diff options
| author | cash <cash.costello@gmail.com> | 2011-11-10 21:24:47 -0500 |
|---|---|---|
| committer | cash <cash.costello@gmail.com> | 2011-11-10 21:24:47 -0500 |
| commit | 8cf115081e7a168eb3f3c74b279dac7f4e258287 (patch) | |
| tree | e9a9ed6ac76722bcb6059d1a93e8aa98799a1c41 /js/lib | |
| parent | 2d43e8efdfa4e8281450e683e392091fe4dadf06 (diff) | |
| download | elgg-8cf115081e7a168eb3f3c74b279dac7f4e258287.tar.gz elgg-8cf115081e7a168eb3f3c74b279dac7f4e258287.tar.bz2 | |
Fixes #4010 not sending naked query strings into add ajax tokens and also fixed a few related bugs in JavaScript
Diffstat (limited to 'js/lib')
| -rw-r--r-- | js/lib/ajax.js | 6 | ||||
| -rw-r--r-- | js/lib/elgglib.js | 68 | ||||
| -rw-r--r-- | js/lib/security.js | 18 |
3 files changed, 28 insertions, 64 deletions
diff --git a/js/lib/ajax.js b/js/lib/ajax.js index 6f6ae052f..b3f39cc42 100644 --- a/js/lib/ajax.js +++ b/js/lib/ajax.js @@ -187,7 +187,11 @@ elgg.action = function(action, options) { options = elgg.ajax.handleOptions(action, options); - options.data = elgg.security.addToken(options.data); + // This is a misuse of elgg.security.addToken() because it is not always a + // full query string with a ?. As such we need a special check for the tokens. + if (!elgg.isString(options.data) || options.data.indexOf('__elgg_ts') == -1) { + options.data = elgg.security.addToken(options.data); + } options.dataType = 'json'; //Always display system messages after actions diff --git a/js/lib/elgglib.js b/js/lib/elgglib.js index ca7914e7c..81209ebd0 100644 --- a/js/lib/elgglib.js +++ b/js/lib/elgglib.js @@ -410,16 +410,6 @@ elgg.parse_url = function(url, component, expand) { // fragment + '(?:#(.*))?)', keys = { - 'mailto': { - 4: "scheme", - 5: "user", - 6: "host", - 9: "path", - 12: "query", - 13: "fragment" - }, - - 'standard': { 1: "scheme", 4: "user", 5: "pass", @@ -428,58 +418,28 @@ elgg.parse_url = function(url, component, expand) { 9: "path", 12: "query", 13: "fragment" - } }, - results = {}, - match_keys, - is_mailto = false; + results = {}; - var re = new RegExp(re_str); - var matches = re.exec(url); - - // if the scheme field is undefined it means we're using a protocol - // without :// and an @. Feel free to fix this in the re if you can >:O - if (matches[1] == undefined) { - match_keys = keys['mailto']; - is_mailto = true; - } else { - match_keys = keys['standard']; + if (url.indexOf('mailto:') === 0) { + results['scheme'] = 'mailto'; + results['path'] = url.replace('mailto:', ''); + return results; } - for (var i in match_keys) { - if (matches[i]) { - results[match_keys[i]] = matches[i]; - } + if (url.indexOf('javascript:') === 0) { + results['scheme'] = 'javascript'; + results['path'] = url.replace('javascript:', ''); + return results; } - // merge everything to path if not standard - if (is_mailto) { - var path = '', - new_results = {}; - - if (typeof(results['user']) != 'undefined' && typeof(results['host']) != 'undefined') { - path = results['user'] + '@' + results['host']; - delete results['user']; - delete results['host']; - } else if (typeof(results['user'])) { - path = results['user']; - delete results['user']; - } else if (typeof(results['host'])) { - path = results['host']; - delete results['host']; - } - - if (typeof(results['path']) != 'undefined') { - results['path'] = path + results['path']; - } else { - results['path'] = path; - } + var re = new RegExp(re_str); + var matches = re.exec(url); - for (var prop in results) { - new_results[prop] = results[prop]; + for (var i in keys) { + if (matches[i]) { + results[keys[i]] = matches[i]; } - - results = new_results; } if (expand && typeof(results['query']) != 'undefined') { diff --git a/js/lib/security.js b/js/lib/security.js index 726c6b767..61aa1cfcd 100644 --- a/js/lib/security.js +++ b/js/lib/security.js @@ -60,7 +60,7 @@ elgg.security.refreshToken = function() { /** - * Add elgg action tokens to an object, URL, or query string. + * Add elgg action tokens to an object, URL, or query string (with a ?). * * @param {Object|string} data * @return {Object} The new data object including action tokens @@ -75,17 +75,17 @@ elgg.security.addToken = function(data) { args = {}, base = ''; - if (parts['host'] == data) { - if (data.indexOf('=') > -1) { + if (parts['host'] == undefined) { + if (data.indexOf('?') === 0) { // query string - args = elgg.parse_str(data); - } else { - // relative URL - base = data + '?'; + base = '?'; + args = elgg.parse_str(parts['query']); } } else { - // a URL - if (typeof parts['query'] != 'undefined') { + // full or relative URL + + if (parts['query'] != undefined) { + // with query string args = elgg.parse_str(parts['query']); } var split = data.split('?'); |