execsync fails if passed special characters - javascript

I am trying to run a some commands on video files for processing. The video filenames may contain special characters like spaces, ' and ", among others. Because of this, my first attempt breaks on multiple files:
objMedInfo = JSON.parse(proc.execSync('mediainfo "' + currentfilename + '" --output=JSON').toString());
I then thought perhaps a different format would be more robust:
objMedInfo = JSON.parse(proc.execSync("mediainfo", [currentfilename,"--output=JSON"]).toString());
However, it won't run at all. Can someone help?
(Particularly, why doesn't the second form work?)

Not sure if this will help, and seems like a band-aid.
execSync in node.js doesn't run shell command properly
Hopefully can provide some help until someone smarter sees this :).

You need to escape the quotes and prevent any cmd injection shinanigans.
function shellescape(a) {
let ret = []
a.forEach(function (s) {
if (/[^A-Za-z0-9_/:=-]/.test(s)) {
s = "'" + s.replace(/'/g, "'\\''") + "'"
s = s.replace(/^(?:'')+/g, '').replace(/\\'''/g, "\\'")
}
ret.push(s)
})
return ret.join(' ')
}
currentfilename = 'filenames"with\'quotesAnd Spaces;shutdown now;.jpg'
console.log('mediainfo ' + shellescape([currentfilename]) + ' --output=JSON')
// mediainfo 'filenames"with'\''quotesAnd Spaces;shutdown now;.jpg' --output=JSON

Related

Javascript .indexof 'typeError' error despite forcing string conversion

JS drives me insane with issues like this. I have the following code which creates a string (composed of session data and date information) to be written to an array, as such:
var _writes = String(req.session.subscriber + ":" + req.session.postal + "[" + req.session.id + "]=" + _onYear + "-" + _onMonth + "-" + _onDay + "-" + _onHour + "-" + _onMinute);
_users.push(_writes);
Later, I wish to perform an 'indexof' command on the string of the array, as such:
for (_cycle = 0; _cycle < _users.length; ++_cycle) {
_seeks = String(_users[_cycle]);
_score = _seeks.indexof("="); //ERROR THROWN HERE
//do other stuff here...
} //for loop
My error is "TypeError: _seeks.indexof is not a function"...? I thought by converting everything to a string I should be able to perform the 'indexof' command. Can somebody please advise what the issue is here? I thank you in advance.
Probably not a js issue. You are using "indexof" instead of "indexOf" (Uppercase O). Check https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf
It should be:
_seeks.indexOf("=");
Don't give up, it will make sense soon :)

Parse email by RegExp in JavaScript in one line; make right case insensitive but keep left

From my code:
//yagh ... apparently there's an off-chance email is case sensitive ...
console.log('yooooooooo0 ' + name.substr(name.indexOf('#')+1));
//console.log('yooooooooo1 ' + name.substr(name.indexOf('#')+1).toLowercase());
console.log('yooooooooo1 ' + name.substr(name.indexOf('#')+1).toLowerCase());
console.log('yooooooooo2 ' + name.substr(name.indexOf('#'),0));
console.log('yooooooooo3 ' + name.split('#')[0]);
console.log('yooooooooo4 ' + /[^#]*/.exec(name)[0]);//hmmm mh
console.log('yooooooooo4_2 ' + /[^#]*$/.exec(name)[0]);//hmmm mh
//hm yea okay ya
console.log(name);//nondestructive and
//pff ...
console.log((/[^#]*/.exec(name)[0])+'#'+(/[^#]*$/.exec(name)[0]).toLowerCase);
let tmp = (/[^#]*/.exec(name)[0])+'#'+ (/[^#]*$/.exec(name)[0]).toLowerCase;
console.log(tmp);
console.log((/[^#]*/.exec(name)[0])+'#'+name.substr(name.indexOf('#')+1).toLowerCase());
var pass = $('#pass1').val();
var crypto = window.crypto || window.msCrypto;
if(crypto.subtle)
{
Say the email that comes with is a#b.C. The point is, I just found that email is only case insensitive right of the #. In theory, admins can choose to let that slide, but in practice most won't to prevent confusion (is what I read).
I want:
console.log((/[^#]*/.exec(name)[0])+'#'+(/[^#]*$/.exec(name)[0]).toLowerCase);
I have a working bit that is:
console.log((/[^#]*/.exec(name)[0])+'#'+name.substr(name.indexOf('#')+1).toLowerCase());
The first one gives me:
a#function toLowerCase(){
[native code]
}
And the second:
a#b.c
Which is fine, but the first one is prettier and less readable, which is great since no one else will be on it, ever.
Is there some way to make the first one work? (Assigning it to let tmp= gives the same reply when log (tmp).
Replace
console.log((/[^#]*/.exec(name)[0])+'#'+(/[^#]*$/.exec(name)[0]).toLowerCase);
by
console.log((/[^#]*/.exec(name)[0])+'#'+(/[^#]*$/.exec(name)[0]).toLowerCase());
You could also do this
const email = 'some.name#some_domain.com'
const [name, domain] = email.split('#')
console.log(`${name}#${domain}`);

First character of a string fusionning with a %

So i'm sending a String with javascript to a php page :
if(cp.value!=''){
s+=cp.name +" LIKE '%"+ cp.value +"%'";
console.log(s);
if(sec.value!=''){
s+=" AND "+sec.name+" LIKE '%"+ sec.value +"%'";
console.log(s);
}
}
else{
if(sec.value!=''){disappear
s+=sec.name+" LIKE '%"+ sec.value +"%'";
}
}
console.log(s);
if(s.length!=0){
var connect = new XMLHttpRequest();
connect.onreadystatechange=function(){
if (connect.readyState==4 && connect.status==200){
var resu=connect.responseText;
console.log(resu);
var tab=document.getElementById("main_tab");
tab.innerHTML=resu;
}
};
connect.open("POST","../../Controller/stage.php",false);
connect.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
connect.send("s="+s);
}
}
The string sent is for exemple :
CP_Stage LIKE '%90%' AND secteur_stage LIKE '%ait%'
But when i print the request in the php page i have something like :
SELECT * FROM Stage WHERE CP_Stage LIKE '�%' AND secteur_stage LIKE '%ait%';
i have no idea why my first number disappear with the first %.
If anyone have an idea it would be awesome, thanks !
The percent-sign is a special charcter. Any special characters like %,&,? etc need to be encoded. Your "%90" is converted to an Ascii-Value. You have to encode these values with encodeURIComponent.
s += cp.name + " LIKE '" + encodeURIComponent("%" + cp.value + "%") + "'";
Note that encodeURIComponent does not escape the ' character. If your cp.value has an ' you have to replace it with its encoding value: %27.
By the way.. its a bad idea to send mySQL-queries from client-side - thats a major security flaw. Send only the values and build your queries on server-side.

Unexpected Token Illegal with onclick Java Script in Salesforce.com

I have been working on this most of the morning but to no end. I am trying to execute a button that uses OnClick Java in Salesforce.com and it keeps throwing errors. I think the issue may be with special characters in the data as it works when I simply use just text. But any time numbers or any special characters are present I get the error "unexpected token ILLEGAL". Can anyone help me to see what I am doing wrong and how I can get away from failing when special characters are involved?
{!REQUIRESCRIPT("/soap/ajax/28.0/connection.js")}
var opptyObj = new sforce.SObject("Opportunity");
var caseObj = new sforce.SObject("Case");
var today = new Date();
var sOpptyId = "{!Case.Opportunity__c}";
if( sOpptyId != "")
{
alert("This case is already tied to an opportunity!");
}
else
{
opptyObj.AccountId = "{!Case.AccountId}";
opptyObj.CloseDate = sforce.internal.dateTimeToString(today);
opptyObj.Description="{!Case.Description}";
opptyObj.Case__c = "{!Case.Id}";
opptyObj.Name = "{!Case.Subject}";
opptyObj.StageName = "Estimate in Progress";
opptyObj.Created_from_Case__c = "Y";
opptyObj.Type = "New Business";
opptyObj.Amount = ".01";
var opptyresult = sforce.connection.create([opptyObj]);
if (opptyresult[0].success=='false')
{
alert("Opportunity creation failed: " + opptyresult[0].errors.message);
}
else
{
caseObj.Id = '{!Case.Id}';
caseObj.Opportunity__c = opptyresult[0].id;
caseObj.Status = "Estimate in Progress";
var caseResult = sforce.connection.update([caseObj]);
if(caseResult[0].success == 'false')
{
alert("Case update failed: " + caseResult[0].errors.message);
}
else
{
alert("An opportunity has been created and linked to this case.");
location.reload(true);
}
}
}
Assuming this is some kind of template, whatever is rendering this needs to properly escape some values in the strings it's inserting.
Given this:
opptyObj.Description="{!Case.Description}";
Let's say I enter a description consisting of this:
"That is awesome," said John.
When that is rendered in your template the result is this:
opptyObj.Description=""That is awesome," said John.";
As you might be able to see, the result is a syntax error.
You need to escape quote characters in an text inserted this way. And without knowing what is technology rendering this template I can't give you any specifics, but you want to replace " with \" and ' with \'. The \ escapes characters, forcing them to be treated as literal characters in the string instead of other special meaning.
This must be done as it's being inserted into the script. Something in the spirit of this:
opptyObj.Description="{!Case.Description.replace(/'/, "\\'").replace(/"/, '\\"')}
Exactly how to do that depends on what language or template engine is being used here. But th eresult should look like this:
opptyObj.Description="\"That is awesome,\" said John.";
Ruby on Rails implements an escape_javascript method, which sanitizes data for injection into Javascript. It does the following replacements. It seems like a good baseline.
'\\' => '\\\\'
'</' => '<\/'
"\r\n" => '\n'
"\n" => '\n'
"\r" => '\n'
'"' => '\\"'
"'" => "\\'"
UPDATE:
According to this: http://www.salesforce.com/us/developer/docs/pages/Content/pages_security_tips_scontrols.htm
It looks like you want the JSENCODE function. Something like this, perhaps?
opptyObj.Description="{!JSENCODE(Case.Description)}";

Why are there non-breaking spaces in my page title?

I'm injecting a script via JSONP and using it to call a method in my web application like so:
(function jsonp(src){
var b = document.body;
var t = document.title;
var u = encodeURI(document.location.href);
var o = document.getElementById('srv-call');
o && b.removeChild(o);
var s = document.createElement('script');
s.id = 'srv-call';
s.src = src + '?w=' + textSelection + '&cb=autoCall&u=' + u + '&pt=' + t + '&t=' + (new Date().getTime());
b.appendChild(s);
})('http://localhost:8888/wordmark/words/add_word');
Unfortunately, my document.title is getting filled with non-breaking spaces. An example http request is this:
http://localhost:8888/wordmark/words/add_word?w=problems&cb=autoCall&u=http://www.boingboing.net/2010/10/01/kid-demonstrates-eng.html&pt=%E2%80%8BK%E2%80%8Bi%E2%80%8Bd%E2%80%8B%20%E2%80%8Bd%E2%80%8Be%E2%80%8Bm%E2%80%8Bo%E2%80%8Bn%E2%80%8Bs%E2%80%8Bt%E2%80%8Br%E2%80%8Ba%E2%80%8Bt%E2%80%8Be%E2%80%8Bs%E2%80%8B%20%E2%80%8BE%E2%80%8Bn%E2%80%8Bg%E2%80%8Bl%E2%80%8Bi%E2%80%8Bs%E2%80%8Bh%E2%80%8B%20%E2%80%8Bl%E2%80%8Ba%E2%80%8Bn%E2%80%8Bg%E2%80%8Bu%E2%80%8Ba%E2%80%8Bg%E2%80%8Be%E2%80%8B%20%E2%80%8Bi%E2%80%8Bn%E2%80%8B%20%E2%80%8B2%E2%80%8B4%E2%80%8B%20%E2%80%8Ba%E2%80%8Bc%E2%80%8Bc%E2%80%8Be%E2%80%8Bn%E2%80%8Bt%E2%80%8Bs%E2%80%8B%20%E2%80%8B-%E2%80%8B%20%E2%80%8BB%E2%80%8Bo%E2%80%8Bi%E2%80%8Bn%E2%80%8Bg%E2%80%8B%20%E2%80%8BB%E2%80%8Bo%E2%80%8Bi%E2%80%8Bn%E2%80%8Bg&t=1285982312594
The script that is injected in the page has the correct src, but the HTTP request is incorrect. Any idea why these are being inserted and if I have any way to avoid this, other than parsing them out via regex?
Thanks so much for any help you can give.
And I just realized the culprit. I apologize for wasting everyone's time, but in the event anyone else runs across this problem, the issue was the SMRT Safari Extension to alter Safari's URL auto-complete feature. -1 for me for not disabling all extensions and trying multiple browsers. Thanks, all.
Have you tried with decodeURIComponent(t) instead of just t?
s.src = src + '?w=' + textSelection + '&cb=autoCall&u=' + u + '&pt=' + decodeURIComponent(t) + '&t=' + (new Date().getTime());
what you need to do is take the variable t off in your line that says
s.src = src + '?w=' + textSelection + '&cb=autoCall&u=' + u + '&pt=' + t + '&t=' + (new Date().getTime());
so your link would look something like this instead:
http://localhost:8888/wordmark/words/add_word?w=problems&cb=autoCall&u=http://www.boingboing.net/2010/10/01/kid-demonstrates-eng.html&&t=1285982312594
and if you must have the t variable then insert it into the line like so
....(code before) '&pt=' + decodeURIComponent(t) + (code after)......
Hope this helps. thanks
PK
Those are not non-breaking spaces, but zero-width spaces (U+200B). They are normally not visible, and may be present in the original title (for text wrapping, or whatever other reason).

Categories

Resources