog.html.SafeStyle');
38goog.require('goog.html.SafeStyleSheet');
39goog.require('goog.html.SafeUrl');
40goog.require('goog.html.TrustedResourceUrl');
41goog.require('goog.string');
42goog.require('goog.string.Const');
43
44
45/**
46 * Performs an "unchecked conversion" to SafeHtml from a plain string that is
47 * known to satisfy the SafeHtml type contract.
48 *
49 * IMPORTANT: Uses of this method must be carefully security-reviewed to ensure
50 * that the value of {@code html} satisfies the SafeHtml type contract in all
51 * possible program states.
52 *
53 *
54 * @param {!goog.string.Const} justification A constant string explaining why
55 * this use of this method is safe. May include a security review ticket
56 * number.
57 * @param {string} html A string that is claimed to adhere to the SafeHtml
58 * contract.
59 * @param {?goog.i18n.bidi.Dir=} opt_dir The optional directionality of the
60 * SafeHtml to be constructed. A null or undefined value signifies an
61 * unknown directionality.
62 * @return {!goog.html.SafeHtml} The value of html, wrapped in a SafeHtml
63 * object.
64 * @suppress {visibility} For access to SafeHtml.create... Note that this
65 * use is appropriate since this method is intended to be "package private"
66 * withing goog.html. DO NOT call SafeHtml.create... from outside this
67 * package; use appropriate wrappers instead.
68 */
69goog.html.uncheckedconversions.safeHtmlFromStringKnownToSatisfyTypeContract =
70 function(justification, html, opt_dir) {
71 // unwrap() called inside an assert so that justification can be optimized
72 // away in production code.
73 goog.asserts.assertString(goog.string.Const.unwrap(justification),
74 'must provide justification');
75 goog.asserts.assert(
76 !goog.string.isEmptyOrWhitespace(goog.string.Const.unwrap(justification)),
77 'must provide non-empty justification');
78 return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
79 html, opt_dir || null);
80};
81
82
83/**
84 * Performs an "unchecked conversion" to SafeScript from a plain string that is
85 * known to satisfy the SafeScript type contract.
86 *
87 * IMPORTANT: Uses of this method must be carefully security-reviewed to ensure
88 * that the value of {@code script} satisfies the SafeScript type contract in
89 * all possible program states.
90 *
91 *
92 * @param {!goog.string.Const} justification A constant string explaining why
93 * this use of this method is safe. May include a security review ticket
94 * number.
95 * @param {string} script The string to wrap as a SafeScript.
96 * @return {!goog.html.SafeScript} The value of {@code script}, wrapped in a
97 * SafeScript object.
98 */
99goog.html.uncheckedconversions.safeScriptFromStringKnownToSatisfyTypeContract =
100 function(justification, script) {
101 // unwrap() called inside an assert so that justification can be optimized
102 // away in production code.
103 goog.asserts.assertString(goog.string.Const.unwrap(justification),
104 'must provide justification');
105 goog.asserts.assert(
106 !goog.string.isEmpty(goog.string.Const.unwrap(justification)),
107 'must provide non-empty justification');
108 return goog.html.SafeScript.createSafeScriptSecurityPrivateDoNotAccessOrElse(
109 script);
110};
111
112
113/**
114 * Performs an "unchecked conversion" to SafeStyle from a plain string that is
115 * known to satisfy the SafeStyle type contract.
116 *
117 * IMPORTANT: Uses of this method must be carefully security-reviewed to ensure
118 * that the value of {@code style} satisfies the SafeUrl type contract in all
119 * possible program states.
120 *
121 *
122 * @param {!goog.string.Const} justification A constant string explaining why
123 * this use of this method is safe. May include a security review ticket
124 * number.
125 * @param {string} style The string to wrap as a SafeStyle.
126 * @return {!goog.html.SafeStyle} The value of {@code style}, wrapped in a
127 * SafeStyle object.
128 */
129goog.html.uncheckedconversions.safeStyleFromStringKnownToSatisfyTypeContract =
130 function(justification, style) {
131 // unwrap() called inside an assert so that justification can be optimized
132 // away in production code.
133 goog.asserts.assertString(goog.string.Const.unwrap(justification),
134 'must provide justification');
135 goog.asserts.assert(
136 !goog.string.isEmptyOrWhitespace(goog.string.Const.unwrap(justification)),
137 'must provide non-empty justification');
138 return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(
139 style);
140};
141
142
143/**
144 * Performs an "unchecked conversion" to SafeStyleSheet from a plain string
145 * that is known to satisfy the SafeStyleSheet type contract.
146 *
147 * IMPORTANT: Uses of this method must be carefully security-reviewed to ensure
148 * that the value of {@code styleSheet} satisfies the SafeUrl type contract in
149 * all possible program states.
150 *
151 *
152 * @param {!goog.string.Const} justification A constant string explaining why
153 * this use of this method is safe. May include a security review ticket
154 * number.
155 * @param {string} styleSheet The string to wrap as a SafeStyleSheet.
156 * @return {!goog.html.SafeStyleSheet} The value of {@code styleSheet}, wrapped
157 * in a SafeStyleSheet object.
158 */
159goog.html.uncheckedconversions.
160 safeStyleSheetFromStringKnownToSatisfyTypeContract =
161 function(justification, styleSheet) {
162 // unwrap() called inside an assert so that justification can be optimized
163 // away in production code.
164 goog.asserts.assertString(goog.string.Const.unwrap(justification),
165 'must provide justification');
166 goog.asserts.assert(
167 !goog.string.isEmptyOrWhitespace(goog.string.Const.unwrap(justification)),
168 'must provide non-empty justification');
169 return goog.html.SafeStyleSheet.
170 createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(styleSheet);
171};
172
173
174/**
175 * Performs an "unchecked conversion" to SafeUrl from a plain string that is
176 * known to satisfy the SafeUrl type contract.
177 *
178 * IMPORTANT: Uses of this method must be carefully security-reviewed to ensure
179 * that the value of {@code url} satisfies the SafeUrl type contract in all
180 * possible program states.
181 *
182 *
183 * @param {!goog.string.Const} justification A constant string explaining why
184 * this use of this method is safe. May include a security review ticket
185 * number.
186 * @param {string} url The string to wrap as a SafeUrl.
187 * @return {!goog.html.SafeUrl} The value of {@code url}, wrapped in a SafeUrl
188 * object.
189 */
190goog.html.uncheckedconversions.safeUrlFromStringKnownToSatisfyTypeContract =
191 function(justification, url) {
192 // unwrap() called inside an assert so that justification can be optimized
193 // away in production code.
194 goog.asserts.assertString(goog.string.Const.unwrap(justification),
195 'must provide justification');
196 goog.asserts.assert(
197 !goog.string.isEmptyOrWhitespace(goog.string.Const.unwrap(justification)),
198 'must provide non-empty justification');
199 return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(url);
200};
201
202
203/**
204 * Performs an "unchecked conversion" to TrustedResourceUrl from a plain string
205 * that is known to satisfy the TrustedResourceUrl type contract.
206 *
207 * IMPORTANT: Uses of this method must be carefully security-reviewed to ensure
208 * that the value of {@code url} satisfies the TrustedResourceUrl type contract
209 * in all possible program states.
210 *
211 *
212 * @param {!goog.string.Const} justification A constant string explaining why
213 * this use of this method is safe. May include a security review ticket
214 * number.
215 * @param {string} url The string to wrap as a TrustedResourceUrl.
216 * @return {!goog.html.TrustedResourceUrl} The value of {@code url}, wrapped in
217 * a TrustedResourceUrl object.
218 */
219goog.html.uncheckedconversions.
220 trustedResourceUrlFromStringKnownToSatisfyTypeContract =
221 function(justification, url) {
222 // unwrap() called inside an assert so that justification can be optimized
223 // away in production code.
224 goog.asserts.assertString(goog.string.Const.unwrap(justification),
225 'must provide justification');
226 goog.asserts.assert(
227 !goog.string.isEmptyOrWhitespace(goog.string.Const.unwrap(justification)),
228 'must provide non-empty justification');
229 return goog.html.TrustedResourceUrl.
230 createTrustedResourceUrlSecurityPrivateDoNotAccessOrElse(url);
231};