From 27c1409be537dcc066096281820546323d8667db Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 16 Feb 2015 20:07:45 +0100
Subject: Encode parameters in `OC.generateUrl` by itself
This function is often used in a wrong and potential dangerous way... Thus we should escape the URL per default and offer developers to disable the automatic escaping via an option parameter if they really want that behaviour. Might break some things, however, those things are then easy to fix and we really have a ton of bugs caused by this... Fixes https://github.com/owncloud/core/issues/14228
---
core/js/js.js | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
(limited to 'core/js/js.js')
diff --git a/core/js/js.js b/core/js/js.js
index 7ff010eca0a..a43df4014df 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -116,17 +116,30 @@ var OC={
 /**
 * Generates the absolute url for the given relative url, which can contain parameters.
+ * Parameters will be URL encoded automatically.
 * @param {string} url
 * @param [params] params
+ * @param [options] options
+ * @param {bool} [options.escape=true] enable/disable auto escape of placeholders (by default enabled)
 * @return {string} Absolute URL for the given relative URL
 */
- generateUrl: function(url, params) {
+ generateUrl: function(url, params, options) {
+ var defaultOptions = {
+ escape: true
+ },
+ allOptions = options || {};
+ _.defaults(allOptions, defaultOptions);
+
 var _build = function (text, vars) {
 var vars = vars || [];
 return text.replace(/{([^{}]*)}/g,
 function (a, b) {
- var r = vars[b];
- return typeof r === 'string' || typeof r === 'number' ? r : a;
+ var r = (vars[b]);
+ if(allOptions.escape) {
+ return (typeof r === 'string' || typeof r === 'number') ? encodeURIComponent(r) : encodeURIComponent(a);
+ } else {
+ return (typeof r === 'string' || typeof r === 'number') ? r : a;
+ }
 }
 );
 };
--
cgit v1.2.3
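Review bot: The new `if(allOptions.escape)` test in `_build` is a truthiness check, so a caller that passes a falsy value other than an explicit `false` (for example `0` or `''`, and `null` on Underscore versions where `_.defaults` fills only `undefined`) silently gets unencoded interpolation. Raw values can carry `/`, `?` or `#` into the generated URL, so `if (allOptions.escape !== false) {` is the safer form: only a deliberate opt-out then disables encoding. `_.defaults(allOptions, defaultOptions)` also writes `escape` into the caller's own `options` object; `allOptions = _.defaults({}, options || {}, defaultOptions);` avoids that. The JSDoc for the option would be clearer as `@param {bool} [options.escape=true] set to false only when every value in params is already URL-encoded or trusted`. The body of `generateUrl` continues past the end of the hunk.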