javascript and html character escaping - javascript

I have this problem:
I have a javascript, saved in a database field, that is going to be used in a web page as a href target, e.g.
insert into table_with_links (id, url)
values (1, 'javascript:var url="blö blö";.....');
// run scripts that use the database values to generate web pages
// part of the generated html code:
<a href="javascript:var url='blabla';..... </a>
So far no problems. I have german letters (Umlaute - e.g. ö) in the javascript. I shouldn't save the german letters in the database, so I escape them:
insert into table_with_links (id, url)
values (1, 'javascript:var url="bl%F6 bl%F6";.....');
Now comes the problem - I shouldn't store the % sign in the database either, because the scripts that generate the web pages cannot handle it properly. I guess you can imagine how these scripts are 3-rd party scripts and cannot be changed.
So, my question is - can I also escape the % sign?

did you tryed this? :
var str= "remove the %";
var str_n = str.replace("%","");
here are the basics http://www.w3schools.com/jsref/jsref_replace.asp
then you can use an array of chars to replace take a look here javascript replace globally with array

I would suggest using oracle's built in internationalization, Oracle is capable of handling special german characters:
http://docs.oracle.com/cd/B19306_01/appdev.102/b14258/u_i18n.htm
If you want to handle it on your own, I would suggest doing a string replace to some sequence you know:
var str = str.replace(/ö/g,"[german-umlaute]");
(the g at the end of /ö/g is to replace all occurrences in the string)

Related

Regex in Google Apps Script practical issue. Forms doesn't read regex as it should

I hope its just something i'm not doing right.
I've been using a simple script to create a form out of a spreadsheet. The script seems to be working fine. The output form is going to get some inputs from third parties so i can analyze them in my consulting activity.
Creating the form was not a big deal, the structure is good to go. However, after having the form creator script working, i've started working on its validations, and that's where i'm stuck at.
For text validations, i will need to use specific Regexes. Many of the inputs my clients need to give me are going to be places' and/or people's names, therefore, i should only allow them usign A-Z, single spaces, apostrophes and dashes.
My resulting regexes are:
//Regex allowing a **single name** with the first letter capitalized and the occasional use of "apostrophes" or "dashes".
const reg1stName = /^[A-Z]([a-z\'\-])+/
//Should allow (a single name/surname) like Paul, D'urso, Mac'arthur, Saint-Germaine ecc.
//Regex allowing **composite names and places names** with the first letter capitalized and the occasional use of "apostrophes" or "dashes". It must avoid double spaces, however.
const regNamesPlaces = /^[^\s]([A-Z]|[a-z]|\b[\'\- ])+[^\s]$/
//This should allow (names/surnames/places' names) like Giulius Ceasar, Joanne D'arc, Cosimo de'Medici, Cosimo de Medici, Jean-jacques Rousseau, Firenze, Friuli Venezia-giulia, L'aquila ecc.
Further in the script, these Regexes are called as validation pattern for the forms text items, in accordance with each each case.
//Validation for single names
var val1stName = FormApp.createTextValidation()
.setHelpText("Only the person First Name Here! Use only (A-Z), a single apostrophe (') or a single dash (-).")
.requireTextMatchesPattern(reg1stName)
.build();
//Validation for composite names and places names
var valNamesPlaces = FormApp.createTextValidation()
.setHelpText(("Careful with double spaces, ok? Use only (A-Z), a single apostrophe (') or a single dash (-)."))
.requireTextMatchesPattern(regNamesPlaces)
.build();
Further yet, i have a "for" loop that creates the form based on the spreadsheets fields. Up to this point, things are working just fine.
for(var i=0;i<numberRows;i++){
var questionType = data[i][0];
if (questionType==''){
continue;
}
else if(questionType=='TEXTNamesPlaces'){
form.addTextItem()
.setTitle(data[i][1])
.setHelpText(data[i][2])
.setValidation(valNamesPlaces)
.setRequired(false);
}
else if(questionType=='TEXT1stName'){
form.addTextItem()
.setTitle(data[i][1])
.setHelpText(data[i][2])
.setValidation(val1stName)
.setRequired(false);
}
The problem is when i run the script and test the resulting form.
Both validations types get imported just fine (as can be seen in the form's edit mode), but when testing it in preview mode i get an error, as if the Regex wasn't matching (sry the error message is in portuguese, i forgot to translate them as i did with the code up there):
A screenshot of the form in edit mode
A screeshot of the form in preview mode
However, if i manually remove the bars out of this regex "//" it starts working!
A screenshot of the form in edit mode, Regex without bars
A screenshot of the form in preview mode, Regex without bars
What am i doing wrong? I'm no professional dev but in my understanding, it makes no sense to write a Regex without bars.
If this is some Gforms pattern of reading regexes, i still need all of this to be read by the Apps script that creates this form after all. If i even try to pass the regex without the bars there, the script will not be able to read it.
const reg1stName = ^[A-Z]([a-z\'])+
const regNamesPlaces = ^[^\s]([A-Z]|[a-z]|\b[\'\- ])+[^\s]$
//Can't even be saved. Returns: SyntaxError: Unexpected token '^' (line 29, file "Code.gs")
Passing manually all the validations is not an option. Can anybody help me?
Thanks so much
This
/^[A-Z]([a-z\'\-])+/
will not work because the parser is trying to match your / as a string literal.
This
^[A-Z]([a-z\'\-])+
also will not work, because if the name is hyphenated, you will only match up to the hyphen. This will match the 'Some-' in 'Some-Name', for example. Also, perhaps you want a name like 'Saint John' to pass also?
I recommend the following :)
^[A-Z][a-z]*[-\.' ]?[A-Z]?[a-z]*
^ anchors to the start of the string
[A-Z] matches exactly 1 capital letter
[a-z]* matches zero or more lowercase letters (this enables you to match a name like D'Urso)
[-\.' ]? matches zero or 1 instances of - (hyphen), . (period), ' (apostrophe) or a single space (the . (period) needs to be escaped with a backslash because . is special to regex)
[A-Z]? matches zero or 1 capital letter (in case there's a second capital in the name, like D'Urso, St John, Saint-Germaine)

Hashtag linking in AngularJS and JS

I'm new to regex expressions and don't really understand them. I'm getting comments from a PHP script that may or may not include hashtags. I need to create a link out of the hashtag (not including urls or if the hashtag has a commas or a space in it)
So far I've looked online and found this:
string = string.replace(/(^|\s)(#[a-z\d-]+)/ig, "$1$2");
However, the link generated is:
#thenameofhashtag
I need to be able to exclude the hashtag from the tag= variable line. How can I modify the expression to achieve this and are there any angularJS way's of doing this? Additionally, are languages (Chinese, Japanese, etc) or characters that are not in UTF-8 encoded create problems?
You can exclude the # from the capturing group so that it is not captured in $2 as
(^|\s)#([a-z\d-]+)/ig
#([a-z\d-]+) Here the # is moved outside so that only [a-z\d-]+ is captured
Example
string.replace(/(^|\s)#([a-z\d-]+)/ig, "$1#$2");
// => #thenameofhashtag

How to encode and decode HTML special characters to get entity name

The character set is mentioned at Special Character Map. I need a Java-script or J-Query encoding code to get entity name.
for e.g. if I pass £ then I should get "&pound ;" or for ¥ it should return "&yen ;".
Even I copy the symbols instead of typing in then also it should work.
I am trying to use following J-Query code but it doesn't seem to work when I copy-paste strings.
function krEncodeEntities() {
var s = $('#input').val();
return $('#lblEncode').text($("<div/>").text(s).html());
}
function krDencodeEntities() {
var s = $('#lblEncode').text();
return $('#lblDecode').text($("<div/>").html(s).text());
}
Can anyone please help me?
JavaScript has no concept of HTML identities. To JS, everything is UCS16 (a forerunner of UTF16).
You have a couple of options.
Option 1
Make a big translation object of characters and their identities.
Option 2
See if some other form of encoding will work for you.
When are you supposed to use escape instead of encodeURI / encodeURIComponent?

How do you define a string in JavaScript that could contain any character?

Even though I'm using a Salesforce variable in my JavaScript, it is not necessary to know Salesforce to answer my question. There's a password field I want to access. I can do this by using the Salesforce variable, {!Account.Password__c}, inside my JavaScript like so:
var p = '{!Account.Password__c}';
I've been using this for a long time, but there are some instances where it doesn't work. The only problem is that the password could contain any character (as a good password should). So if it contains a single quote, then this JavaScript will not run. I could write it with double quotes:
var p = "{!Account.Password__c}";
But it could contain a double quote also. It could also contain forward slashes and/or back slashes.
The password string needs to be able to take any of these:
Idon'tknow
pass"word"
/-\_|)_/-\_/\/\
"'!##
+*co/rn
This is my code:
var u = '{!Account.Email_Address__c}';
var p = escape(encodeURIComponent('{!Account.Password__c}'));
window.open('http://mywebsite.com/?&u=' + u + '&p=' + p,'_blank');
What you're looking for is the JSENCODE function. It will escape quotes, backslashes, and anything else that might mess up your Javascript string.
var p = '{!JSENCODE(Account.Password__c)}';
If your Javascript is inside an HTML tag (eg: in an 'onclick' attribute) then use the JSINHTMLENCODE function, which will html-encode the characters <&> .
These are documented in the Visualforce Functions reference.
Your problem is that of escaping. You can backslash any character in a string - so if you have, say, owowow"'!thisishard as a password, to assign it straight up to a JS var, you would do this:
var p = "owowow\"\'!thisishard";
Which deals with the escaping. You do not need to do this if you have acquired the variable from another source (say, a text element through element.value).
This does not reove a couple of issues:
Passing passwords through GET params is pretty high up on the OWASP guidelines of things not to do. The reason being that they will show up on server logs in addition to being sniffable through conventional means.
Why on earth are you doing this?

Store Html.Raw() in a string in Javascript, ASP.NET MVC 3

I'm using ASP.NET and I have a string of HTML in the database.
I want to get that html into a variable on the client.
If I do this:
var x = '#Html.Raw(myModel.FishValue)'
it works fine, because it's essentially doing
var x = '<p>hello!</p>';
however if there are quotes in the html it breaks the page.
My initial guess would be to .Replace the raw string to add escapes to the quotes, however both .ToString() and .ToHtmlString() (as Html.Raw returns an IHtmlString) do not produce the same markup as simple Html.Raw().
So I'm at a loss of what best to do.
What about replacing before calling the Html.Rawmethod?
var x = '#Html.Raw(myModel.FishValue.Replace("'","\\'"))'
UPDATE:
There might be other escape chars in the string coming from the model. For that reason I would recommend replacing the slashes first as well. Of course it all depends on what might come from the server in your model.
var x = '#Html.Raw(myModel.FishValue.Replace("\\","\\\\'").Replace("'","\\'"))'
A sample snippet representing the behavior in the javascript:
//Let's say my Model Content is > I'd Say \ is a escape character. You can't "Escape"
// YOu would have to replace ' --> \' and \ --> \\
var stringFromServer = 'I\'d Say \\ is a escape character. You can\'t "Escape"'
alert(stringFromServer)
Try this:
var x = '#(System.Web.HttpUtility.HtmlEncode(myModel.FishValue))';
If you need to decode the HTML on the client side use
unescape(x)
I think JQuery (not sure if you're using it or not) handles encoded HTML strings so you might not need unescape().
Try out the anti-xss library from Microsoft (which will be included I believe by default in asp.net 4.5):
AntiXss.JavascriptEncode(yourContent)
Anti-Xss is available 4.1 beta. If you want to use it in your application which I highly recommend, check out:
http://weblogs.asp.net/jgalloway/archive/2011/04/28/using-antixss-4-1-beta-as-the-default-encoder-in-asp-net.aspx

Categories

Resources