import com.vaadin.terminal.ErrorMessage;
import com.vaadin.terminal.PaintException;
import com.vaadin.terminal.PaintTarget;
+import com.vaadin.terminal.gwt.server.AbstractApplicationServlet;
/**
* Interface that implements a method for validating if an {@link Object} is
/**
* Exception that is thrown by a {@link Validator} when a value is invalid.
*
+ * <p>
+ * The default implementation of InvalidValueException does not support HTML
+ * in error messages. To enable HTML support, override
+ * {@link #getHtmlMessage()} and use the subclass in validators.
+ * </p>
+ *
* @author IT Mill Ltd.
* @version
* @VERSION@
target.addAttribute("level", "error");
// Error message
- final String message = getLocalizedMessage();
+ final String message = getHtmlMessage();
if (message != null) {
target.addText(message);
}
target.endTag("error");
}
+ /**
+ * Returns the message of the error in HTML.
+ *
+ * Note that this API may change in future versions.
+ */
+ protected String getHtmlMessage() {
+ return AbstractApplicationServlet
+ .safeEscapeForHtml(getLocalizedMessage());
+ }
+
/*
* (non-Javadoc)
*
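Review bot: getHtmlMessage() hands a possibly-null getLocalizedMessage() straight to AbstractApplicationServlet.safeEscapeForHtml, while the caller in paint() still relies on `if (message != null)` to skip a message-less exception; whether the helper passes null through, throws, or returns the text "null" is not visible here. Guarding before escaping keeps that contract explicit: `final String msg = getLocalizedMessage();` `return msg == null ? null : AbstractApplicationServlet.safeEscapeForHtml(msg);`. The Javadoc should also say what an override takes on, e.g. `Overriding implementations must return escaped or otherwise trusted markup; the result is written to the client without further escaping.` The enclosing paint() starts before the hunk.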
* (converted to string using {@link #toString()}) or "null" if the value is
* null.
* </p>
+ * <p>
+ * The default implementation of AbstractValidator does not support HTML in
+ * error messages. To enable HTML support, override
+ * {@link InvalidValueException#getHtmlMessage()} and throw such exceptions from
+ * {@link #validate(Object)}.
+ * </p>
*
* @author IT Mill Ltd.
* @version
import java.io.PrintWriter;
import java.io.StringWriter;
+import com.vaadin.terminal.gwt.server.AbstractApplicationServlet;
+
/**
* <code>SystemError</code> is a runtime exception caused by error in system.
* The system error can be shown to the user as it implements
* <code>ErrorMessage</code> interface, but contains technical information such
* as stack trace and exception.
*
+ * SystemError does not support HTML in error messages or stack traces. If HTML
+ * messages are required, use {@link UserError} or a custom implementation of
+ * {@link ErrorMessage}.
+ *
* @author IT Mill Ltd.
* @version
* @VERSION@
target.startTag("error");
target.addAttribute("level", "system");
+ String message = getHtmlMessage();
+
+ target.addXMLSection("div", message,
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd");
+
+ target.endTag("error");
+
+ }
+
+ /**
+ * Returns the message of the error in HTML.
+ *
+ * Note that this API may change in future versions.
+ */
+ protected String getHtmlMessage() {
StringBuilder sb = new StringBuilder();
final String message = getLocalizedMessage();
if (message != null) {
sb.append("<h2>");
- sb.append(message);
+ sb.append(AbstractApplicationServlet.safeEscapeForHtml(message));
sb.append("</h2>");
}
final StringWriter buffer = new StringWriter();
cause.printStackTrace(new PrintWriter(buffer));
sb.append("<pre>");
- sb.append(buffer.toString());
+ sb.append(AbstractApplicationServlet.safeEscapeForHtml(buffer
+ .toString()));
sb.append("</pre>");
}
-
- target.addXMLSection("div", sb.toString(),
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd");
-
- target.endTag("error");
-
+ return sb.toString();
}
/**
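Review bot: getHtmlMessage() still places the full stack trace of cause, built by `cause.printStackTrace(new PrintWriter(buffer))` into the `<pre>` block, in the markup sent to the client; escaping it removes the markup-injection problem but not the disclosure of class names, paths and call structure to whoever sees the error. Since the method is now protected and overridable, its Javadoc should state that: `The returned HTML contains the localized message and the full stack trace of the cause; override this method to omit the trace where the error is shown to end users.` The `}` after the `</pre>` append closes a block whose opening is not in the hunk, so I cannot confirm a null guard on cause; without one, `cause.printStackTrace` throws for a SystemError constructed without a cause. paint() and the class header lie outside the hunk.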
package com.vaadin.terminal;
+import com.vaadin.terminal.gwt.server.AbstractApplicationServlet;
+
/**
* <code>UserError</code> is a controlled error occurred in application. User
* errors are occur in normal usage of the application and guide the user.
*/
public static final int CONTENT_UIDL = 2;
+ /**
+ * Content mode, where the error contains XHTML.
+ */
+ public static final int CONTENT_XHTML = 3;
+
/**
* Content mode.
*/
level = errorLevel;
}
- /* Documenten in interface */
+ /* Documented in interface */
public int getErrorLevel() {
return level;
}
- /* Documenten in interface */
+ /* Documented in interface */
public void addListener(RepaintRequestListener listener) {
}
- /* Documenten in interface */
+ /* Documented in interface */
public void removeListener(RepaintRequestListener listener) {
}
- /* Documenten in interface */
+ /* Documented in interface */
public void requestRepaint() {
}
- /* Documenten in interface */
+ /* Documented in interface */
public void paint(PaintTarget target) throws PaintException {
target.startTag("error");
// Paint the message
switch (mode) {
case CONTENT_TEXT:
- target.addText(msg);
+ target.addText(AbstractApplicationServlet.safeEscapeForHtml(msg));
break;
case CONTENT_UIDL:
target.addUIDL(msg);
break;
case CONTENT_PREFORMATTED:
- target.startTag("pre");
+ target.addText("<pre>"
+ + AbstractApplicationServlet.safeEscapeForHtml(msg)
+ + "</pre>");
+ break;
+ case CONTENT_XHTML:
target.addText(msg);
- target.endTag("pre");
+ break;
}
target.endTag("error");
}
- /* Documenten in interface */
+ /* Documented in interface */
public void requestRepaintRequests() {
}
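Review bot: the new CONTENT_XHTML branch writes msg to the client unescaped, which is clearly the intent but is nowhere stated: the Javadoc on the constant (in the earlier hunk adding `public static final int CONTENT_XHTML = 3;`) reads only `Content mode, where the error contains XHTML.` It should name the trust boundary, e.g. `The message is written to the client as-is, without escaping, and must therefore not be built from untrusted input.` The pre-existing CONTENT_UIDL branch has the same property and deserves the same sentence. CONTENT_TEXT and CONTENT_PREFORMATTED now call safeEscapeForHtml(msg) with no null check on msg; whether the helper accepts null is not visible here, and the constructor that assigns msg is outside the hunk.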
/**
* <p>
- * Gets the component's description. The description can be used to briefly
- * describe the state of the component to the user. The description string
- * may contain certain XML tags:
+ * Gets the component's description, used in tooltips and can be displayed
+ * directly in certain other components such as forms. The description can
+ * be used to briefly describe the state of the component to the user. The
+ * description string may contain certain XML tags:
* </p>
*
* <p>
* {@link com.vaadin.terminal.Paintable.RepaintRequestEvent
* RepaintRequestEvent}.
*
+ * The description is displayed as HTML/XHTML in tooltips or directly in
+ * certain components so care should be taken to avoid creating the
+ * possibility for HTML injection and possibly XSS vulnerabilities.
+ *
* @param description
* the new description string for the component.
*/
* Creates a new empty panel with caption. Default layout is used.
*
* @param caption
- * the caption used in the panel.
+ * the caption used in the panel (HTML/XHTML).
*/
public Panel(String caption) {
this(caption, null);
* Creates a new empty panel with the given caption and content.
*
* @param caption
- * the caption of the panel.
+ * the caption of the panel (HTML/XHTML).
* @param content
* the content used in the panel.
*/
setCaption(caption);
}
+ /**
+ * Sets the caption of the panel.
+ *
+ * Note that the caption is interpreted as HTML/XHTML and therefore care
+ * should be taken not to enable HTML injection and XSS attacks using panel
+ * captions. This behavior may change in future versions.
+ *
+ * @see AbstractComponent#setCaption(String)
+ */
+ @Override
+ public void setCaption(String caption) {
+ super.setCaption(caption);
+ }
+
/**
* Gets the current layout of the panel.
*