public class UrlUtil extends Object
For internal use only. May be renamed or removed in a future release.
| Modifier and Type | Method and Description |
|---|---|
static String |
encodeURI(String uri)
Encodes a full URI.
|
static String |
encodeURIComponent(String path)
Encodes a path segment of a URI.
|
static String |
getUnsafeUrlMessage(String type,
String url,
String unsafeMethod)
Builds the message for the
IllegalArgumentException that a
validating URL setter throws when given a URL whose scheme is not
considered safe. |
static boolean |
isExternal(String url)
checks if the given url is an external URL (e.g.
|
static boolean |
isSafeUrl(String url)
Checks whether the scheme of the given URL is considered safe by the
current deployment configuration.
|
public static boolean isExternal(String url)
url - is the url to be checked.public static String encodeURI(String uri)
Corresponds to encodeURI in JavaScript https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
The path can contain / and other special URL characters as these
will not be encoded. See encodeURIComponent(String) if you want
to encode all special characters.
The following characters are not escaped: A-Za-z0-9;,/?:@&=+$-_.!~*'()#
uri - the uri to encodepublic static String encodeURIComponent(String path)
Corresponds to encodeURIComponent in JavaScript https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
The following characters are not escaped: A-Za-z0-9-_.!~*'()
path - the path to encodepublic static boolean isSafeUrl(String url)
The set of safe schemes is read from the current VaadinService's
DeploymentConfiguration.getUrlSafeSchemes(), falling back to
Set.of(Constants.URL_SAFE_SCHEMES_WILDCARD), which bypasses the
validation and allows all URLs when no VaadinService is
available. Relative URLs (without a scheme) are always considered safe,
whereas URLs containing control characters are rejected as they can be
used to obfuscate the scheme. A null URL is considered unsafe.
url - the URL to check, may be nulltrue if the URL is safe, false otherwisepublic static String getUnsafeUrlMessage(String type, String url, String unsafeMethod)
IllegalArgumentException that a
validating URL setter throws when given a URL whose scheme is not
considered safe. The message points to both the
InitParameters.URL_SAFE_SCHEMES configuration property and the
setter that bypasses validation.type - the kind of URL being set, for example "href",
"src" or "path"url - the rejected URLunsafeMethod - the signature of the method that bypasses validation, for
example "setUnsafeHref(String)"Copyright © 2000–2026 Vaadin Ltd. All rights reserved.