Sanitize the HTML placed in a Label

Now that we support HTML markup in Labels, we need to make sure it is safe to display in the user’s browser. Change-Id: I17cd06a4ade1e7a58ffeb9ba256ac83a166afd0d

Sanitize the HTML placed in a Label
Now that we support HTML markup in Labels, we need to make sure it is safe to display in the user’s browser. Change-Id: I17cd06a4ade1e7a58ffeb9ba256ac83a166afd0d
7d21acba · Jeffrey I. Schiller · 82efdcf8 · 7d21acba
Unverified Commit 7d21acba authored Jul 29, 2016 by Jeffrey I. Schiller
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

appinventor/appengine/src/com/google/appinventor/client/editor/simple/components/MockLabel.java ...ppinventor/client/editor/simple/components/MockLabel.java +2 -1

No files found.
--- a/appinventor/appengine/src/com/google/appinventor/client/editor/simple/components/MockLabel.java
+++ b/appinventor/appengine/src/com/google/appinventor/client/editor/simple/components/MockLabel.java
@@ -8,6 +8,7 @@ package com.google.appinventor.client.editor.simple.components;

 import static com.google.appinventor.client.Ode.MESSAGES;
 import com.google.appinventor.client.editor.simple.SimpleEditor;
+import com.google.gwt.safehtml.shared.SimpleHtmlSanitizer;
 import com.google.gwt.user.client.ui.InlineHTML;

 /**
@@ -99,7 +100,7 @@ public final class MockLabel extends MockVisibleComponent {
  private void setTextProperty(String text) {
    savedText = text;
    if (getPropertyValue(PROPERTY_NAME_HTMLFORMAT).equals("True")) {
-      labelWidget.setHTML(text);
+      labelWidget.setHTML(SimpleHtmlSanitizer.sanitizeHtml(text).asString());
    } else {
      labelWidget.setText(text);
    }