
When using MVC in GWT, is it better to have the model use raw strings or SafeHtml?

开发者 https://www.devze.com 2023-04-08 13:37 Source: Internet

I'm writing code in GWT that follows the MVC pattern.

By the time my view renders, my strings should be escaped into SafeHtml.

I'm trying to decide whether to have my model operate in terms of unsafe strings and do the conversion in the view, or to use SafeHtml in the model and identify errors when building the model.

Is there a best practice?

My reasoning for doing the SafeHtml conversion late is that it is a rendering issue, and that there may not be a need to pay the cost of escaping for strings that are not eventually displayed. On the other hand, data that cannot be converted to SafeHtml is an issue that should be caught early and preclude the model from being "valid".


I would use raw string objects, since the model should be view-agnostic and should not have any dependencies on any presentation framework. Let's suppose tomorrow you write a thin Eclipse client and communicate with your model using web services: you do not need to retrieve SafeHtml-escaped strings, just strings. Desktop clients communicating with web services, or even command-line clients, should not need to know anything about SafeHtml strings.

Just my two cents! Pablo


Pablo is right, but there is another point. SafeHtml is used to secure your application, because the client shouldn't trust the server and vice versa. Now if you would use SafeHtml directly in the model, you would trust the server with the assumption that the server provides correctly escaped and sanitized HTML code. To avoid this, use raw strings and convert them to SafeHtml in the view.

0
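The split both answers recommend, as an added example that is not code from the original posts: the model holds raw strings and the view is the only place they are escaped into SafeHtml. The class names `Comment` and `CommentListView` are hypothetical; the GWT calls (`SafeHtmlBuilder.appendEscaped`, `appendHtmlConstant`, `HTML.setHTML(SafeHtml)`) are the framework's own.

```java
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.user.client.ui.Composite;
import com.google.gwt.user.client.ui.HTML;
import java.util.List;

// Hypothetical model: plain strings only, no dependency on GWT's safehtml
// package, so web-service, desktop or command-line clients can reuse it.
class Comment {
  private final String author;
  private final String body;

  Comment(String author, String body) {
    this.author = author;
    this.body = body;
  }

  String getAuthor() { return author; }
  String getBody() { return body; }
}

// Hypothetical view: raw model strings are treated as untrusted and are
// escaped here, at render time, whatever the server sent.
class CommentListView extends Composite {
  private final HTML container = new HTML();

  CommentListView() {
    initWidget(container);
  }

  void render(List<Comment> comments) {
    SafeHtmlBuilder sb = new SafeHtmlBuilder();
    // Markup written by the developer goes in as constants.
    sb.appendHtmlConstant("<ul>");
    for (Comment c : comments) {
      sb.appendHtmlConstant("<li><b>");
      sb.appendEscaped(c.getAuthor()); // model data is always escaped
      sb.appendHtmlConstant("</b>: ");
      sb.appendEscaped(c.getBody());
      sb.appendHtmlConstant("</li>");
    }
    sb.appendHtmlConstant("</ul>");
    SafeHtml html = sb.toSafeHtml();
    // The SafeHtml overload keeps unescaped strings out of the DOM by type.
    container.setHTML(html);
  }
}
```

A body such as `<img src=x onerror=alert(1)>` is displayed as literal text by this view, and only strings that are actually rendered pay the escaping cost.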
