authorLukas Reschke <lukas@owncloud.com>2015-02-16 20:07:45 +0100
committerLukas Reschke <lukas@owncloud.com>2015-02-17 14:41:06 +0100
commit27c1409be537dcc066096281820546323d8667db (patch)
treebb93abcf4184996073b776851550a94c7968f57c /core/js/tests
parent76c511de92f1b4dc6dcc31ac5ae15ffade29bb18 (diff)
Encode parameters in `OC.generateUrl` by itself
This function is often used in a wrong and potentially dangerous way... Thus we should escape the URL by default and let developers disable the automatic escaping via an option parameter if they really want that behaviour. This might break some things; however, those things are then easy to fix, and we really have a ton of bugs caused by this... Fixes https://github.com/owncloud/core/issues/14228
Diffstat (limited to 'core/js/tests')
-rw-r--r--core/js/tests/specs/coreSpec.js15
1 files changed, 12 insertions, 3 deletions
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index 159c3743662..7d06ac2e7df 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@@ -393,11 +393,20 @@ describe('Core base tests', function() {
expect(OC.generateUrl('heartbeat')).toEqual(OC.webroot + '/index.php/heartbeat');
expect(OC.generateUrl('/heartbeat')).toEqual(OC.webroot + '/index.php/heartbeat');
});
- it('substitutes parameters', function() {
- expect(OC.generateUrl('apps/files/download{file}', {file: '/Welcome.txt'})).toEqual(OC.webroot + '/index.php/apps/files/download/Welcome.txt');
+ it('substitutes parameters which are escaped by default', function() {
+ expect(OC.generateUrl('apps/files/download/{file}', {file: '<">ImAnUnescapedString/!'})).toEqual(OC.webroot + '/index.php/apps/files/download/%3C%22%3EImAnUnescapedString%2F!');
+ });
+ it('substitutes parameters which can also be unescaped via option flag', function() {
+ expect(OC.generateUrl('apps/files/download/{file}', {file: 'subfolder/Welcome.txt'}, {escape: false})).toEqual(OC.webroot + '/index.php/apps/files/download/subfolder/Welcome.txt');
+ });
+ it('substitutes multiple parameters which are escaped by default', function() {
+ expect(OC.generateUrl('apps/files/download/{file}/{id}', {file: '<">ImAnUnescapedString/!', id: 5})).toEqual(OC.webroot + '/index.php/apps/files/download/%3C%22%3EImAnUnescapedString%2F!/5');
+ });
+ it('substitutes multiple parameters which can also be unescaped via option flag', function() {
+ expect(OC.generateUrl('apps/files/download/{file}/{id}', {file: 'subfolder/Welcome.txt', id: 5}, {escape: false})).toEqual(OC.webroot + '/index.php/apps/files/download/subfolder/Welcome.txt/5');
});
it('doesnt error out with no params provided', function () {
- expect(OC.generateUrl('apps/files/download{file}')).toEqual(OC.webroot + '/index.php/apps/files/download{file}');
+ expect(OC.generateUrl('apps/files/download{file}')).toEqual(OC.webroot + '/index.php/apps/files/download%7Bfile%7D');
});
});
describe('Main menu mobile toggle', function() {
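Review bot: The two "escaped by default" cases only pin `<`, `"`, `>` and `/` through the value `'<">ImAnUnescapedString/!'`; nothing asserts that `?`, `#`, `&` or `%` are encoded, and those are the characters that would let a parameter value spill into the query string or fragment of the generated URL. I would add one expectation such as `expect(OC.generateUrl('apps/files/download/{file}', {file: 'a?b#c&d%'})).toEqual(OC.webroot + '/index.php/apps/files/download/a%3Fb%23c%26d%25');`. That expected value assumes the escaping is `encodeURIComponent`, which the existing `%2F` and the unescaped `!` suggest but the hunk does not show. The `{escape: false}` cases use only benign paths, so a comment above them like `// escape: false inserts the value verbatim; the caller is responsible for encoding it` would record the contract. The last case now also asserts that an unmatched `{file}` placeholder is percent-encoded, which its name 'doesnt error out with no params provided' does not convey. The enclosing `describe` blocks open outside this hunk.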