[LON-CAPA-cvs] cvs: loncom /interface lonindexer.pm
foxr
lon-capa-cvs@mail.lon-capa.org
Wed, 20 Oct 2004 10:51:50 -0000
foxr Wed Oct 20 06:51:50 2004 EDT
Modified files:
/loncom/interface lonindexer.pm
Log:
Defect 3560 fix and probably a few other defects that
have not yet been reported as I got rather global with
this fix within this file.
Escape strings going into javascript sequences so that
- \ -> \\
- ' -> \'
This currently is intended to handle cases where javascript will be handed
'$variable'.
Index: loncom/interface/lonindexer.pm
diff -u loncom/interface/lonindexer.pm:1.124 loncom/interface/lonindexer.pm:1.125
--- loncom/interface/lonindexer.pm:1.124 Sat Sep 25 13:58:01 2004
+++ loncom/interface/lonindexer.pm Wed Oct 20 06:51:50 2004
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Directory Indexer
#
-# $Id: lonindexer.pm,v 1.124 2004/09/25 17:58:01 matthew Exp $
+# $Id: lonindexer.pm,v 1.125 2004/10/20 10:51:50 foxr Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -73,6 +73,33 @@
my @Omit = ();
+
+#
+# Escapes strings that may have embedded 's that will be put into
+# javascript strings as 'strings'.
+# The assumptions are:
+# There has been no effort to escape ' with \'
+# Any \'s in the string are intended to be there as part of the URL
+# and must also be escaped.
+# Parameters:
+# input - The string to escape.
+# Returns:
+# The escaped string (' replaced by \' and \ replaced by \\).
+#
+sub javascript_escape {
+ my ($input) = @_;
+
+ # I imagine a regexp wizard could combine the two expressions below.
+ # If you do you might want to comment the result.
+
+ $input =~ s/\\/\\\\/g; # Escape the /'s..(must be first)>
+ $input =~ s/\'/\\\'/g; # Esacpe the 's....
+
+ return $input;
+}
+
+
+
# ----------------------------- Handling routine called via Apache and mod_perl
sub handler {
my $r = shift;
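Review bot: javascript_escape handles only `\` and `'`, but every call site in this commit (the hunks at -842, -869, -898, -958, -1022 and -1099) puts the result inside a double-quoted `href="javascript:..."` attribute, so a `"`, `<`, `&` or line break in the value still ends the attribute or the string literal. The value is also decoded as HTML and as a URL before the JavaScript parser sees it, so escaping for the JavaScript string alone is incomplete in that context. After the two substitutions I would add `$input =~ s/(["<>&%\r\n])/sprintf('\\x%02x', ord($1))/ge;`, and treat that as a minimum rather than a complete encoder. The comment on the first substitution should say backslashes rather than `/'s`, and "Esacpe" is a typo.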
@@ -147,7 +174,9 @@
<html>
<script type="text/javascript">
function load() {
- window.opener.document.forms["$ENV{'form.form'}"].elements["$ENV{'form.element'}"].value='$ENV{'form.acts'}';
+ window.opener.document.forms["$ENV{'form.form'}"]
+ .elements["$ENV{'form.element'}"]
+ .value='$ENV{'form.acts'}';
$extra
window.close();
}
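Review bot: `$ENV{'form.form'}`, `$ENV{'form.element'}` and `$ENV{'form.acts'}` are still interpolated raw into the script block here, and `.value='$ENV{'form.acts'}'` is exactly the `'$variable'` case the log says this commit handles. These look like request form fields (inferred from the `form.` prefix), so a quote or `</script>` in any of them changes the generated script. A sub call cannot be interpolated in the template, so compute `my $acts = &javascript_escape($ENV{'form.acts'});` before the text and emit `.value='$acts';`. The two names sit in double-quoted literals, so they also need `"` escaped, which javascript_escape does not do. The template starts and ends outside this hunk.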
@@ -842,7 +871,8 @@
$diropen.'.gif"');
$r->print (' name="'.$msg.'" height="22" type="image" border="0">'.
"\n");
- $r->print ('<a href="javascript:gothere(\''.$filecom[0].
+ my $quotable_filecom = &javascript_escape($filecom[0]);
+ $r->print ('<a href="javascript:gothere(\''.$quotable_filecom.
'\')"><img src="'.$iconpath.'server.gif"');
$r->print (' border="0" /></a>'."\n");
$r->print (&mt("Domain")." - $listname ");
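Review bot: `$listname` is printed as HTML text on the last line of this hunk without entity encoding, although this commit accepts that the names it handles can contain quote characters. If `$listname` derives from a file, directory or other externally supplied name (not visible here), `<` and `&` need encoding, for example `$r->print (&mt("Domain")." - ".HTML::Entities::encode_entities($listname)." ");`, provided HTML::Entities is loaded in this file. The same applies to `>$listname</a>` in the hunk at -958 and to `"$listname</td>\n"` in the hunk at -1099.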
@@ -869,7 +899,9 @@
'.gif"');
$r->print (' name="'.$msg.'" height="22" type="image" border="0">'.
"\n");
- $r->print ('<a href="javascript:gothere(\''.$curdir.'\')"><img src='.
+ my $quotable_curdir = &javascript_escape($curdir);
+ $r->print ('<a href="javascript:gothere(\''.$quotable_curdir
+ .'\')"><img src='.
$iconpath.'quill.gif border="0" name="'.$msg.
'" height="22" /></a>');
my $domain=(split(m|/|,$startdir))[2];
@@ -898,8 +930,9 @@
$r->print("<tr valign='$valign' bgcolor=$fileclr><td nowrap='1' align='top'>");
if ($ENV{'form.catalogmode'} eq 'interactive') {
+ my $quotable_filelink = &javascript_escape($filelink);
$r->print("<a href=\"javascript:select_data(\'",
- $filelink,"')\">");
+ $quotable_filelink,"')\">");
$r->print("<img src='",$iconpath,"select.gif' border='0' /></a>".
"\n");
$r->print("</td><td nowrap>");
@@ -958,11 +991,14 @@
if ($filelink=~/\.(page|sequence)$/) {
$r->print('</form>');
}
- $r->print (" <a href=\"javascript:openWindow('".$filelink.
+ my $quotable_filelink = &javascript_escape($filelink);
+
+
+ $r->print (" <a href=\"javascript:openWindow('".$quotable_filelink.
"', 'previewfile', '450', '500', 'no', 'yes','yes')\";".
" TARGET=_self>$listname</a> ");
- $r->print (" (<a href=\"javascript:openWindow('".$filelink.
+ $r->print (" (<a href=\"javascript:openWindow('".$quotable_filelink.
".meta', 'metadatafile', '500', '550', 'no', 'yes','no')\"; ".
"TARGET=_self>metadata</a>) ");
$r->print("</td>\n");
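Review bot: `$quotable_filelink` is declared with `my` a second time here; the hunk at -898 already declares it inside the `if ($ENV{'form.catalogmode'} eq 'interactive')` block. If both belong to the same per-file branch (the lines between the hunks are not shown), compute it once before that `if` and reuse it, so the raw `$filelink` and its escaped form stay paired in one place. The two blank lines added after the declaration can be dropped.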
@@ -1022,7 +1058,9 @@
my $source = &Apache::lonnet::metadata($filelink,'sourceavail');
if($source eq 'open') {
my $sourcelink = &Apache::lonsource::make_link($filelink,$listname);
- $r->print('<td>'."<a href=\"javascript:openWindow('".$sourcelink.
+ my $quotable_sourcelink = &javascript_escape($sourcelink);
+ $r->print('<td>'."<a href=\"javascript:openWindow('"
+ .$quotable_sourcelink.
"', 'previewsource', '700', '700', 'no', 'yes','yes')\";".
" TARGET=_self>Yes</a> "."</td>\n");
} else { #A cuddled else. :P
@@ -1099,7 +1137,9 @@
'folder_pointer_'.$diropen.'.gif"');
$r->print (' name="'.$msg.'" height="22" type="image" border="0">'.
"\n");
- $r->print ('<a href="javascript:gothere(\''.$curdir.'\')"><img src="'.
+ my $quotable_curdir = &javascript_escape($curdir);
+ $r->print ('<a href="javascript:gothere(\''
+ .$quotable_curdir.'\')"><img src="'.
$iconpath.'folder_'.$diropen.'.gif" border="0" /></a>'.
"\n");
$r->print ("$listname</td>\n");