- Timestamp:
- 2019-02-13T20:23:04+13:00 (5 years ago)
- File:
-
- 1 edited
main/trunk/greenstone3/web/interfaces/default/js/document_scripts.js
r32774 r32775 24 24 * EXPANSION SCRIPTS * 25 25 ********************/ 26 27 /* 28 Given a string consisting of a single character, returns the %hex (%XX) 29 https://www.w3resource.com/javascript-exercises/javascript-string-exercise-27.php 30 https://stackoverflow.com/questions/40100096/what-is-equivalent-php-chr-and-ord-functions-in-javascript 31 https://www.w3resource.com/javascript-exercises/javascript-string-exercise-27.php 32 */ 33 function urlEncodeChar(single_char_string) { 34 /*var hex = Number(single_char_string.charCodeAt(0)).toString(16); 35 var str = "" + hex; 36 str = "%" + str.toUpperCase(); 37 return str; 38 */ 39 40 var hex = "%" + Number(single_char_string.charCodeAt(0)).toString(16).toUpperCase(); 41 return hex; 42 } 26 43 27 44 /* … … 40 57 Possibly more info: https://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid 41 58 59 Javascript already provides functions encodeURI() and encodeURIComponent(), see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI 60 However, the set of chars they deal with only partially overlap with the set of chars that need encoding as per the RFC3986 for URIs and RFC1738 for URLs discussed at 61 https://perishablepress.com/stop-using-unsafe-characters-in-urls/ 62 We want to handle all the characters listed as unsafe and reserved at https://perishablepress.com/stop-using-unsafe-characters-in-urls/ 63 so we define and use our own conceptually equivalent methods for both existing JavaScript methods: 64 - makeSafeURL() for Javascript's encodeURI() to make sure all unsafe characters in URLs are escaped by being URL encoded 65 - and makeSafeURLComponent() for JavaScript's encodeURIComponent to additionally make sure all reserved characters in a URL portion are escaped by being URL encoded too 66 67 Function makeSafeURL() is passed a string that represents a URL and therefore only deals with characters that are unsafe in a URL and which therefore require escaping. 
68 Function makeSafeURLComponent() deals with portions of a URL that when decoded need not represent a URL at all, for example data like inline templates passed in as a 69 URL query string's parameter values. As such makeSafeURLComponent() should escape both unsafe URL characters and characters that are reserved in URLs since reserved 70 characters in the query string part (as query param values representing data) may take on a different meaning from their reserved meaning in a URL context. 42 71 */ 43 /* URL encode RESERVED characters in a non-URL context of a URL, such as the inline template (ilt) parameter value of a URL */ 44 function makeSafeForURL(url_part, encode_percentages) { 72 73 /* URL encodes both 74 - UNSAFE characters to make URL safe, by calling makeSafeURL() 75 - and RESERVED characters (characters that have reserved meanings within a URL) to make URL valid, since the url component parameter could use reserved characters 76 in a non-URL sense. For example, the inline template (ilt) parameter value of a URL could use '=' and '&' signs where these would have XSLT rather than URL meanings. 77 78 See end of https://www.w3schools.com/jsref/jsref_replace.asp to use a callback passing each captured element of a regex in str.replace() 79 */ 80 function makeURLComponentSafe(url_part, encode_percentages) { 45 81 // https://stackoverflow.com/questions/12797118/how-can-i-declare-optional-function-parameters-in-javascript 46 82 encode_percentages = encode_percentages || 1; // this method forces the URL-encoding of any % in url_part, e.g. 
do this for inline-templates that haven't ever been encoded 47 83 48 84 var url_encoded = makeURLSafe(url_part, encode_percentages); 49 url_encoded = url_encoded.replace(/;/g, "%3B").replace(/\//g, "%2F").replace(/\?/g, "%3F").replace(/\:/g, "%3A").replace(/\@/g, "%40").replace(/=/g, "%3D").replace(/\&/g,"%26"); 85 //return url_encoded.replace(/;/g, "%3B").replace(/\//g, "%2F").replace(/\?/g, "%3F").replace(/\:/g, "%3A").replace(/\@/g, "%40").replace(/=/g, "%3D").replace(/\&/g,"%26"); 86 url_encoded = url_encoded.replace(/[\;\/\?\:\@\=\&]/g, function(s) { 87 return urlEncodeChar(s); 88 }); 50 89 return url_encoded; 51 90 } 52 91 53 92 /* 54 URL encode UNSAFE characters to make URL valid55 Set encode_percentages to 1 (true) if the url isn't already partly URL encoded93 URL encode UNSAFE characters to make URL passed in safe. 94 Set encode_percentages to 1 (true) if you don't want % signs encoded: you'd do so if the url is already partly URL encoded. 56 95 */ 57 96 function makeURLSafe(url, encode_percentages) { … … 60 99 var url_encoded = url; 61 100 if(encode_percentages) { url_encoded = url_encoded.replace(/\%/g,"%25"); } // encode % first 62 url_encoded = url_encoded.replace(/ /g, "%20").replace(/\"/g,"%22").replace(/\</g,"%3C").replace(/\>/g,"%3E").replace(/\#/g,"%23").replace(/\{/g,"%7B").replace(/\}/g,"%7D");63 url_encoded = url_encoded.replace(/\|/g,"%7C").replace(/\\/g,"%5C").replace(/\^/g,"%5E").replace(/\[/g,"%5B").replace(/\]/g,"%5D").replace(/\`/g,"%60");101 //url_encoded = url_encoded.replace(/ /g, "%20").replace(/\"/g,"%22").replace(/\</g,"%3C").replace(/\>/g,"%3E").replace(/\#/g,"%23").replace(/\{/g,"%7B").replace(/\}/g,"%7D"); 102 //url_encoded = url_encoded.replace(/\|/g,"%7C").replace(/\\/g,"%5C").replace(/\^/g,"%5E").replace(/\[/g,"%5B").replace(/\]/g,"%5D").replace(/\`/g,"%60"); 64 103 // Should we handle ~, but then what is its URL encoded value? Because https://meyerweb.com/eric/tools/dencoder/ URLencodes ~ to ~. 
104 //return url_encoded; 105 url_encoded = url_encoded.replace(/[\ \"\<\>\#\{\}\|\\^\~\[\]\`]/g, function(s) { 106 return urlEncodeChar(s); 107 }); 65 108 return url_encoded; 66 109 } … … 82 125 template += '</xsl:template>'; 83 126 84 template = make SafeForURL(template);127 template = makeURLComponentSafe(template); 85 128 86 129 var hlCheckBox = document.getElementById("highlightOption"); … … 152 195 template += '</xsl:template>'; 153 196 154 template = make SafeForURL(template);197 template = makeURLComponentSafe(template); 155 198 var url = gs.xsltParams.library_name + "/collection/" + gs.cgiParams.c + "/document/" + sectionID + "?ilt=" + template; 156 199 … … 721 764 ilt += '</xsl:template>'; 722 765 723 ilt = make SafeForURL(ilt);766 ilt = makeURLComponentSafe(ilt); 724 767 725 768 … … 986 1029 template += '</html>'; 987 1030 template += '</xsl:template>'; 988 template = make SafeForURL(template);1031 template = makeURLComponentSafe(template); 989 1032 var url = href + "?noText=1&ilt=" + template; 990 1033 … … 1390 1433 template += ']</images>'; 1391 1434 template += '</xsl:template>'; 1392 template = make SafeForURL(template);1435 template = makeURLComponentSafe(template); 1393 1436 var url = gs.xsltParams.library_name + "/collection/" + gs.cgiParams.c + "/document/" + gs.cgiParams.d + "?ed=1&ilt=" + template; 1394 1437
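Review bot: The rewritten comment above `makeURLSafe` states the opposite of what the code does. It says to set `encode_percentages` to 1 "if you don't want % signs encoded", but the visible body runs `if(encode_percentages) { url_encoded = url_encoded.replace(/\%/g,"%25"); }`, so a truthy value is what causes `%` to be encoded. A caller who follows the comment with an already partly encoded URL gets double encoding (`%20` becomes `%2520`), and one who passes a falsy value for never-encoded data leaves raw `%` in the query string; I would restore the original sense, e.g. `Set encode_percentages to 1 (true) to encode % signs too: do this only if the url has not already been partly URL encoded.` In `makeURLComponentSafe`, `encode_percentages = encode_percentages || 1;` turns an explicit 0 or false back into 1, so the parameter cannot be switched off there. If that is intended, as the trailing comment suggests, say so in the function header; the lines of `makeURLSafe` between its signature and `var url_encoded = url;` are elided, so its own default handling cannot be checked from here. Separately, `urlEncodeChar` does not zero-pad or UTF-8 encode (`toString(16)` gives `%9` for a tab and a single over-long escape for non-ASCII input), which is only safe while both character classes stay within printable ASCII, so a one-line comment stating that precondition would help.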