From 8cb9c059a9d4e68521e44d17fd3be98bc605b519 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Leif=20=C3=85strand?= Date: Wed, 10 Aug 2011 11:09:20 +0000 Subject: [PATCH] #6097 Window.showNotification should support plain text in addition to Html svn changeset:20263/svn branch:6.7 --- .../vaadin/terminal/gwt/client/ui/VView.java | 24 +++- src/com/vaadin/ui/Window.java | 106 ++++++++++++++++++ .../NotificationsHtmlAllowed.html | 56 +++++++++ .../NotificationsHtmlAllowed.java | 50 +++++++++ 4 files changed, 230 insertions(+), 6 deletions(-) create mode 100644 tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.html create mode 100644 tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.java diff --git a/src/com/vaadin/terminal/gwt/client/ui/VView.java b/src/com/vaadin/terminal/gwt/client/ui/VView.java index 9f1acb52fe..eba6036deb 100644 --- a/src/com/vaadin/terminal/gwt/client/ui/VView.java +++ b/src/com/vaadin/terminal/gwt/client/ui/VView.java @@ -47,6 +47,8 @@ public class VView extends SimplePanel implements Container, ResizeHandler, private static final String CLASSNAME = "v-view"; + public static final String NOTIFICATION_HTML_CONTENT_ALLOWED = "usehtml"; + private String theme; private Paintable layout; @@ -320,6 +322,8 @@ public class VView extends SimplePanel implements Container, ResizeHandler, for (final Iterator it = childUidl.getChildIterator(); it .hasNext();) { final UIDL notification = (UIDL) it.next(); + boolean htmlContentAllowed = notification + .hasAttribute(NOTIFICATION_HTML_CONTENT_ALLOWED); String html = ""; if (notification.hasAttribute("icon")) { final String parsedUri = client @@ -328,14 +332,22 @@ public class VView extends SimplePanel implements Container, ResizeHandler, html += ""; } if (notification.hasAttribute("caption")) { - html += "

" - + notification.getStringAttribute("caption") - + "

"; + String caption = notification + .getStringAttribute("caption"); + if (!htmlContentAllowed) { + caption = Util.escapeHTML(caption); + caption = caption.replaceAll("\\n", "
"); + } + html += "

" + caption + "

"; } if (notification.hasAttribute("message")) { - html += "

" - + notification.getStringAttribute("message") - + "

"; + String message = notification + .getStringAttribute("message"); + if (!htmlContentAllowed) { + message = Util.escapeHTML(message); + message = message.replaceAll("\\n", "
"); + } + html += "

" + message + "

"; } final String style = notification.hasAttribute("style") ? notification diff --git a/src/com/vaadin/ui/Window.java b/src/com/vaadin/ui/Window.java index 989a8288e2..a16b6d585d 100644 --- a/src/com/vaadin/ui/Window.java +++ b/src/com/vaadin/ui/Window.java @@ -663,6 +663,10 @@ public class Window extends Panel implements URIHandler, ParameterHandler, if (n.getIcon() != null) { target.addAttribute("icon", n.getIcon()); } + if (n.isHtmlContentAllowed()) { + target.addAttribute( + VView.NOTIFICATION_HTML_CONTENT_ALLOWED, true); + } target.addAttribute("position", n.getPosition()); target.addAttribute("delay", n.getDelayMsec()); if (n.getStyleName() != null) { @@ -1597,6 +1601,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * Shows a notification message on the middle of the window. The message * automatically disappears ("humanized message"). * + * Care should be taken to to avoid XSS vulnerabilities as the caption is + * rendered as html. + * * @see #showNotification(com.vaadin.ui.Window.Notification) * @see Notification * @@ -1612,6 +1619,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * message depends on the type, which is one of the basic types defined in * {@link Notification}, for instance Notification.TYPE_WARNING_MESSAGE. * + * Care should be taken to to avoid XSS vulnerabilities as the caption is + * rendered as html. + * * @see #showNotification(com.vaadin.ui.Window.Notification) * @see Notification * @@ -1629,6 +1639,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * description on the middle of the window. The message automatically * disappears ("humanized message"). * + * Care should be taken to to avoid XSS vulnerabilities as the caption and + * description are rendered as html. + * * @see #showNotification(com.vaadin.ui.Window.Notification) * @see Notification * 
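Review bot: The escape-then-newline-replacement sequence is written out twice in this hunk, once for `caption` and once for `message`, so a later change to one branch (for instance to the escaping or to the substituted markup) can silently miss the other. A small `private static String toNotificationHtml(String text, boolean htmlContentAllowed)` in VView that returns `text` untouched when html is allowed and otherwise applies `Util.escapeHTML` followed by the same `replaceAll("\\n", ...)` would collapse both branches to a single call and keep them identical. The order used here, escape first and substitute the line-break markup second, is the correct one; reversing it would escape the inserted markup, so a one-line comment stating that order is intentional would protect it. The enclosing notification loop begins before this hunk and the icon branch is outside it, so I cannot see whether the icon URI receives comparable treatment.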
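Review bot: The Javadoc paragraph added in this hunk reads `Care should be taken to to avoid XSS vulnerabilities` with a doubled "to"; the same wording is repeated in the hunks at -1612, -1629, -1648, -1787, -1800, -1813 and -1821, while the new overload at -1662 has it right. Each occurrence should become `* Care should be taken to avoid XSS vulnerabilities as the caption is` (keeping the rest of the sentence as written). Since these are the overloads that keep rendering caller-supplied text as html, it would also help readers to point them at the opt-out with `@see #showNotification(String, String, int, boolean)` in Window and `@see #setHtmlContentAllowed(boolean)` in the Notification constructors.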
@@ -1648,6 +1661,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler,
 * type, which is one of the basic types defined in {@link Notification},
 * for instance Notification.TYPE_WARNING_MESSAGE.
 *
+ * Care should be taken to to avoid XSS vulnerabilities as the caption and
+ * description are rendered as html.
+ *
 * @see #showNotification(com.vaadin.ui.Window.Notification)
 * @see Notification
 *
@@ -1662,6 +1678,34 @@ public class Window extends Panel implements URIHandler, ParameterHandler,
 addNotification(new Notification(caption, description, type));
 }
 
+ /**
+ * Shows a notification consisting of a bigger caption and a smaller
+ * description. The position and behavior of the message depends on the
+ * type, which is one of the basic types defined in {@link Notification},
+ * for instance Notification.TYPE_WARNING_MESSAGE.
+ *
+ * Care should be taken to avoid XSS vulnerabilities if html content is
+ * allowed.
+ *
+ * @see #showNotification(com.vaadin.ui.Window.Notification)
+ * @see Notification
+ *
+ * @param caption
+ * The message caption
+ * @param description
+ * The message description
+ * @param type
+ * The type of message
+ * @param htmlContentAllowed
+ * Whether html in the caption and description should be
+ * displayed as html or as plain text
+ */
+ public void showNotification(String caption, String description, int type,
+ boolean htmlContentAllowed) {
+ addNotification(new Notification(caption, description, type,
+ htmlContentAllowed));
+ }
+
 /**
 * Shows a notification message.
 *
@@ -1787,6 +1835,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler,
 /**
 * Creates a notification message of the specified type.
 *
+ * Care should be taken to to avoid XSS vulnerabilities as the caption
+ * is by default rendered as html.
+ *
 * @param caption
 * The message to show
 * @param type
@@ -1800,6 +1851,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler,
 * Creates a "humanized" notification message with a bigger caption and
 * smaller description.
 *
+ * Care should be taken to to avoid XSS vulnerabilities as the caption
+ * and description are by default rendered as html.
+ *
 * @param caption
 * The message caption
 * @param description
@@ -1813,6 +1867,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler,
 * Creates a notification message of the specified type, with a bigger
 * caption and smaller description.
 *
+ * Care should be taken to to avoid XSS vulnerabilities as the caption
+ * and description are by default rendered as html.
+ *
 * @param caption
 * The message caption
 * @param description
@@ -1821,8 +1878,31 @@ public class Window extends Panel implements URIHandler, ParameterHandler,
 * The type of message
 */
 public Notification(String caption, String description, int type) {
+ this(caption, description, type, true);
+ }
+
+ /**
+ * Creates a notification message of the specified type, with a bigger
+ * caption and smaller description.
+ *
+ * Care should be taken to to avoid XSS vulnerabilities if html is
+ * allowed.
+ *
+ * @param caption
+ * The message caption
+ * @param description
+ * The message description
+ * @param type
+ * The type of message
+ * @param htmlContentAllowed
+ * Whether html in the caption and description should be
+ * displayed as html or as plain text
+ */
+ public Notification(String caption, String description, int type,
+ boolean htmlContentAllowed) {
 this.caption = caption;
 this.description = description;
+ this.htmlContentAllowed = htmlContentAllowed;
 setType(type);
 }
 
@@ -1980,6 +2060,32 @@ public class Window extends Panel implements URIHandler, ParameterHandler,
 public String getStyleName() {
 return styleName;
 }
+
+ /**
+ * Sets whether html is allowed in the caption and description. If set
+ * to true, the texts are passed to the browser as html and the
+ * developer is responsible for ensuring no harmful html is used. If set
+ * to false, the texts are passed to the browser as plain text.
+ *
+ * @param htmlContentAllowed
+ * true if the texts are used as html, false if used as plain
+ * text
+ */
+ public void setHtmlContentAllowed(boolean htmlContentAllowed) {
+ this.htmlContentAllowed = htmlContentAllowed;
+ }
+
+ /**
+ * Checks whether caption and description are interpreted as html or
+ * plain text.
+ *
+ * @return true if the texts are used as html, false if used as plain
+ * text
+ * @see #setHtmlContentAllowed(boolean)
+ */
+ public boolean isHtmlContentAllowed() {
+ return htmlContentAllowed;
+ }
 }
 
 /**
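Review bot: `setHtmlContentAllowed`'s Javadoc says that with `false` the texts are "passed to the browser as plain text", but the client side in VView (hunk at -328) escapes the text and then turns each newline into line-break markup, so newlines are still rendered as breaks rather than literally; the 4-argument constructor and `showNotification(..., boolean)` describe the same behaviour as "displayed ... as plain text". Suggest `* to false, the texts are escaped so they display literally, with newlines shown as line breaks.` for the setter and a matching phrase on the two `@param htmlContentAllowed` entries. Because `Notification(String, String, int)` now delegates with `true`, html remains the default for every pre-existing constructor; the escaping only applies to callers who opt in, which is worth stating once on the class Javadoc rather than only per constructor. The class-level Javadoc of Notification is outside this hunk.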
diff --git a/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.html b/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.html new file mode 100644 index 0000000000..a6a40224f7 --- /dev/null +++ b/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.html @@ -0,0 +1,56 @@ + + + + + + +New Test + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NotificationsHtmlAllowed
open/run/com.vaadin.tests.components.notification.NotificationsHtmlAllowed?restartApplication
clickvaadin=runcomvaadintestscomponentsnotificationNotificationsHtmlAllowed::/VVerticalLayout[0]/ChildComponentContainer[1]/VVerticalLayout[0]/ChildComponentContainer[3]/VButton[0]/domChild[0]/domChild[0]
screenCapturehtml
closeNotification//body/div[2]0,0
mouseClickvaadin=runcomvaadintestscomponentsnotificationNotificationsHtmlAllowed::/VVerticalLayout[0]/ChildComponentContainer[1]/VVerticalLayout[0]/ChildComponentContainer[2]/VCheckBox[0]/domChild[0]66,2
clickvaadin=runcomvaadintestscomponentsnotificationNotificationsHtmlAllowed::/VVerticalLayout[0]/ChildComponentContainer[1]/VVerticalLayout[0]/ChildComponentContainer[3]/VButton[0]/domChild[0]/domChild[0]
screenCapture
plain
closeNotification//body/div[2]0,0
+ + diff --git a/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.java b/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.java new file mode 100644 index 0000000000..58f6c12f44 --- /dev/null +++ b/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.java @@ -0,0 +1,50 @@ +package com.vaadin.tests.components.notification; + +import com.vaadin.tests.components.TestBase; +import com.vaadin.ui.Button; +import com.vaadin.ui.Button.ClickEvent; +import com.vaadin.ui.Button.ClickListener; +import com.vaadin.ui.CheckBox; +import com.vaadin.ui.TextArea; +import com.vaadin.ui.TextField; +import com.vaadin.ui.Window.Notification; + +public class NotificationsHtmlAllowed extends TestBase implements ClickListener { + + private TextArea messageField; + private CheckBox htmlAllowedBox; + private TextField captionField; + + @Override + protected void setup() { + captionField = new TextField("Caption", "Hello world"); + addComponent(captionField); + messageField = new TextArea("Message", + "Hello world\nWith a newline
And a html line break"); + messageField.setRows(10); + addComponent(messageField); + htmlAllowedBox = new CheckBox("Html content allowed", true); + addComponent(htmlAllowedBox); + Button showNotification = new Button("Show notification", this); + addComponent(showNotification); + } + + @Override + protected String getDescription() { + return "Test case for htmlAllowed in notifications"; + } + + @Override + protected Integer getTicketNumber() { + return 6097; + } + + public void buttonClick(ClickEvent event) { + Notification n = new Notification((String) captionField.getValue(), + (String) messageField.getValue(), + Notification.TYPE_HUMANIZED_MESSAGE, + htmlAllowedBox.booleanValue()); + event.getButton().getWindow().showNotification(n); + + } +} -- 2.39.5
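Review bot: `buttonClick` only exercises the 4-argument `Notification` constructor; the new `Window.showNotification(String, String, int, boolean)` overload and the `setHtmlContentAllowed` setter (hunks at -1662 and -1980 in Window.java) have no test path. A second button, or a check box selecting whether the flag is passed to the constructor or applied via the setter, would cover both entry points with the same caption and message fields. The blank line before the closing brace of `buttonClick` is a leftover and can be removed.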