fixes interactive.harbor issues. ref #3418 #3420

Merged 4 commits, Sep 24, 2023
6 changes: 3 additions & 3 deletions src/libs/extra/interactive.liq
Expand Up @@ -495,7 +495,7 @@ def interactive.harbor(
}
}
if (interactive[i].type != 'button') {
data = data.concat(interactive[i].name+'='+interactive[i].value)+'&';
data = data.concat(interactive[i].name+'='+encodeURIComponent(interactive[i].value))+'&';
Collaborator

Is it just me, or does encodeURIComponent not exist?

Contributor Author

@ghostnumber7 Sep 23, 2023

encodeURIComponent is on the JavaScript side. It's standard (doc). Basically there to fix the issues with =&+ chars. Needed because those are special chars for URLs only (=& used for querystrings and + used as a space). An alternative solution would be to change the method to POST instead of using GET and use multipart/form-data or the like.

Collaborator

Just figured out this is JS code.

}
}
console.log('Posting: ' + data);
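Review bot: on the changed `data.concat(...)` line only `interactive[i].value` goes through `encodeURIComponent`; `interactive[i].name` is still concatenated raw, so a variable name containing `=`, `&` or `+` would corrupt the query string the same way the value did. Suggest encoding both sides: `encodeURIComponent(interactive[i].name)+'='+encodeURIComponent(interactive[i].value)`. The `console.log('Posting: ' + data)` context line also writes every submitted value to the browser console, which is worth dropping if it was only a debugging aid.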
Expand Down Expand Up @@ -530,7 +530,7 @@ def interactive.harbor(
description =
if description == "" then name else "#{description} (#{name})" end

add("<label for=#{name}>#{description}</label>")
add("<label for=#{name}>#{string.escape.html(description)}</label>")
common =
"id='#{name}' name='#{name}' class='interactive' onchange=\"send()\""

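Review bot: `name` is still interpolated unescaped into markup in this hunk: `for=#{name}` on the changed line is an unquoted attribute, and the `common` context lines build `id='#{name}' name='#{name}'` from the raw value. Suggest quoting the `for` attribute and passing `name` through `string.escape.html` in all three places, so a name containing a quote, a space or `>` cannot break out of the attribute.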
Expand Down Expand Up @@ -571,7 +571,7 @@ def interactive.harbor(
v.type == "string"
then
v = list.assoc(name, variables_string())
add("<input type='text' #{common} value='#{v.ref()}'>")
add("<input type='text' #{common} value='#{string.escape.html(v.ref())}'>")
elsif
v.type == "unit"
then
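Review bot: the `value='...'` attribute on the changed line is single-quoted, so it is safe only because `string.escape.html` maps `'` to `&#39;`. A short comment here saying so, or a test that renders a string variable containing a single quote, would keep a later change to the escape table from reopening the attribute breakout. `#{common}` on the same line still carries the raw `name`.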
26 changes: 26 additions & 0 deletions src/libs/string.liq
Expand Up @@ -381,3 +381,29 @@ let string.char.ascii.number = list.init(10, fun (c) -> c + 48)
def string.char.ascii.random(range=[...string.char.ascii]) =
string.char(list.nth(range, random.int(min=0, max=list.length(range) - 1)))
end

# Escape HTML entities.
# @category String
# @argsof string.escape[encoding]
def string.escape.html(%argsof(string.escape[encoding]), s) =
escaped =
[
("&", "&amp;"),
("<", "&lt;"),
(">", "&gt;"),
('"', "&quot;"),
("'", "&#39;")
]
def special_char(~encoding=_, c) =
list.assoc.mem(c, escaped)
end
def escape_char(~encoding=_, c) =
escaped[c]
end
string.escape(
%argsof(string.escape[encoding]),
special_char=special_char,
escape_char=escape_char,
s
)
end
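Review bot: the doc comment above `string.escape.html` says only "Escape HTML entities" and has no `@param s` line. Suggest documenting `s`, listing the five characters that are replaced, and stating that the output is meant for element content and quoted attribute values, since the `interactive.harbor` call sites depend on the `'` entry when they build single-quoted attributes.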
16 changes: 16 additions & 0 deletions tests/language/string.liq
Expand Up @@ -114,3 +114,19 @@ def f() =
end

test.check(f)

def test_escape_html() =
test.equals(string.escape.html("&"), "&amp;")
test.equals(string.escape.html("<"), "&lt;")
test.equals(string.escape.html(">"), "&gt;")
test.equals(string.escape.html('"'), "&quot;")
test.equals(string.escape.html("'"), "&#39;")
test.equals(string.escape.html("&<>\"'"), "&amp;&lt;&gt;&quot;&#39;")
test.equals(string.escape.html("not escaped"), "not escaped")
test.equals(string.escape.html("&quot;double escape&quot;"), "&amp;quot;double escape&amp;quot;")
test.equals(string.escape.html("\\"), "\\")
test.equals(string.escape.html("/"), "/")
test.equals(string.escape.html("`"), "`")
end

test.check(test_escape_html)
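Review bot: `test_escape_html` never exercises the empty string or non-ASCII input, although `string.escape.html` forwards an `encoding` argument to `string.escape`. Suggest adding `test.equals(string.escape.html(""), "")` and one case with a multi-byte character next to a special character, so a regression in how characters are split shows up here.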