private static final String CLASSNAME = "v-view";
+ public static final String NOTIFICATION_HTML_CONTENT_ALLOWED = "usehtml";
+
private String theme;
private Paintable layout;
for (final Iterator<?> it = childUidl.getChildIterator(); it
.hasNext();) {
final UIDL notification = (UIDL) it.next();
+ boolean htmlContentAllowed = notification
+ .hasAttribute(NOTIFICATION_HTML_CONTENT_ALLOWED);
String html = "";
if (notification.hasAttribute("icon")) {
final String parsedUri = client
html += "<img src=\"" + parsedUri + "\" />";
}
if (notification.hasAttribute("caption")) {
- html += "<h1>"
- + notification.getStringAttribute("caption")
- + "</h1>";
+ String caption = notification
+ .getStringAttribute("caption");
+ if (!htmlContentAllowed) {
+ caption = Util.escapeHTML(caption);
+ caption = caption.replaceAll("\\n", "<br />");
+ }
+ html += "<h1>" + caption + "</h1>";
}
if (notification.hasAttribute("message")) {
- html += "<p>"
- + notification.getStringAttribute("message")
- + "</p>";
+ String message = notification
+ .getStringAttribute("message");
+ if (!htmlContentAllowed) {
+ message = Util.escapeHTML(message);
+ message = message.replaceAll("\\n", "<br />");
+ }
+ html += "<p>" + message + "</p>";
}
final String style = notification.hasAttribute("style") ? notification
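Review bot: The escape-then-`<br />` sequence is written twice, once for the caption and once for the message, so a later change to the escaping (say, handling `\r\n` or a different break tag) must be applied in two places or the two texts will diverge; a small helper that takes the text and the `htmlContentAllowed` flag removes the duplication. It is also worth a comment on the `hasAttribute(NOTIFICATION_HTML_CONTENT_ALLOWED)` line that the attribute is absent on the wire when the server-side flag is false, so "absent" is the escaping path and a server that never sets it gets plain-text rendering by default. The `<img src="...">` built from `parsedUri` a few lines below is pre-existing and still not escaped, which is fine only if that value is never attacker-controlled; that is outside this commit but worth confirming. The enclosing method starts and ends outside the hunk, so the helper would be added as a sibling method of the class.
```java
final UIDL notification = (UIDL) it.next();
// Absent attribute == server flag false: caption/message are escaped below.
boolean htmlContentAllowed = notification
        .hasAttribute(NOTIFICATION_HTML_CONTENT_ALLOWED);
// … unchanged: icon handling …
if (notification.hasAttribute("caption")) {
    html += "<h1>"
            + toHtml(notification.getStringAttribute("caption"),
                    htmlContentAllowed) + "</h1>";
}
if (notification.hasAttribute("message")) {
    html += "<p>"
            + toHtml(notification.getStringAttribute("message"),
                    htmlContentAllowed) + "</p>";
}
// … unchanged: style handling …

/**
 * Returns the text as-is when raw html was explicitly allowed, otherwise
 * html-escaped with newlines turned into line breaks.
 */
private static String toHtml(String text, boolean htmlContentAllowed) {
    if (htmlContentAllowed) {
        return text;
    }
    return Util.escapeHTML(text).replaceAll("\\n", "<br />");
}
```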
if (n.getIcon() != null) {
target.addAttribute("icon", n.getIcon());
}
+ if (n.isHtmlContentAllowed()) {
+ target.addAttribute(
+ VView.NOTIFICATION_HTML_CONTENT_ALLOWED, true);
+ }
target.addAttribute("position", n.getPosition());
target.addAttribute("delay", n.getDelayMsec());
if (n.getStyleName() != null) {
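Review bot: The new `usehtml` attribute is only painted when `isHtmlContentAllowed()` is true, so the client's decision to escape rests on the attribute being absent; that contract is implicit here and in the client code, and a one-line comment on the new `if` would keep a future change from "helpfully" always sending the attribute with a boolean value the client does not read, `// Only sent when true: an absent attribute makes the client escape caption/description`. The enclosing paint method starts and ends outside the hunk.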
* Shows a notification message on the middle of the window. The message
* automatically disappears ("humanized message").
*
+ * Care should be taken to to avoid XSS vulnerabilities as the caption is
+ * rendered as html.
+ *
* @see #showNotification(com.vaadin.ui.Window.Notification)
* @see Notification
*
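Review bot: The added Javadoc sentence reads "Care should be taken to to avoid XSS vulnerabilities", with "to" doubled; the same sentence is repeated in the three following Window hunks and in the four Notification constructor hunks (the ones ending at "The message to show", "The type of message" and "The message description"), so the typo should be fixed in all of them. The wording here also states that the caption "is rendered as html" unconditionally, whereas the Notification constructor docs in this commit say "by default rendered as html"; since the new `showNotification(..., boolean htmlContentAllowed)` overload and `Notification#setHtmlContentAllowed(boolean)` now exist, it would be clearer for these overloads to say `Care should be taken to avoid XSS vulnerabilities as the caption is by default rendered as html; see {@link Notification#setHtmlContentAllowed(boolean)}.`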
* message depends on the type, which is one of the basic types defined in
* {@link Notification}, for instance Notification.TYPE_WARNING_MESSAGE.
*
+ * Care should be taken to to avoid XSS vulnerabilities as the caption is
+ * rendered as html.
+ *
* @see #showNotification(com.vaadin.ui.Window.Notification)
* @see Notification
*
* description on the middle of the window. The message automatically
* disappears ("humanized message").
*
+ * Care should be taken to to avoid XSS vulnerabilities as the caption and
+ * description are rendered as html.
+ *
* @see #showNotification(com.vaadin.ui.Window.Notification)
* @see Notification
*
* type, which is one of the basic types defined in {@link Notification},
* for instance Notification.TYPE_WARNING_MESSAGE.
*
+ * Care should be taken to to avoid XSS vulnerabilities as the caption and
+ * description are rendered as html.
+ *
* @see #showNotification(com.vaadin.ui.Window.Notification)
* @see Notification
*
addNotification(new Notification(caption, description, type));
}
+ /**
+ * Shows a notification consisting of a bigger caption and a smaller
+ * description. The position and behavior of the message depends on the
+ * type, which is one of the basic types defined in {@link Notification},
+ * for instance Notification.TYPE_WARNING_MESSAGE.
+ *
+ * Care should be taken to avoid XSS vulnerabilities if html content is
+ * allowed.
+ *
+ * @see #showNotification(com.vaadin.ui.Window.Notification)
+ * @see Notification
+ *
+ * @param caption
+ * The message caption
+ * @param description
+ * The message description
+ * @param type
+ * The type of message
+ * @param htmlContentAllowed
+ * Whether html in the caption and description should be
+ * displayed as html or as plain text
+ */
+ public void showNotification(String caption, String description, int type,
+ boolean htmlContentAllowed) {
+ addNotification(new Notification(caption, description, type,
+ htmlContentAllowed));
+ }
+
/**
* Shows a notification message.
*
private int position = POSITION_CENTERED;
private int delayMsec = 0;
private String styleName;
+ private boolean htmlContentAllowed;
/**
* Creates a "humanized" notification message.
*
+ * Care should be taken to to avoid XSS vulnerabilities as the caption
+ * is by default rendered as html.
+ *
* @param caption
* The message to show
*/
/**
* Creates a notification message of the specified type.
*
+ * Care should be taken to to avoid XSS vulnerabilities as the caption
+ * is by default rendered as html.
+ *
* @param caption
* The message to show
* @param type
* Creates a "humanized" notification message with a bigger caption and
* smaller description.
*
+ * Care should be taken to to avoid XSS vulnerabilities as the caption
+ * and description are by default rendered as html.
+ *
* @param caption
* The message caption
* @param description
* Creates a notification message of the specified type, with a bigger
* caption and smaller description.
*
+ * Care should be taken to to avoid XSS vulnerabilities as the caption
+ * and description are by default rendered as html.
+ *
* @param caption
* The message caption
* @param description
* The type of message
*/
public Notification(String caption, String description, int type) {
+ this(caption, description, type, true);
+ }
+
+ /**
+ * Creates a notification message of the specified type, with a bigger
+ * caption and smaller description.
+ *
+ * Care should be taken to to avoid XSS vulnerabilities if html is
+ * allowed.
+ *
+ * @param caption
+ * The message caption
+ * @param description
+ * The message description
+ * @param type
+ * The type of message
+ * @param htmlContentAllowed
+ * Whether html in the caption and description should be
+ * displayed as html or as plain text
+ */
+ public Notification(String caption, String description, int type,
+ boolean htmlContentAllowed) {
this.caption = caption;
this.description = description;
+ this.htmlContentAllowed = htmlContentAllowed;
setType(type);
}
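Review bot: The three-argument constructor now delegates with `true`, which keeps existing callers rendering caption and description as raw html; that is the backward-compatible choice, but it means the safe behaviour is opt-in, and the constructor's Javadoc only says "by default rendered as html" without saying how to opt out. A one-line addition to the existing Javadoc, `Equivalent to {@code Notification(caption, description, type, true)}; use {@link #setHtmlContentAllowed(boolean)} or the four-argument constructor to have the texts escaped.`, makes the choice explicit for callers passing user-supplied text. The new four-argument constructor's Javadoc also carries the doubled "to to".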
public String getStyleName() {
return styleName;
}
+
+ /**
+ * Sets whether html is allowed in the caption and description. If set
+ * to true, the texts are passed to the browser as html and the
+ * developer is responsible for ensuring no harmful html is used. If set
+ * to false, the texts are passed to the browser as plain text.
+ *
+ * @param htmlContentAllowed
+ * true if the texts are used as html, false if used as plain
+ * text
+ */
+ public void setHtmlContentAllowed(boolean htmlContentAllowed) {
+ this.htmlContentAllowed = htmlContentAllowed;
+ }
+
+ /**
+ * Checks whether caption and description are interpreted as html or
+ * plain text.
+ *
+ * @return true if the texts are used as html, false if used as plain
+ * text
+ * @see #setHtmlContentAllowed(boolean)
+ */
+ public boolean isHtmlContentAllowed() {
+ return htmlContentAllowed;
+ }
}
/**
--- /dev/null
+package com.vaadin.tests.components.notification;\r
+\r
+import com.vaadin.tests.components.TestBase;\r
+import com.vaadin.ui.Button;\r
+import com.vaadin.ui.Button.ClickEvent;\r
+import com.vaadin.ui.Button.ClickListener;\r
+import com.vaadin.ui.CheckBox;\r
+import com.vaadin.ui.TextArea;\r
+import com.vaadin.ui.TextField;\r
+import com.vaadin.ui.Window.Notification;\r
+\r
+public class NotificationsHtmlAllowed extends TestBase implements ClickListener {\r
+\r
+ private TextArea messageField;\r
+ private CheckBox htmlAllowedBox;\r
+ private TextField captionField;\r
+\r
+ @Override\r
+ protected void setup() {\r
+ captionField = new TextField("Caption", "Hello <u>world</u>");\r
+ addComponent(captionField);\r
+ messageField = new TextArea("Message",\r
+ "Hello <i>world</i>\nWith a newline <br/>And a html line break");\r
+ messageField.setRows(10);\r
+ addComponent(messageField);\r
+ htmlAllowedBox = new CheckBox("Html content allowed", true);\r
+ addComponent(htmlAllowedBox);\r
+ Button showNotification = new Button("Show notification", this);\r
+ addComponent(showNotification);\r
+ }\r
+\r
+ @Override\r
+ protected String getDescription() {\r
+ return "Test case for htmlAllowed in notifications";\r
+ }\r
+\r
+ @Override\r
+ protected Integer getTicketNumber() {\r
+ return 6097;\r
+ }\r
+\r
+ public void buttonClick(ClickEvent event) {\r
+ Notification n = new Notification((String) captionField.getValue(),\r
+ (String) messageField.getValue(),\r
+ Notification.TYPE_HUMANIZED_MESSAGE,\r
+ htmlAllowedBox.booleanValue());\r
+ event.getButton().getWindow().showNotification(n);\r
+\r
+ }\r
+}\r
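Review bot: The new test file is added with CRLF line endings (the `\r` visible on every line), while the other files touched by this commit use LF; normalising it to LF avoids whole-file diffs the next time an editor rewrites the endings. A smaller point of style in `buttonClick`: the listener method lacks `@Override` while the other overrides in the class carry it — allowed on interface implementations from Java 6 onward, so add it if the project targets that level. The test exercises both flag values through the checkbox, which is what the commit needs; a short comment on the default text, `// Contains markup so the escaped and html-rendered cases are visibly different`, would explain why the sample strings carry tags.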