* i2psnark: More escape fixes

2014-09-12 18:38:11 +00:00
parent 09dfea7dea
commit 682534f468
3 changed files with 33 additions and 3 deletions
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@ -1520,7 +1520,8 @@ public class I2PSnarkServlet extends BasicServlet {
                // Can't figure out how to escape double quotes inside the onclick string.
                // Single quotes in translate strings with parameters must be doubled.
                // Then the remaining single quote must be escaped
-                out.write(_("Are you sure you want to delete the file \\''{0}\\'' (downloaded data will not be deleted) ?", snark.getName()));
+                out.write(_("Are you sure you want to delete the file \\''{0}\\'' (downloaded data will not be deleted) ?",
+                            escapeJSString(snark.getName())));
                out.write("')) { return false; }\"");
                out.write(" src=\"" + _imgPath + "remove.png\" alt=\"");
                out.write(_("Remove"));
@ -1540,7 +1541,8 @@ public class I2PSnarkServlet extends BasicServlet {
            // Can't figure out how to escape double quotes inside the onclick string.
            // Single quotes in translate strings with parameters must be doubled.
            // Then the remaining single quote must be escaped
-            out.write(_("Are you sure you want to delete the torrent \\''{0}\\'' and all downloaded data?", fullBasename));
+            out.write(_("Are you sure you want to delete the torrent \\''{0}\\'' and all downloaded data?",
+                        escapeJSString(fullBasename)));
            out.write("')) { return false; }\"");
            out.write(" src=\"" + _imgPath + "delete.png\" alt=\"");
            out.write(_("Delete"));
@ -1652,6 +1654,20 @@ public class I2PSnarkServlet extends BasicServlet {
        }
    }

+    /**
+     *  Make it JS and HTML-safe
+     *  @since 0.9.15
+     *  http://stackoverflow.com/questions/8749001/escaping-html-entities-in-javascript-string-literals-within-the-script-block
+     */
+    private static String escapeJSString(String s) {
+        return s.replace("\\", "\\u005c")
+                .replace("<", "\\u003c")
+                .replace(">", "\\u003e")
+                .replace("\"", "\\u0022")
+                .replace("'", "\\u0027")
+                .replace("&", "\\u0026");
+    }
+
    /**
     *  Get version from bytes 3-6
     *  @return " w.x.y.z" or ""
--- a/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
@ -85,6 +85,8 @@ class URIUtil
                    case '>':
                    case ' ':
                    case ':':
+                    case '[':
+                    case ']':
                        buf=new StringBuilder(path.length()*2);
                        break loop;
                    default:
@ -143,6 +145,12 @@ class URIUtil
                      case ':':
                          buf.append("%3A");
                          continue;
+                      case '[':
+                          buf.append("%5B");
+                          continue;
+                      case ']':
+                          buf.append("%5D");
+                          continue;
                      default:
                          if (c <= 0x1f) // includes negative
                              toHex(c,buf);
@ -190,6 +198,12 @@ class URIUtil
                        case ':':
                            buf.append("%3A");
                            continue;
+                        case '[':
+                            buf.append("%5B");
+                            continue;
+                        case ']':
+                            buf.append("%5D");
+                            continue;
                        default:
                            if (c <= 0x1f || (c >= 0x7f && c <= 0x9f) || Character.isSpaceChar(c))
                                toHex(c,buf);