@sgiehl opened this Pull Request on September 29th 2020 Member

fixes #16433

@sanchezzzhak commented on September 29th 2020

encodeURIComponent does not escape the special characters !'()*
Here is a helper method that safely escapes a value:

/**
 * Percent-encode a value for use as a query-string key or value.
 *
 * encodeURIComponent leaves the characters ! ' ( ) * untouched, although
 * RFC 3986 lists them as reserved sub-delimiters. They are encoded here as
 * upper-case %XX escapes so a receiving parser sees only an escaped form.
 *
 * @param {*} param - Value to encode; it is stringified by encodeURIComponent.
 * @returns {string} The fully percent-encoded string.
 */
function buildQueryEscape(param) {
  const encoded = encodeURIComponent(param);
  const toPercentHex = (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase();
  return encoded.replace(/[!'()*]/g, toPercentHex);
}

To create a key and value string, I use the equivalent of http_query_builder, which is found in PHP

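/**
 * Build a URL query string from a (possibly nested) object, modelled on PHP's
 * http_build_query.
 *
 * Every key and every value is passed through buildQueryEscape, so reserved
 * characters (including the brackets of nested keys such as `a[b]`) reach the
 * output only in percent-encoded form. argSeparator is inserted verbatim and
 * is NOT encoded, so it must come from trusted code, never from user input.
 *
 * Entries whose value is '', undefined or null are omitted. Nested objects
 * and arrays that serialise to nothing (null, {}, [], or containers holding
 * only empty values) are omitted as well, so the result never contains empty
 * segments such as `a=1&&b=2`.
 *
 * @param {?Object} queryData - Data to serialise; null or undefined yields ''.
 * @param {?string} [numericPrefix=null] - Prepended to numeric keys of scalar
 *   values at this level; nested levels are always called without a prefix.
 * @param {string} [argSeparator='&'] - String placed between pairs.
 * @param {?string} [tempKey=null] - Parent key used while recursing; callers
 *   normally leave it unset.
 * @returns {string} The encoded query string, without a leading '?'.
 */
function buildQuery(queryData, numericPrefix = null, argSeparator = '&', tempKey = null) {
  // Nothing to serialise; `== null` also covers undefined, which would
  // otherwise make Object.keys throw.
  if (queryData == null) {
    return '';
  }

  const pairs = [];
  for (const name of Object.keys(queryData)) {
    const value = queryData[name];
    let key = tempKey ? `${tempKey}[${name}]` : name;

    if (typeof value === 'object') {
      // typeof null is 'object' too: null and empty containers come back as
      // '' and must be skipped, otherwise join() emits doubled separators.
      const nested = buildQuery(value, null, argSeparator, key);
      if (nested !== '') {
        pairs.push(nested);
      }
      continue;
    }

    // Empty scalars are left out of the query string entirely.
    if (value === '' || value === undefined) {
      continue;
    }

    if (numericPrefix) {
      const isNum = !Number.isNaN(Number.parseFloat(key)) && Number.isFinite(Number(key));
      if (isNum) {
        key = numericPrefix + Number(key);
      }
    }

    // Booleans are sent as 1 / 0.
    let val = value;
    if (val === true) {
      val = '1';
    } else if (val === false) {
      val = '0';
    }

    pairs.push(buildQueryEscape(key) + '=' + buildQueryEscape(val));
  }

  // Keys and values are already percent-encoded above, so this strip can only
  // remove !'()* characters that came from argSeparator. Kept for
  // compatibility with existing callers.
  return pairs.join(argSeparator).replace(/[!'()*]/g, '');
}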

test

https://jsfiddle.net/sanchezzzhak/bs3fq7jg/9/

image

@tsteur commented on September 29th 2020 Member

@sgiehl looks good

@sanchezzzhak thanks for this. Didn't even know. Do these characters need to be escaped in the URL? I was reading https://stackoverflow.com/questions/18251399/why-doesnt-encodeuricomponent-encode-single-quotes-apostrophes/18251730 and it may not be needed?

Note that angular will also escape it further to prevent eg any XSS.

@sanchezzzhak commented on September 29th 2020

@tsteur I had problems parsing GET query-string data in Node.js when it contained special characters,
so I wondered how PHP does it:
https://3v4l.org/cvjla

@tsteur commented on September 29th 2020 Member

Thanks @sanchezzzhak. For now we only rename the parameters to fix the particular issue; we could then apply the other fix in a separate PR, if you're keen on creating one?

@sanchezzzhak commented on September 30th 2020

@tsteur I'm currently busy adding device definitions. Maybe when I have nothing to do.

This Pull Request was closed on September 29th 2020