From ff1150bb4db3772895be8e4c7291ebb2ff3314f9 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 18 Apr 2016 17:38:14 +0200
Subject: [PATCH] Properly escape URL

Fixes https://github.com/owncloud/core/issues/23499
---
 settings/js/users/deleteHandler.js | 2 +-
 settings/tests/js/users/deleteHandlerSpec.js | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/settings/js/users/deleteHandler.js b/settings/js/users/deleteHandler.js
index b684aff188..a66e8b07a7 100644
--- a/settings/js/users/deleteHandler.js
+++ b/settings/js/users/deleteHandler.js
@@ -191,7 +191,7 @@ DeleteHandler.prototype.deleteEntry = function(keepNotification) {
 	payload[dh.ajaxParamID] = dh.oidToDelete;
 	return $.ajax({
 		type: 'DELETE',
-		url: OC.generateUrl(dh.ajaxEndpoint+'/'+this.oidToDelete),
+		url: OC.generateUrl(dh.ajaxEndpoint+'/{oid}',{oid: this.oidToDelete}),
 		// FIXME: do not use synchronous ajax calls as they block the browser !
 		async: false,
 		success: function (result) {
diff --git a/settings/tests/js/users/deleteHandlerSpec.js b/settings/tests/js/users/deleteHandlerSpec.js
index 371eae5941..3e7f768e51 100644
--- a/settings/tests/js/users/deleteHandlerSpec.js
+++ b/settings/tests/js/users/deleteHandlerSpec.js
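Review bot: The new `url:` line reads the id through `this.oidToDelete` while the line directly above it uses `dh.oidToDelete`; within this function body they presumably name the same object (`dh` looks like an alias of `this` declared above the hunk), but mixing the two invites a subtle bug if the call is ever moved into one of the ajax callbacks where `this` is rebound. I would use the alias consistently: `url: OC.generateUrl(dh.ajaxEndpoint+'/{oid}', {oid: dh.oidToDelete}),`. The fix also relies on `OC.generateUrl` percent-encoding template parameters rather than on anything visible here; the spec change pins that behaviour, so a `// {oid} is URL-encoded by generateUrl; never concatenate the id into the path` comment on this line would tell the next maintainer why the template form matters. deleteEntry starts and continues outside the hunk.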
@@ -132,6 +132,20 @@ describe('DeleteHandler tests', function() {
 		var request = fakeServer.requests[0];
 		expect(request.url).toEqual(OC.webroot + '/index.php/dummyendpoint.php/some_uid');
 	});
+	it('deletes when deleteEntry is called and escapes', function() {
+		fakeServer.respondWith(/\/index\.php\/dummyendpoint.php\/some_uid/, [
+			200,
+			{ 'Content-Type': 'application/json' },
+			JSON.stringify({status: 'success'})
+		]);
+		var handler = init(markCallback, removeCallback, undoCallback);
+		handler.mark('some_uid<>/"..\\');
+
+		handler.deleteEntry();
+		expect(fakeServer.requests.length).toEqual(1);
+		var request = fakeServer.requests[0];
+		expect(request.url).toEqual(OC.webroot + '/index.php/dummyendpoint.php/some_uid%3C%3E%2F%22..%5C');
+	});
 	it('cancels deletion when undo is clicked', function() {
 		var handler = init(markCallback, removeCallback, undoCallback);
 		handler.setNotification(OC.Notification, 'dataid', 'removed %oid entry Undo', undoCallback);
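Review bot: The new spec pins encoding for `<`, `>`, `/`, `"` and `\`, but not for the characters that actually redirect URL parsing — `?`, `#` and `%` — which are the ones the old string concatenation would have turned into a query string, a fragment, or a broken escape. Extending the marked id in `handler.mark(...)` to `'some_uid<>/"..\\?#%'` and the expectation to `'/index.php/dummyendpoint.php/some_uid%3C%3E%2F%22..%5C%3F%23%25'` covers them, assuming `OC.generateUrl` encodes parameters with `encodeURIComponent` as the current expected string suggests. The `respondWith` pattern is unanchored, so it already matches the escaped URL and needs no change. The enclosing `describe` block starts and ends outside the hunk.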