使用 UiBinder 时是否需要 GWT SafeHtml？

Question

Let's say you have the following MyPanel.ui.xml :

<!DOCTYPE ui:UiBinder SYSTEM "http://dl.google.com/gwt/DTD/xhtml.ent">
<ui:UiBinder xmlns:ui="urn:ui:com.google.gwt.uibinder"
    xmlns:gwt="urn:import:com.google.gwt.user.client.ui">
    <div>
        <span id="content">Some content</span>

        <gwt:RadioButton ...>
            ...
        </gwt:RadioButton>

        <!-- etc. -->
    </div>
</ui:UiBinder>

And this "maps" to MyPanel.java :

public class MyPanel extends Composite {
    private RadioButton radioButton;
    // ...
}

Then are there any use cases where you would want/need to use SafeHtml or SafeHtmlBuilder, or is the "Safe*" API only needed when working with HTML objects and their underlying DOM structures?

If there are use cases where UiBinder-backed composites would need to use Safe*, perhaps a simple code example would help me connect the dots. Thanks in advance!

Answer 1

A simple example where you should use SafeHTML in conjunction with UiBinder:

<!DOCTYPE ui:UiBinder SYSTEM "http://dl.google.com/gwt/DTD/xhtml.ent">
<ui:UiBinder xmlns:ui="urn:ui:com.google.gwt.uibinder"
    xmlns:gwt="urn:import:com.google.gwt.user.client.ui">
    <gwt:HTMLPanel>
        <gwt:HTML ui:field="myHtml"/>
    </g:HTMLPanel>
</ui:UiBinder>

public class MyPanel extends Composite {
    private HTML myHtml;
    // ...
}

Here you should use myHtml.setHTML(SafeHTML) ^[*] . The reason for that is, that this is the only place in the example, where user provided content might occur. User content can't occur in the UiBinder template itself (because that's static: fixed at compile time).

So the difference between requiring SafeHTML or not, is equivalent to the difference between trusting user provided content vs. trusting developer provided content.

^{[*] In your own example, you should use one of RadioButton's SafeHTML constructors}