Changeset 32772 for main/trunk/greenstone3/web/interfaces/default/js/document_scripts.js

Timestamp:

2019-02-13T17:46:00+13:00 (5 years ago)

Author:

ak19

Message:

Handling the whole set of reserved and unsafe characters listed at ​https://perishablepress.com/stop-using-unsafe-characters-in-urls/

File:

• main/trunk/greenstone3/web/interfaces/default/js/document_scripts.js (modified) (6 diffs)

main/trunk/greenstone3/web/interfaces/default/js/document_scripts.js

@@ -25 +25 @@
 ********************/
 
-function makeURLSafe(url) {
-
-    url =  url.replace(/ /g, "%20").replace(/\//g, "%2F").replace(/\:/g, "%3A").replace(/=/g, "%3D").replace(/\[/g,"%5B").replace(/\]/g,"%5D");
-    return url;
+/*
+  Tomcat 8 appears to be stricter in requiring unsafe and reserved chars
+  in URLs to be escaped with URL encoding
+  See section "Character Encoding Chart of
+  https://perishablepress.com/stop-using-unsafe-characters-in-urls/
+  Reserved chars:
+     ; / ? : @ = &
+     ----->  %3B %2F %3F %3A %40 %3D %26
+  Unsafe chars:
+     " < > # % { } | \ ^ ~ [ ] ` and SPACE/BLANK
+     ----> %22 %3C %3E %23 %25 %7B %7D %7C %5C %5E ~ %5B %5D %60 and %20
+  But the above conflicts with the reserved vs unreserved listings at
+     https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
+  Possibly more info: https://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid
+
+*/
+/* URL encode RESERVED characters in a non-URL context of a URL, such as the inline template (ilt) parameter value of a URL */
+function makeSafeForURL(url_part) {
+    // https://stackoverflow.com/questions/7368407/javascript-replace-a-set-of-characters-with-another-one
+    var reserved_mappings = {
+    ';': '%3B',
+    '/': '%2F',
+    '?': '%3F',
+    ':': '%3A',
+    '@': '%40',
+    '=': '%3D',
+    '&': '%26'
+    };
+    
+    encode_percentages = 1; // to force the URL-encoding of any % in url_part, do this for inline-templates that haven't ever been encoded
+    url_part = makeURLSafe(url_part, encode_percentages);
+
+    var url_encoded = url_part.replace(/[\;\/\?\:\@\=\&]/g, function(s) {
+    return reserved_mappings[s];
+    });
+    
+    //var url_encoded = url_part.replace(/;/g, "%3B").replace(/\//g, "%2F").replace(/\?/g, "%3F").replace(/\:/g, "%3A").replace(/\@/g, "%40").replace(/=/g, "%3D").replace(/\&/g,"%26");
+    return url_encoded;
+}
+
+/* 
+   URL encode UNSAFE characters to make URL valid 
+   Set encode_percentages to 1 (true) if the url isn't already partly URL encoded
+*/
+function makeURLSafe(url, encode_percentages) {
+    // https://stackoverflow.com/questions/12797118/how-can-i-declare-optional-function-parameters-in-javascript
+    encode_percentages = encode_percentages || 0;
+    
+    var unsafe_mappings = {
+    ' ': '%20',
+    '"': '%22',
+    '<': '%3C',
+    '>': '%3E',
+    '#': '%23',
+    '{': '%7B',
+    '}': '%7D',
+    '|': '%7C',
+    '\\': '%5C',
+    '^': '%5E',
+    //'~': '~', // unreserved char (but is it then unsafe?), as per https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
+    '[': '%5B',
+    ']': '%5D',
+    '`': '%60'
+    };    
+
+    var url_encoded = url;
+    if(encode_percentages) {
+    // https://stackoverflow.com/questions/1168807/how-can-i-add-a-key-value-pair-to-a-javascript-object
+    //unsafe_mappings["%"] = "%25";
+    url_encoded = url_encoded.replace(/\%/g,"%25"); // encode % first
+
+    }
+    url_encoded = url_encoded.replace(/[\ \"\<\>\#\{\}\|\\\^\[\]\`]/g, function(s) {
+    return unsafe_mappings[s];
+    });
+    
+
+    //var url_encoded = url;
+    ///if(encode_percentages) { url_encoded = url_encoded.replace(/\%/g,"%25"); } // encode % first
+    //url_encoded = url_encoded.replace(/ /g, "%20").replace(/\"/g,"%22").replace(/\</g,"%3C").replace(/\>/g,"%3E").replace(/\#/g,"%23").replace(/\{/g,"%7B").replace(/\}/g,"%7D");
+    //url_encoded = url_encoded.replace(/\|/g,"%7C").replace(/\\/g,"%5C").replace(/\^/g,"%5E").replace(/\[/g,"%5B").replace(/\]/g,"%5D").replace(/\`/g,"%60");
+    
+    return url_encoded;
 }
 
@@ -47 +126 @@
     template += '</xsl:template>';
     
-    template = makeURLSafe(template);
+    template = makeSafeForURL(template);
     
     var hlCheckBox = document.getElementById("highlightOption");
@@ -117 +196 @@
     template += '</xsl:template>';
 
-    template = makeURLSafe(template);
+    template = makeSafeForURL(template);
     var url = gs.xsltParams.library_name + "/collection/" + gs.cgiParams.c + "/document/" + sectionID + "?ilt=" + template;
 
@@ -686 +765 @@
     ilt += '</xsl:template>';
     
-    ilt = makeURLSafe(ilt);
+    ilt = makeSafeForURL(ilt);
 
 
@@ -951 +1030 @@
         template +=   '</html>';
         template += '</xsl:template>';
-    template = makeURLSafe(template);
+    template = makeSafeForURL(template);
         var url = href + "?noText=1&ilt=" + template;
 
@@ -1355 +1434 @@
     template +=   ']</images>';
     template += '</xsl:template>';
-    template = makeURLSafe(template);
+    template = makeSafeForURL(template);
     var url = gs.xsltParams.library_name + "/collection/" + gs.cgiParams.c + "/document/" + gs.cgiParams.d + "?ed=1&ilt=" + template;