Fixed XSS Vulnerability.

Author: kevzlou7979

gwt-material/src/main/java/gwt/material/design/client/base/AbstractButton.java

@@ -24,6 +24,8 @@
 import com.google.gwt.event.logical.shared.ValueChangeEvent;
 import com.google.gwt.event.logical.shared.ValueChangeHandler;
 import com.google.gwt.event.shared.HandlerRegistration;
+import com.google.gwt.safehtml.shared.HtmlSanitizer;
+import com.google.gwt.safehtml.shared.SafeHtml;
 import com.google.gwt.user.client.History;
 import com.google.gwt.user.client.ui.HasValue;
 import gwt.material.design.client.base.mixin.ActivatesMixin;
@@ -36,7 +38,7 @@
  * @author Ben Dol
  */
 public abstract class AbstractButton extends MaterialWidget implements HasHref, HasGrid, HasActivates,
-        HasTargetHistoryToken, HasType<ButtonType>, HasValue<String> {
+    HasTargetHistoryToken, HasType<ButtonType>, HasValue<String>, HasSafeText {
 
     private String targetHistoryToken;
     private Span span = new Span();
@@ -169,6 +171,21 @@ public void setText(String text) {
         }
     }
 
+    @Override
+    public void setHtml(SafeHtml html) {
+        span.setHtml(html);
+    }
+
+    @Override
+    public void setSanitizer(HtmlSanitizer sanitizer) {
+        span.setSanitizer(sanitizer);
+    }
+
+    @Override
+    public HtmlSanitizer getSanitizer() {
+        return span.getSanitizer();
+    }
+
     /**
      * Set the target history token for the widget. Note, that you should use either
      * {@link #setTargetHistoryToken(String)} or {@link #setHref(String)}, but not both as

gwt-material/src/main/java/gwt/material/design/client/base/AbstractValueWidget.java

@@ -86,9 +86,6 @@ public void setValue(V value, boolean fireEvents, boolean reload) {
         }
     }
 
-    //TODO:
-    //setSanitizer();
-
     @Override
     public void setErrorText(String errorText) {
         getStatusTextMixin().setErrorText(errorText);

gwt-material/src/main/java/gwt/material/design/client/base/DefaultHtmlSanitizer.java

@@ -0,0 +1,35 @@
+/*
+ * #%L
+ * GwtMaterial
+ * %%
+ * Copyright (C) 2015 - 2020 GwtMaterialDesign
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package gwt.material.design.client.base;
+
+import com.google.gwt.safehtml.shared.HtmlSanitizer;
+import com.google.gwt.safehtml.shared.SafeHtml;
+import com.google.gwt.safehtml.shared.SafeHtmlUtils;
+
+/**
+ * HTML-escapes its argument and returns the result wrapped as a SafeHtml.
+ */
+public class DefaultHtmlSanitizer implements HtmlSanitizer {
+
+    @Override
+    public SafeHtml sanitize(String html) {
+        return SafeHtmlUtils.fromString(html);
+    }
+}

gwt-material/src/main/java/gwt/material/design/client/base/HasSafeText.java

@@ -0,0 +1,32 @@
+/*
+ * #%L
+ * GwtMaterial
+ * %%
+ * Copyright (C) 2015 - 2020 GwtMaterialDesign
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package gwt.material.design.client.base;
+
+import com.google.gwt.safehtml.shared.HtmlSanitizer;
+import com.google.gwt.safehtml.shared.SafeHtml;
+
+public interface HasSafeText {
+
+    void setHtml(SafeHtml html);
+
+    void setSanitizer(HtmlSanitizer sanitizer);
+
+    HtmlSanitizer getSanitizer();
+}

gwt-material/src/main/java/gwt/material/design/client/base/TextWidget.java

@@ -20,13 +20,15 @@
 package gwt.material.design.client.base;
 
 import com.google.gwt.dom.client.Element;
+import com.google.gwt.safehtml.shared.HtmlSanitizer;
+import com.google.gwt.safehtml.shared.SafeHtml;
 import com.google.gwt.user.client.DOM;
 import com.google.gwt.user.client.ui.HasText;
 import gwt.material.design.client.base.mixin.TextMixin;
 
-public class TextWidget extends MaterialWidget implements HasText {
+public class TextWidget extends MaterialWidget implements HasSafeText, HasText {
 
-    private final TextMixin<TextWidget> textMixin = new TextMixin<>(this);
+    private TextMixin<TextWidget> textMixin;
 
     public TextWidget() {
         super(DOM.createDiv());
@@ -42,11 +44,33 @@ public TextWidget(Element element, String... initialClass) {
 
     @Override
     public String getText() {
-        return textMixin.getText();
+        return getTextMixin().getText();
     }
 
     @Override
     public void setText(String text) {
-        textMixin.setText(text);
+        getTextMixin().setText(text);
     }
-}
+
+    @Override
+    public void setHtml(SafeHtml html) {
+        getTextMixin().setHtml(html);
+    }
+
+    @Override
+    public void setSanitizer(HtmlSanitizer sanitizer) {
+        getTextMixin().setSanitizer(sanitizer);
+    }
+
+    @Override
+    public HtmlSanitizer getSanitizer() {
+        return getTextMixin().getSanitizer();
+    }
+
+    public TextMixin<TextWidget> getTextMixin() {
+        if (textMixin == null) {
+            textMixin = new TextMixin<>(this);
+        }
+        return textMixin;
+    }
+}

gwt-material/src/main/java/gwt/material/design/client/base/mixin/AbstractMixin.java

@@ -26,7 +26,7 @@
 /**
  * @author Sven Jacobs
  */
-abstract class AbstractMixin<T extends UIObject> {
+public abstract class AbstractMixin<T extends UIObject> {
 
     T uiObject;
 
@@ -37,4 +37,8 @@ abstract class AbstractMixin<T extends UIObject> {
     public void setUiObject(T uiObject) {
         this.uiObject = uiObject;
     }
+
+    public T getUiObject() {
+        return uiObject;
+    }
 }

gwt-material/src/main/java/gwt/material/design/client/base/mixin/HTMLMixin.java

@@ -23,13 +23,14 @@
 import com.google.gwt.dom.client.Element;
 import com.google.gwt.user.client.ui.HasHTML;
 import com.google.gwt.user.client.ui.UIObject;
+import gwt.material.design.client.base.HasSafeText;
 
 import static gwt.material.design.jquery.client.api.JQuery.$;
 
 /**
  * @author Grant Slender
  */
-public class HTMLMixin<T extends UIObject> extends TextMixin<T> implements HasHTML {
+public class HTMLMixin<T extends UIObject & HasSafeText> extends TextMixin<T> implements HasHTML {
 
     public HTMLMixin(final T uiObject) {
         super(uiObject);

gwt-material/src/main/java/gwt/material/design/client/base/mixin/TextMixin.java

@@ -20,23 +20,68 @@
  * #L%
  */
 
+import com.google.gwt.safehtml.shared.HtmlSanitizer;
+import com.google.gwt.safehtml.shared.SafeHtml;
 import com.google.gwt.safehtml.shared.SafeHtmlUtils;
 import com.google.gwt.user.client.ui.UIObject;
+import gwt.material.design.client.base.DefaultHtmlSanitizer;
+import gwt.material.design.client.base.HasSafeText;
 
 /**
+ * @author Mark Kevin
  * @author Ben Dol
  */
-public class TextMixin<T extends UIObject> extends AbstractMixin<T> {
+public class TextMixin<T extends UIObject & HasSafeText> extends AbstractMixin<T> implements HasSafeText {
+
+    protected static HtmlSanitizer DEFAULT_SANITIZER = new DefaultHtmlSanitizer();
+    protected HtmlSanitizer _sanitizer;
+    protected SafeHtml safeHtml;
 
     public TextMixin(final T uiObject) {
         super(uiObject);
     }
 
     public String getText() {
-        return uiObject.getElement().getInnerText();
+        return safeHtml != null ? uiObject.getElement().getInnerText() : null;
     }
 
     public void setText(final String text) {
-        uiObject.getElement().setInnerText(text);
+        setHtml(toSafeHtml(text));
+    }
+
+    protected SafeHtml toSafeHtml(String text) {
+        SafeHtml safeHtml = null;
+        if (text != null) {
+            if (_sanitizer == null) {
+                safeHtml = DEFAULT_SANITIZER.sanitize(text);
+            } else {
+                safeHtml = _sanitizer.sanitize(text);
+            }
+        }
+        return safeHtml;
+    }
+
+    @Override
+    public void setHtml(SafeHtml safeHtml) {
+        this.safeHtml = safeHtml;
+        uiObject.getElement().setInnerSafeHtml(safeHtml != null ? safeHtml : SafeHtmlUtils.fromString(""));
+    }
+
+    public static void setDefaultSanitizer(HtmlSanitizer defaultSanitizer) {
+        DEFAULT_SANITIZER = defaultSanitizer;
+    }
+
+    public static HtmlSanitizer getDefaultSanitizer() {
+        return DEFAULT_SANITIZER;
+    }
+
+    @Override
+    public void setSanitizer(HtmlSanitizer sanitizer) {
+        _sanitizer = sanitizer;
+    }
+
+    @Override
+    public HtmlSanitizer getSanitizer() {
+        return _sanitizer;
     }
 }

gwt-material/src/main/java/gwt/material/design/client/ui/MaterialBadge.java

@@ -20,7 +20,6 @@
 package gwt.material.design.client.ui;
 
 import com.google.gwt.dom.client.Document;
-import com.google.gwt.safehtml.shared.SafeHtmlUtils;
 import gwt.material.design.client.constants.Color;
 import gwt.material.design.client.constants.CssName;
 import gwt.material.design.client.ui.html.Span;
@@ -81,14 +80,4 @@ public MaterialBadge(String text, Color textColor, Color bgColor) {
         setTextColor(textColor);
         setBackgroundColor(bgColor);
     }
-
-    @Override
-    public String getText() {
-        return SafeHtmlUtils.fromString(getElement().getInnerText()).asString();
-    }
-
-    @Override
-    public void setText(String text) {
-        getElement().setInnerSafeHtml(SafeHtmlUtils.fromString(text));
-    }
 }

gwt-material/src/main/java/gwt/material/design/client/ui/MaterialCardTitle.java

@@ -21,8 +21,11 @@
 
 import com.google.gwt.dom.client.Document;
 import com.google.gwt.dom.client.Style;
+import com.google.gwt.safehtml.shared.HtmlSanitizer;
+import com.google.gwt.safehtml.shared.SafeHtml;
 import com.google.gwt.user.client.ui.HasText;
 import gwt.material.design.client.base.HasIcon;
+import gwt.material.design.client.base.HasSafeText;
 import gwt.material.design.client.base.MaterialWidget;
 import gwt.material.design.client.constants.*;
 import gwt.material.design.client.ui.html.Span;
@@ -38,7 +41,7 @@
  * @see <a href="https://material.io/guidelines/components/cards.html">Material Design Specification</a>
  */
 //@formatter:on
-public class MaterialCardTitle extends MaterialWidget implements HasIcon, HasText {
+public class MaterialCardTitle extends MaterialWidget implements HasIcon, HasSafeText, HasText {
 
     private MaterialIcon icon = new MaterialIcon();
     private Span titleLabel = new Span();
@@ -56,11 +59,26 @@ public String getText() {
     public void setText(String text) {
         titleLabel.setText(text);
 
-        if(!titleLabel.isAttached()) {
+        if (!titleLabel.isAttached()) {
             add(titleLabel);
         }
     }
 
+    @Override
+    public void setHtml(SafeHtml html) {
+        titleLabel.setHtml(html);
+    }
+
+    @Override
+    public void setSanitizer(HtmlSanitizer sanitizer) {
+        titleLabel.setSanitizer(sanitizer);
+    }
+
+    @Override
+    public HtmlSanitizer getSanitizer() {
+        return titleLabel.getSanitizer();
+    }
+
     @Override
     public MaterialIcon getIcon() {
         return icon;