[LON-CAPA-cvs] cvs: loncom /interface lonindexer.pm

foxr lon-capa-cvs@mail.lon-capa.org
Wed, 20 Oct 2004 10:51:50 -0000


foxr		Wed Oct 20 06:51:50 2004 EDT

  Modified files:              
    /loncom/interface	lonindexer.pm 
  Log:
  Defect 3560 fix and probably a few other defects that
  have not yet been reported as I got rather global with
  this fix within this file.
  
  Escape strings going into javascript sequences so that
  - \  -> \\
  - '  -> \'
  
  This currently is intended to handle cases where javascript will be handed
  '$variable'.
  
  
  
  
Index: loncom/interface/lonindexer.pm
diff -u loncom/interface/lonindexer.pm:1.124 loncom/interface/lonindexer.pm:1.125
--- loncom/interface/lonindexer.pm:1.124	Sat Sep 25 13:58:01 2004
+++ loncom/interface/lonindexer.pm	Wed Oct 20 06:51:50 2004
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Directory Indexer
 #
-# $Id: lonindexer.pm,v 1.124 2004/09/25 17:58:01 matthew Exp $
+# $Id: lonindexer.pm,v 1.125 2004/10/20 10:51:50 foxr Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -73,6 +73,33 @@
 my @Omit = ();
 
 
+
+#
+#    Escapes strings that may have embedded 's that will be put into
+#    javascript strings as 'strings'.
+#    The assumptions are:
+#       There has been no effort to escape ' with \'
+#       Any \'s in the string are intended to be there as part of the URL
+#        and must also be escaped.
+# Parameters:
+#     input     - The string to escape.
+# Returns:
+#     The escaped string (' replaced by \' and \ replaced by \\).
+#
+sub javascript_escape {
+    my ($input) = @_;
+
+    #  I imagine a regexp wizard could combine the two expressions below.
+    #  If you do you might want to comment the result.
+
+    $input =~ s/\\/\\\\/g;	# Escape the /'s..(must be first)>
+    $input =~ s/\'/\\\'/g;	# Esacpe the 's....
+
+    return $input;
+}
+
+
+
 # ----------------------------- Handling routine called via Apache and mod_perl
 sub handler {
     my $r = shift;
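Review bot: `javascript_escape` neutralises only `\` and `'`, but every call site in this commit (the `gothere`, `select_data` and `openWindow` links in the hunks at -842, -869, -898, -958, -1022 and -1099) prints the result inside a double-quoted `href="javascript:…"` attribute. There a `"` in the value ends the attribute, and the browser applies HTML character-reference decoding and URL percent-decoding before the script is parsed, so an encoded quote can still reach the JavaScript string as a literal `'`. After the two existing substitutions I would add `$input =~ s/(["&<>%\r\n])/sprintf('\\x%02x',ord($1))/ge;` so those characters reach the page only as JavaScript `\xHH` escapes, and say in the header comment which output contexts the helper is safe for. The comment on the first substitution says `/'s` where the code escapes backslashes.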
@@ -147,7 +174,9 @@
 		<html>
 		<script type="text/javascript">
 		function load() {
-			window.opener.document.forms["$ENV{'form.form'}"].elements["$ENV{'form.element'}"].value='$ENV{'form.acts'}';
+			window.opener.document.forms["$ENV{'form.form'}"]
+			    .elements["$ENV{'form.element'}"]
+			    .value='$ENV{'form.acts'}';
 			$extra
 			window.close();
 		}
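Review bot: The `load()` assignment is only re-wrapped here, so `$ENV{'form.acts'}` is still interpolated raw into `.value='…'`, which is exactly the `'$variable'` case the new helper was written for. `$ENV{'form.form'}` and `$ENV{'form.element'}` are likewise interpolated raw into double-quoted script strings. These look like request form fields, so unless they are validated before this point (not visible in the hunk), a quote, backslash or `</script>` in any of them changes the script the page runs. I would compute `my $quotable_acts = &javascript_escape($ENV{'form.acts'});` before the block and interpolate `$quotable_acts`, and accept the form and element names only if they match an identifier pattern such as `/\A\w+\z/`. The enclosing `handler` body starts and ends outside the hunk.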
@@ -842,7 +871,8 @@
 		   $diropen.'.gif"'); 
 	$r->print (' name="'.$msg.'" height="22" type="image" border="0">'.
 		   "\n");
-	$r->print ('<a href="javascript:gothere(\''.$filecom[0].
+	my $quotable_filecom = &javascript_escape($filecom[0]);
+	$r->print ('<a href="javascript:gothere(\''.$quotable_filecom.
 		   '\')"><img src="'.$iconpath.'server.gif"');
 	$r->print (' border="0" /></a>'."\n");
 	$r->print (&mt("Domain")." - $listname ");
@@ -869,7 +899,9 @@
 		   '.gif"'); 
 	$r->print (' name="'.$msg.'" height="22" type="image" border="0">'.
 		   "\n");
-	$r->print ('<a href="javascript:gothere(\''.$curdir.'\')"><img src='.
+	my $quotable_curdir = &javascript_escape($curdir);
+	$r->print ('<a href="javascript:gothere(\''.$quotable_curdir
+		   .'\')"><img src='.
 		   $iconpath.'quill.gif border="0" name="'.$msg.
 		   '" height="22" /></a>');
 	my $domain=(split(m|/|,$startdir))[2];
@@ -898,8 +930,9 @@
 	$r->print("<tr valign='$valign' bgcolor=$fileclr><td nowrap='1' align='top'>");
 	
         if ($ENV{'form.catalogmode'} eq 'interactive') {
+	    my $quotable_filelink = &javascript_escape($filelink);
             $r->print("<a href=\"javascript:select_data(\'",
-                      $filelink,"')\">");
+                      $quotable_filelink,"')\">");
 	    $r->print("<img src='",$iconpath,"select.gif' border='0' /></a>".
 		      "\n");
 	    $r->print("</td><td nowrap>");
@@ -958,11 +991,14 @@
 	if ($filelink=~/\.(page|sequence)$/) {
 	    $r->print('</form>');
 	}
-	$r->print (" <a href=\"javascript:openWindow('".$filelink.
+	my $quotable_filelink = &javascript_escape($filelink);
+
+
+	$r->print (" <a href=\"javascript:openWindow('".$quotable_filelink.
 		   "', 'previewfile', '450', '500', 'no', 'yes','yes')\";".
 		   " TARGET=_self>$listname</a> ");
 
-	$r->print (" (<a href=\"javascript:openWindow('".$filelink.
+	$r->print (" (<a href=\"javascript:openWindow('".$quotable_filelink.
 		   ".meta', 'metadatafile', '500', '550', 'no', 'yes','no')\"; ".
 		   "TARGET=_self>metadata</a>) ");
 	$r->print("</td>\n");
@@ -1022,7 +1058,9 @@
 	    my $source = &Apache::lonnet::metadata($filelink,'sourceavail');
 	    if($source eq 'open') {
 		my $sourcelink = &Apache::lonsource::make_link($filelink,$listname);
-		$r->print('<td>'."<a href=\"javascript:openWindow('".$sourcelink.
+		my $quotable_sourcelink = &javascript_escape($sourcelink);
+		$r->print('<td>'."<a href=\"javascript:openWindow('"
+			  .$quotable_sourcelink.
 			  "', 'previewsource', '700', '700', 'no', 'yes','yes')\";".
 			  " TARGET=_self>Yes</a> "."</td>\n");
 	    } else { #A cuddled else. :P
@@ -1099,7 +1137,9 @@
 		   'folder_pointer_'.$diropen.'.gif"');
 	$r->print (' name="'.$msg.'" height="22" type="image" border="0">'.
 		   "\n");
-	$r->print ('<a href="javascript:gothere(\''.$curdir.'\')"><img src="'.
+	my $quotable_curdir = &javascript_escape($curdir);
+	$r->print ('<a href="javascript:gothere(\''
+		   .$quotable_curdir.'\')"><img src="'.
 		   $iconpath.'folder_'.$diropen.'.gif" border="0" /></a>'.
 		   "\n");
 	$r->print ("$listname</td>\n");