author | Lukas Reschke <lukas@owncloud.com> | 2016-04-18 17:38:14 +0200 |
committer | Lukas Reschke <lukas@owncloud.com> | 2016-04-18 17:43:20 +0200 |
commit | ff1150bb4db3772895be8e4c7291ebb2ff3314f9 (patch) | |
tree | 293d767d9d8ce2e7cdaf7e60b3c79f790e1116df | |
parent | 14fdafaede311ccebcb35729d4643554580d4071 (diff) | |
Properly escape URL
Fixes https://github.com/owncloud/core/issues/23499
-rw-r--r-- | settings/js/users/deleteHandler.js | 2 | ||||
-rw-r--r-- | settings/tests/js/users/deleteHandlerSpec.js | 14 |
2 files changed, 15 insertions, 1 deletions
diff --git a/settings/js/users/deleteHandler.js b/settings/js/users/deleteHandler.js
index b684aff1889..a66e8b07a72 100644
--- a/settings/js/users/deleteHandler.js
+++ b/settings/js/users/deleteHandler.js
@@ -191,7 +191,7 @@ DeleteHandler.prototype.deleteEntry = function(keepNotification) {
 payload[dh.ajaxParamID] = dh.oidToDelete;
 return $.ajax({
 type: 'DELETE',
- url: OC.generateUrl(dh.ajaxEndpoint+'/'+this.oidToDelete),
+ url: OC.generateUrl(dh.ajaxEndpoint+'/{oid}',{oid: this.oidToDelete}),
 // FIXME: do not use synchronous ajax calls as they block the browser !
 async: false,
 success: function (result) {
diff --git a/settings/tests/js/users/deleteHandlerSpec.js b/settings/tests/js/users/deleteHandlerSpec.js
index 371eae5941d..3e7f768e519 100644
--- a/settings/tests/js/users/deleteHandlerSpec.js
+++ b/settings/tests/js/users/deleteHandlerSpec.js
@@ -132,6 +132,20 @@ describe('DeleteHandler tests', function() {
 var request = fakeServer.requests[0];
 expect(request.url).toEqual(OC.webroot + '/index.php/dummyendpoint.php/some_uid');
 });
+ it('deletes when deleteEntry is called and escapes', function() {
+ fakeServer.respondWith(/\/index\.php\/dummyendpoint.php\/some_uid/, [
+ 200,
+ { 'Content-Type': 'application/json' },
+ JSON.stringify({status: 'success'})
+ ]);
+ var handler = init(markCallback, removeCallback, undoCallback);
+ handler.mark('some_uid<>/"..\\');
+
+ handler.deleteEntry();
+ expect(fakeServer.requests.length).toEqual(1);
+ var request = fakeServer.requests[0];
+ expect(request.url).toEqual(OC.webroot + '/index.php/dummyendpoint.php/some_uid%3C%3E%2F%22..%5C');
+ });
 it('cancels deletion when undo is clicked', function() {
 var handler = init(markCallback, removeCallback, undoCallback);
 handler.setNotification(OC.Notification, 'dataid', 'removed %oid entry <span class="undo">Undo</span>', undoCallback); |
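Review bot: The rewritten `url:` line in deleteHandler.js reads the id as `this.oidToDelete` while the context line just above it reads the same value as `dh.oidToDelete`; using one alias keeps the two statements visibly aligned, e.g. `url: OC.generateUrl(dh.ajaxEndpoint+'/{oid}', {oid: dh.oidToDelete}),`. Because the whole point of the change is that the placeholder form makes generateUrl percent-encode the id (the new spec pins `<>/"..\` to `%3C%3E%2F%22..%5C`), a short why-comment would stop the next maintainer from "simplifying" it back to concatenation: `// pass the id as a template parameter so generateUrl percent-encodes it ('/', '..', quotes)`. deleteEntry's body starts and ends outside the hunk, so whether `dh` is simply `this` captured earlier cannot be confirmed from here.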