From 682534f468131f79d09ef3138a44805764fc2014 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Fri, 12 Sep 2014 18:38:11 +0000
Subject: [PATCH] * i2psnark: More escape fixes

---
 .../org/klomp/snark/web/I2PSnarkServlet.java | 20 +++++++++++++++++--
 .../java/src/org/klomp/snark/web/URIUtil.java | 14 +++++++++++++
 .../src/net/i2p/router/RouterVersion.java | 2 +-
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 9e346db710..a6efd082ae 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -1520,7 +1520,8 @@ public class I2PSnarkServlet extends BasicServlet {
 // Can't figure out how to escape double quotes inside the onclick string.
 // Single quotes in translate strings with parameters must be doubled.
 // Then the remaining single quote must be escaped
- out.write(_("Are you sure you want to delete the file \\''{0}\\'' (downloaded data will not be deleted) ?", snark.getName()));
+ out.write(_("Are you sure you want to delete the file \\''{0}\\'' (downloaded data will not be deleted) ?",
+ escapeJSString(snark.getName())));
 out.write("')) { return false; }\"");
 out.write(" src=\"" + _imgPath + "remove.png\" alt=\"");
 out.write(_("Remove"));
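Review bot: The comment `// Can't figure out how to escape double quotes inside the onclick string.` at the top of this hunk is stale now that the name goes through escapeJSString(), which (in the hunk that adds it) rewrites `"` as `\u0022` and `<`, `>`, `\`, `'`, `&` the same way, so none of them can close the single-quoted JS literal or the double-quoted onclick attribute. I would replace that line with `// The name is passed through escapeJSString() so quotes, angle brackets, backslashes and ampersands cannot terminate the JS literal or the onclick attribute.` and keep the two lines about doubled single quotes, which still describe the translated format string. The same three-line comment is repeated above the second call site in the next hunk and should be updated in step. The enclosing method starts and ends outside this hunk.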
@@ -1540,7 +1541,8 @@ public class I2PSnarkServlet extends BasicServlet {
 // Can't figure out how to escape double quotes inside the onclick string.
 // Single quotes in translate strings with parameters must be doubled.
 // Then the remaining single quote must be escaped
- out.write(_("Are you sure you want to delete the torrent \\''{0}\\'' and all downloaded data?", fullBasename));
+ out.write(_("Are you sure you want to delete the torrent \\''{0}\\'' and all downloaded data?",
+ escapeJSString(fullBasename)));
 out.write("')) { return false; }\"");
 out.write(" src=\"" + _imgPath + "delete.png\" alt=\"");
 out.write(_("Delete"));
@@ -1652,6 +1654,20 @@ public class I2PSnarkServlet extends BasicServlet {
 }
 }
+ /**
+ * Make it JS and HTML-safe
+ * @since 0.9.15
+ * http://stackoverflow.com/questions/8749001/escaping-html-entities-in-javascript-string-literals-within-the-script-block
+ */
+ private static String escapeJSString(String s) {
+ return s.replace("\\", "\\u005c")
+ .replace("<", "\\u003c")
+ .replace(">", "\\u003e")
+ .replace("\"", "\\u0022")
+ .replace("'", "\\u0027")
+ .replace("&", "\\u0026");
+ }
+
 /**
 * Get version from bytes 3-6
 * @return " w.x.y.z" or ""
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java b/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
index 10f33b0227..858b9aec8d 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
@@ -85,6 +85,8 @@ class URIUtil
 case '>':
 case ' ':
 case ':':
+ case '[':
+ case ']':
 buf=new StringBuilder(path.length()*2);
 break loop;
 default:
@@ -143,6 +145,12 @@ class URIUtil
 case ':':
 buf.append("%3A");
 continue;
+ case '[':
+ buf.append("%5B");
+ continue;
+ case ']':
+ buf.append("%5D");
+ continue;
 default:
 if (c <= 0x1f) // includes negative
 toHex(c,buf);
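Review bot: escapeJSString() leaves CR, LF, U+2028 and U+2029 untouched, and inside a single-quoted JS string literal those characters end the literal (the last two in engines predating ES2019), so a name carrying one of them — torrent names come from the .torrent file, so I would not rule that out — turns the whole onclick handler into a syntax error; the confirm() guard then never runs and the click proceeds as if the user had confirmed. Adding `.replace("\r", "\\u000d").replace("\n", "\\u000a")` and `.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")` to the chain closes that gap without changing how the existing six characters are handled. Order also matters: the backslash replacement must stay first or it would re-escape the `\u` sequences emitted by the later calls, which deserves a one-line comment on that first call. The Javadoc `Make it JS and HTML-safe` overstates the contract; I would write `Escape s for embedding in a JS string literal (inside a quoted HTML attribute or a script block); elsewhere the \uXXXX sequences are shown literally.`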
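Review bot: The `case '['` / `case ']'` entries added to the pre-scan switch at line 85 extend a character list that now lives in three switch statements — this pre-scan and the two encoding loops patched at lines 145 and 198 — with nothing tying them together, so a character added to one and forgotten in another makes the pre-scan either skip a path that needs encoding or allocate a buffer for nothing. A comment on this case list such as `// keep in sync with the two encode loops below` (and its mirror on each loop) is the minimum; a single static lookup shared by all three would remove the duplication. Encoding `[` and `]` in a path is the right call: RFC 3986 lists them as gen-delims that are only legal unescaped in an IPv6 host literal. The method this switch belongs to starts and ends outside the hunk.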
@@ -190,6 +198,12 @@ class URIUtil
 case ':':
 buf.append("%3A");
 continue;
+ case '[':
+ buf.append("%5B");
+ continue;
+ case ']':
+ buf.append("%5D");
+ continue;
 default:
 if (c <= 0x1f || (c >= 0x7f && c <= 0x9f) || Character.isSpaceChar(c))
 toHex(c,buf);
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 421ff4f630..098e16d499 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
 /** deprecated */
 public final static String ID = "Monotone";
 public final static String VERSION = CoreVersion.VERSION;
- public final static long BUILD = 16;
+ public final static long BUILD = 17;
 /** for example "-test" */
 public final static String EXTRA = "-rc";
-- GitLab