author | Leif Åstrand <leif@vaadin.com> | 2011-08-10 11:09:20 +0000 |
---|---|---|
committer | Leif Åstrand <leif@vaadin.com> | 2011-08-10 11:09:20 +0000 |
commit | 8cb9c059a9d4e68521e44d17fd3be98bc605b519 (patch) | |
tree | efc20efd846cdc694b7325f2529cd9751c315d7f | |
parent | e23d78f8be9c3ce471bab9d43ef8c875902a0686 (diff) | |
#6097 Window.showNotification should support plain text in addition to Html
svn changeset:20263/svn branch:6.7
4 files changed, 230 insertions, 6 deletions
diff --git a/src/com/vaadin/terminal/gwt/client/ui/VView.java b/src/com/vaadin/terminal/gwt/client/ui/VView.java index 9f1acb52fe..eba6036deb 100644 --- a/src/com/vaadin/terminal/gwt/client/ui/VView.java +++ b/src/com/vaadin/terminal/gwt/client/ui/VView.java @@ -47,6 +47,8 @@ public class VView extends SimplePanel implements Container, ResizeHandler, private static final String CLASSNAME = "v-view"; + public static final String NOTIFICATION_HTML_CONTENT_ALLOWED = "usehtml"; + private String theme; private Paintable layout; @@ -320,6 +322,8 @@ public class VView extends SimplePanel implements Container, ResizeHandler, for (final Iterator<?> it = childUidl.getChildIterator(); it .hasNext();) { final UIDL notification = (UIDL) it.next(); + boolean htmlContentAllowed = notification + .hasAttribute(NOTIFICATION_HTML_CONTENT_ALLOWED); String html = ""; if (notification.hasAttribute("icon")) { final String parsedUri = client @@ -328,14 +332,22 @@ public class VView extends SimplePanel implements Container, ResizeHandler, html += "<img src=\"" + parsedUri + "\" />"; } if (notification.hasAttribute("caption")) { - html += "<h1>" - + notification.getStringAttribute("caption") - + "</h1>"; + String caption = notification + .getStringAttribute("caption"); + if (!htmlContentAllowed) { + caption = Util.escapeHTML(caption); + caption = caption.replaceAll("\\n", "<br />"); + } + html += "<h1>" + caption + "</h1>"; } if (notification.hasAttribute("message")) { - html += "<p>" - + notification.getStringAttribute("message") - + "</p>"; + String message = notification + .getStringAttribute("message"); + if (!htmlContentAllowed) { + message = Util.escapeHTML(message); + message = message.replaceAll("\\n", "<br />"); + } + html += "<p>" + message + "</p>"; } final String style = notification.hasAttribute("style") ? notification diff --git a/src/com/vaadin/ui/Window.java b/src/com/vaadin/ui/Window.java index 989a8288e2..a16b6d585d 100644 --- a/src/com/vaadin/ui/Window.java 
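Review bot: The flag in the `@@ -320` hunk is read with `notification.hasAttribute(NOTIFICATION_HTML_CONTENT_ALLOWED)`, so any value sent under that name, including `false`, switches escaping off. The server side in this commit only adds the attribute when it is true, so the two ends agree today, but the check would be safer if it required the value as well: `boolean htmlContentAllowed = notification.hasAttribute(NOTIFICATION_HTML_CONTENT_ALLOWED) && notification.getBooleanAttribute(NOTIFICATION_HTML_CONTENT_ALLOWED);`. The enclosing loop starts and ends outside the hunk.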
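Review bot: The escape-then-`<br />` sequence in the `@@ -328` hunk is written twice, once for the caption and once for the message, and nothing records that the order is what keeps plain text inert. A small private helper taking the text and `htmlContentAllowed` would keep the two paths from drifting apart, with a comment such as `// Escape before inserting <br />; the other order would escape the line breaks too`. `replaceAll("\\n", ...)` goes through the regex engine for a literal newline, and `replace("\n", "<br />")` does the same without it. The icon branch at the top of the hunk still concatenates `parsedUri` into `src` unescaped in both modes, which is acceptable only if that URI never carries user-controlled text; that is worth confirming.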
+++ b/src/com/vaadin/ui/Window.java @@ -663,6 +663,10 @@ public class Window extends Panel implements URIHandler, ParameterHandler, if (n.getIcon() != null) { target.addAttribute("icon", n.getIcon()); } + if (n.isHtmlContentAllowed()) { + target.addAttribute( + VView.NOTIFICATION_HTML_CONTENT_ALLOWED, true); + } target.addAttribute("position", n.getPosition()); target.addAttribute("delay", n.getDelayMsec()); if (n.getStyleName() != null) { @@ -1597,6 +1601,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * Shows a notification message on the middle of the window. The message * automatically disappears ("humanized message"). * + * Care should be taken to to avoid XSS vulnerabilities as the caption is + * rendered as html. + * * @see #showNotification(com.vaadin.ui.Window.Notification) * @see Notification * @@ -1612,6 +1619,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * message depends on the type, which is one of the basic types defined in * {@link Notification}, for instance Notification.TYPE_WARNING_MESSAGE. * + * Care should be taken to to avoid XSS vulnerabilities as the caption is + * rendered as html. + * * @see #showNotification(com.vaadin.ui.Window.Notification) * @see Notification * @@ -1629,6 +1639,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * description on the middle of the window. The message automatically * disappears ("humanized message"). * + * Care should be taken to to avoid XSS vulnerabilities as the caption and + * description are rendered as html. + * * @see #showNotification(com.vaadin.ui.Window.Notification) * @see Notification * 
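Review bot: In the `@@ -663` hunk the server only signals the mode and sends caption and description unchanged, so the plain-text guarantee rests entirely on the client widget honouring `VView.NOTIFICATION_HTML_CONTENT_ALLOWED`. A widgetset compiled before this change would presumably ignore the attribute and keep rendering the texts as HTML even when `isHtmlContentAllowed()` is false. That dependency deserves a comment at this call, for example `// Escaping happens in VView; the client widgetset must be recompiled for plain-text mode to take effect`. The enclosing paint method starts and ends outside the hunk.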
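Review bot: The Javadoc sentence added in the `@@ -1597` hunk reads `Care should be taken to to avoid XSS vulnerabilities`, with a doubled "to". The same typo is repeated in the `@@ -1612`, `@@ -1629`, `@@ -1648`, `@@ -1773`, `@@ -1787`, `@@ -1800`, `@@ -1813` and `@@ -1821` hunks, while the `@@ -1663` hunk has the correct wording. Each sentence should start `Care should be taken to avoid XSS vulnerabilities`.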
@@ -1648,6 +1661,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * type, which is one of the basic types defined in {@link Notification}, * for instance Notification.TYPE_WARNING_MESSAGE. * + * Care should be taken to to avoid XSS vulnerabilities as the caption and + * description are rendered as html. + * * @see #showNotification(com.vaadin.ui.Window.Notification) * @see Notification * @@ -1663,6 +1679,34 @@ public class Window extends Panel implements URIHandler, ParameterHandler, } /** + * Shows a notification consisting of a bigger caption and a smaller + * description. The position and behavior of the message depends on the + * type, which is one of the basic types defined in {@link Notification}, + * for instance Notification.TYPE_WARNING_MESSAGE. + * + * Care should be taken to avoid XSS vulnerabilities if html content is + * allowed. + * + * @see #showNotification(com.vaadin.ui.Window.Notification) + * @see Notification + * + * @param caption + * The message caption + * @param description + * The message description + * @param type + * The type of message + * @param htmlContentAllowed + * Whether html in the caption and description should be + * displayed as html or as plain text + */ + public void showNotification(String caption, String description, int type, + boolean htmlContentAllowed) { + addNotification(new Notification(caption, description, type, + htmlContentAllowed)); + } + + /** * Shows a notification message. * * @see Notification @@ -1773,10 +1817,14 @@ public class Window extends Panel implements URIHandler, ParameterHandler, private int position = POSITION_CENTERED; private int delayMsec = 0; private String styleName; + private boolean htmlContentAllowed; /** * Creates a "humanized" notification message. * + * Care should be taken to to avoid XSS vulnerabilities as the caption + * is by default rendered as html. + * * @param caption * The message to show */ 
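Review bot: `private boolean htmlContentAllowed;` in the `@@ -1773` hunk has no initializer, so the field itself defaults to false, while the Javadoc added in the same hunk says the caption is rendered as html by default. The documented default holds only if every constructor ends up in the four-argument one; the three-argument constructor does so elsewhere in this commit, but the other constructor bodies are outside the visible hunks. A comment on the field would make that dependency explicit: `// Set through the constructor chain; the legacy constructors pass true`.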
@@ -1787,6 +1835,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, /** * Creates a notification message of the specified type. * + * Care should be taken to to avoid XSS vulnerabilities as the caption + * is by default rendered as html. + * * @param caption * The message to show * @param type @@ -1800,6 +1851,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * Creates a "humanized" notification message with a bigger caption and * smaller description. * + * Care should be taken to to avoid XSS vulnerabilities as the caption + * and description are by default rendered as html. + * * @param caption * The message caption * @param description @@ -1813,6 +1867,9 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * Creates a notification message of the specified type, with a bigger * caption and smaller description. * + * Care should be taken to to avoid XSS vulnerabilities as the caption + * and description are by default rendered as html. + * * @param caption * The message caption * @param description 
@@ -1821,8 +1878,31 @@ public class Window extends Panel implements URIHandler, ParameterHandler, * The type of message */ public Notification(String caption, String description, int type) { + this(caption, description, type, true); + } + + /** + * Creates a notification message of the specified type, with a bigger + * caption and smaller description. + * + * Care should be taken to to avoid XSS vulnerabilities if html is + * allowed. + * + * @param caption + * The message caption + * @param description + * The message description + * @param type + * The type of message + * @param htmlContentAllowed + * Whether html in the caption and description should be + * displayed as html or as plain text + */ + public Notification(String caption, String description, int type, + boolean htmlContentAllowed) { this.caption = caption; this.description = description; + this.htmlContentAllowed = htmlContentAllowed; setType(type); } @@ -1980,6 +2060,32 @@ public class Window extends Panel implements URIHandler, ParameterHandler, public String getStyleName() { return styleName; } + + /** + * Sets whether html is allowed in the caption and description. If set + * to true, the texts are passed to the browser as html and the + * developer is responsible for ensuring no harmful html is used. If set + * to false, the texts are passed to the browser as plain text. + * + * @param htmlContentAllowed + * true if the texts are used as html, false if used as plain + * text + */ + public void setHtmlContentAllowed(boolean htmlContentAllowed) { + this.htmlContentAllowed = htmlContentAllowed; + } + + /** + * Checks whether caption and description are interpreted as html or + * plain text. + * + * @return true if the texts are used as html, false if used as plain + * text + * @see #setHtmlContentAllowed(boolean) + */ + public boolean isHtmlContentAllowed() { + return htmlContentAllowed; + } } /** 
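Review bot: `this(caption, description, type, true);` in the `@@ -1821` hunk keeps HTML rendering as the default for every existing caller, so code that passes user-derived text to the old constructors is as exposed as it was before this commit. That is understandable for compatibility, but the Javadoc added to the legacy constructors only warns and never says how to opt out. Adding `Use {@link #setHtmlContentAllowed(boolean)} with false to have the texts shown as plain text.` to those comments would point callers at the safe mode.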
diff --git a/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.html b/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.html
new file mode 100644
index 0000000000..a6a40224f7
--- /dev/null
+++ b/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.html
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head profile="http://selenium-ide.openqa.org/profiles/test-case">
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<link rel="selenium.base" href="" />
+<title>New Test</title>
+</head>
+<body>
+<table cellpadding="1" cellspacing="1" border="1">
+<thead>
+<tr><td rowspan="1" colspan="3">NotificationsHtmlAllowed</td></tr>
+</thead><tbody>
+<tr>
+ <td>open</td>
+ <td>/run/com.vaadin.tests.components.notification.NotificationsHtmlAllowed?restartApplication</td>
+ <td></td>
+</tr>
+<tr>
+ <td>click</td>
+ <td>vaadin=runcomvaadintestscomponentsnotificationNotificationsHtmlAllowed::/VVerticalLayout[0]/ChildComponentContainer[1]/VVerticalLayout[0]/ChildComponentContainer[3]/VButton[0]/domChild[0]/domChild[0]</td>
+ <td></td>
+</tr>
+<tr>
+ <td>screenCapture</td>
+ <td></td>
+ <td>html</td>
+</tr>
+<tr>
+ <td>closeNotification</td>
+ <td>//body/div[2]</td>
+ <td>0,0</td>
+</tr>
+<tr>
+ <td>mouseClick</td>
+ <td>vaadin=runcomvaadintestscomponentsnotificationNotificationsHtmlAllowed::/VVerticalLayout[0]/ChildComponentContainer[1]/VVerticalLayout[0]/ChildComponentContainer[2]/VCheckBox[0]/domChild[0]</td>
+ <td>66,2</td>
+</tr>
+<tr>
+ <td>click</td>
+ <td>vaadin=runcomvaadintestscomponentsnotificationNotificationsHtmlAllowed::/VVerticalLayout[0]/ChildComponentContainer[1]/VVerticalLayout[0]/ChildComponentContainer[3]/VButton[0]/domChild[0]/domChild[0]</td>
+ <td></td>
+</tr>
+<tr>
+ <td>screenCapture</td>
+ <td><br /></td>
+ <td>plain</td>
+</tr>
+<tr>
+ <td>closeNotification</td>
+ <td>//body/div[2]</td>
+ <td>0,0</td>
+</tr>
+</tbody></table>
+</body>
+</html>
diff --git a/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.java b/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.java
new file mode 100644
index 0000000000..58f6c12f44
--- /dev/null
+++ b/tests/src/com/vaadin/tests/components/notification/NotificationsHtmlAllowed.java
@@ -0,0 +1,50 @@
+package com.vaadin.tests.components.notification;
+
+import com.vaadin.tests.components.TestBase;
+import com.vaadin.ui.Button;
+import com.vaadin.ui.Button.ClickEvent;
+import com.vaadin.ui.Button.ClickListener;
+import com.vaadin.ui.CheckBox;
+import com.vaadin.ui.TextArea;
+import com.vaadin.ui.TextField;
+import com.vaadin.ui.Window.Notification;
+
+public class NotificationsHtmlAllowed extends TestBase implements ClickListener {
+
+ private TextArea messageField;
+ private CheckBox htmlAllowedBox;
+ private TextField captionField;
+
+ @Override
+ protected void setup() {
+ captionField = new TextField("Caption", "Hello <u>world</u>");
+ addComponent(captionField);
+ messageField = new TextArea("Message",
+ "Hello <i>world</i>\nWith a newline <br/>And a html line break");
+ messageField.setRows(10);
+ addComponent(messageField);
+ htmlAllowedBox = new CheckBox("Html content allowed", true);
+ addComponent(htmlAllowedBox);
+ Button showNotification = new Button("Show notification", this);
+ addComponent(showNotification);
+ }
+
+ @Override
+ protected String getDescription() {
+ return "Test case for htmlAllowed in notifications";
+ }
+
+ @Override
+ protected Integer getTicketNumber() {
+ return 6097;
+ }
+
+ public void buttonClick(ClickEvent event) {
+ Notification n = new Notification((String) captionField.getValue(),
+ (String) messageField.getValue(),
+ Notification.TYPE_HUMANIZED_MESSAGE,
+ htmlAllowedBox.booleanValue());
+ event.getButton().getWindow().showNotification(n);
+
+ }
+}
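Review bot: The sample texts in `setup()` cover `<u>`, `<i>`, `<br/>` and a newline, but not `&` or quote characters, so the plain-text screenshot does not show whether those are escaped as well. Extending the default caption, for example `new TextField("Caption", "Hello <u>world</u> & \"friends\"")`, would cover them at the cost of new reference screenshots. The class also has no Javadoc, and a one-line `/** Screenshot test for ticket #6097: notification texts shown as html or as plain text. */` would say what the reference images are expected to show.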
|