Enum Constant Detail

• ESCAPE_HTML

  public static final EscapingMode ESCAPE_HTML

  Encodes HTML special characters.

• NORMALIZE_HTML

  public static final EscapingMode NORMALIZE_HTML

  Escapes HTML except preserves ampersands and entities.

• ESCAPE_HTML_RCDATA

  public static final EscapingMode ESCAPE_HTML_RCDATA

  Like ESCAPE_HTML but normalizes known safe HTML since RCDATA can't contain tags.

• ESCAPE_HTML_ATTRIBUTE

  public static final EscapingMode ESCAPE_HTML_ATTRIBUTE

  Encodes HTML special characters, including quotes, so that the value can appear as part of a quoted attribute value. This differs from ESCAPE_HTML in that it strips tags from known safe HTML.

• ESCAPE_HTML_ATTRIBUTE_NOSPACE

  public static final EscapingMode ESCAPE_HTML_ATTRIBUTE_NOSPACE

  Encodes HTML special characters and spaces so that the value can appear as part of an unquoted attribute.

• FILTER_HTML_ELEMENT_NAME

  public static final EscapingMode FILTER_HTML_ELEMENT_NAME

  Only allow a valid identifier - letters, numbers, dashes, and underscores. Throw a runtime exception otherwise.

• FILTER_HTML_ATTRIBUTES

  public static final EscapingMode FILTER_HTML_ATTRIBUTES

  Only allow a valid identifier - letters, numbers, dashes, and underscores or a subset of attribute value pairs. Throw a runtime exception otherwise.

• ESCAPE_JS_STRING

  public static final EscapingMode ESCAPE_JS_STRING

  Encode all HTML special characters and quotes, and JS newlines as if to allow them to appear literally in a JS string.

• ESCAPE_JS_VALUE

  public static final EscapingMode ESCAPE_JS_VALUE

  If a number or boolean, output as a JS literal. Otherwise surround in quotes and escape. Make sure all HTML and space characters are quoted.

• ESCAPE_JS_REGEX

  public static final EscapingMode ESCAPE_JS_REGEX

  Like ESCAPE_JS_STRING but additionally escapes RegExp specials like .+*?$^[](){}.

• ESCAPE_CSS_STRING

  public static final EscapingMode ESCAPE_CSS_STRING

  Must escape all quotes, newlines, and the close parenthesis using \ followed by hex followed by a space.

• FILTER_CSS_VALUE

  public static final EscapingMode FILTER_CSS_VALUE

  If the value is numeric, renders it as a numeric value so that {$n}px works as expected, otherwise if it is a valid CSS identifier, outputs it without escaping, otherwise replaces with "zSoyz" to indicate the value was rejected.

• ESCAPE_URI

  public static final EscapingMode ESCAPE_URI

  Percent encode all URI special characters and characters that cannot appear unescaped in a URI such as spaces. Make sure to encode pluses and parentheses. This corresponds to the JavaScript function encodeURIComponent.

• NORMALIZE_URI

  public static final EscapingMode NORMALIZE_URI

  Percent encode non-URI characters that cannot appear unescaped in a URI such as spaces, and encode characters that are not special in URIs that are special in languages that URIs are embedded in such as parentheses and quotes. This corresponds to the JavaScript function encodeURI but additionally encodes quotes parentheses, and percent signs that are not followed by two hex digits. This is not necessarily HTML embeddable because we want ampersands to get HTML-escaped.

• FILTER_NORMALIZE_URI

  public static final EscapingMode FILTER_NORMALIZE_URI

  Like NORMALIZE_URI, but filters out everything except relative and http/https URIs.

• FILTER_NORMALIZE_MEDIA_URI

  public static final EscapingMode FILTER_NORMALIZE_MEDIA_URI

  Like FILTER_NORMALIZE_URI, but also accepts some data: URIs, since image sources don't execute script in the same origin as the page. Although image decoding 0-days are discovered from time to time, a templating language can't realistically try to protect against such a thing.

• FILTER_TRUSTED_RESOURCE_URI

  public static final EscapingMode FILTER_TRUSTED_RESOURCE_URI

  Makes sure there URIs are trusted and not input variables. Currently used only for script sources.

• NO_AUTOESCAPE

  public static final EscapingMode NO_AUTOESCAPE

  The explicit rejection of escaping.

• TEXT

  public static final EscapingMode TEXT

  Outputs plain text and performs no escaping. Unlike noAutoescape, this will not fail if passed SanitizedContent of kind TEXT, but this may never be used manually by the developer. This has no escaping.

Field Detail

• directiveName

  public final String directiveName

  The Soy {print} directive that specifies this escaping mode.

• isHtmlEmbeddable

  public final boolean isHtmlEmbeddable

  True iff the output does not contain quotes so can be embedded in HTML attribute values.

• contentKind

  @Nullable
  public final SanitizedContent.ContentKind contentKind

  The kind of content produced by the escaping directive associated with this escaping mode.

• isInternalOnly

  public final boolean isInternalOnly

  Whether this directive is only for internal use by the contextual autoescaper.

Method Detail

• values

  public static EscapingMode[] values()

  Returns an array containing the constants of this enum type, in the order they are declared. This method may be used to iterate over the constants as follows:

  for (EscapingMode c : EscapingMode.values())
      System.out.println(c);
  

  Returns:

  an array containing the constants of this enum type, in the order they are declared

• valueOf

  public static EscapingMode valueOf(String name)

  Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)

  Parameters:

  name - the name of the enum constant to be returned.

  Returns:

  the enum constant with the specified name

  Throws:

  IllegalArgumentException - if this enum type has no constant with the specified name

  NullPointerException - if the argument is null

• fromDirective

  @Nullable
  public static EscapingMode fromDirective(String directiveName)

  The escaping mode corresponding to the given directive or null.