Item13741: make encode a comma-separated list

foswiki · Sep 24, 2015 · 8519f70 · 8519f70
1 parent d6e008e
commit 8519f70
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 19 deletions.
diff --git a/UnitTestContrib/test/unit/Fn_URLPARAM.pm b/UnitTestContrib/test/unit/Fn_URLPARAM.pm
@@ -108,14 +108,14 @@ sub test_encode {
     $this->{request}->param( -name => 'foo', -value => '<evil "script">\'\"%' );
     $str =
       $this->{test_topicObject}
-      ->expandMacros('%URLPARAM{"foo" default="bar" encode="quote safe"}%');
+      ->expandMacros('%URLPARAM{"foo" default="bar" encode="quote, safe"}%');
     $this->assert_str_equals(
         '&#60;evil \&#34;script\&#34;&#62;&#39;\\\\&#34;&#37;', $str );
 
     $this->{request}->param( -name => 'foo', -value => '<evil "script">\'\"%' );
     $str =
       $this->{test_topicObject}
-      ->expandMacros('%URLPARAM{"foo" default="bar" encode="safe quote"}%');
+      ->expandMacros('%URLPARAM{"foo" default="bar" encode="safe, quote"}%');
     $this->assert_str_equals(
         '&#60;evil &#34;script&#34;&#62;&#39;\\&#34;&#37;', $str );
 }

diff --git a/core/data/System/VarURLPARAM.txt b/core/data/System/VarURLPARAM.txt
@@ -8,15 +8,21 @@ Returns the value of the named parameter in the URL or HTTP POST request.
      | ="name"= | The name of a URL parameter | required |
      | =default= | Default value, used if the parameter is not present | =""= |
      | =newline= | Convert newlines in textarea to other delimiters | |
-     | =encode= | Control how special characters are encoded <br /> ="off"= - No encoding. Avoid using this when possible. See the security warning below. <br /> ="entity"= - Encode special characters into HTML entities. See [[VarENCODE][ENCODE]] for more details. <br /> ="safe"= - Encode characters ='"&lt;&gt;%= into HTML entities. <br /> ="url"= - Encode special characters for URL parameter use, like a double quote into =%22= <br /> ="quote"= - Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other macros. you can combine several encodings together, and they will be applied in the order you specify e.g. =encode="quote safe" | =safe= |
+     | =encode= | Control how special characters are encoded <br /> ="off"= - No encoding. Avoid using this when possible. See the security warning below. <br />\
+                  ="entity"= - Encode special characters into HTML entities. See [[VarENCODE][ENCODE]] for more details. <br /> \
+                  ="safe"= - Encode characters ='"&lt;&gt;%= into HTML entities. <br />\
+                  ="url"= - Encode special characters for URL parameter use, like a double quote into =%22= <br />\
+                  ="quote"= - Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other macros. \
+                  You can combine several encodings together, and they will be applied in the order you specify e.g. =encode="safe, quote"= | =safe= |
      | =multiple= | If set, gets all selected elements of a =&lt;select multiple="multiple"&gt;= tag. Can be set to a format string, with =$item= indicating the element, e.g. =multiple="Option: $item"= (also supports the standard [[format tokens]]) | first element |
      | =separator= | Separator between multiple selections. Only relevant if multiple is specified | =$n= (new line) |
 ---++ Examples
 =%<nop>URLPARAM{"skin"}%= returns =print= for a =.../view/%WEB%/%INCLUDINGTOPIC%?skin=print= URL
+
 <div class="foswikiHelp">
 %H% URL parameters passed into HTML form fields must be [[VarENCODE][entity encoded]].
 
-%H% Double quotes in URL parameters must be escaped when passed into other macros.%BR% Example: =%<nop>SEARCH{ "%<nop>URLPARAM{ "search" encode="quote safe" }%" noheader="on" }%=
+%H% Double quotes in URL parameters must be escaped when passed into other macros.%BR% Example: =%<nop>SEARCH{ "%<nop>URLPARAM{ "search" encode="safe, quote" }%" noheader="on" }%=
 
 %H% When used in a template topic, this macro will be expanded when the template is used to create a new topic. See TemplateTopics#TemplateTopicsVars for details.
 

diff --git a/core/data/System/WebSearch.txt b/core/data/System/WebSearch.txt
@@ -238,23 +238,23 @@
 	then="<h2>%MAKETEXT{"Search results"}%</h2>
 $percentINCLUDE{$quot%SYSTEMWEB%.%TOPIC%$quot section=$quotsearchfeed$quot}$percent"
 }%%SEARCH{
-	"%URLPARAM{"search" encode="safe quote"}%"
+	"%URLPARAM{"search" encode="safe, quote"}%"
 	type="%URLPARAM{"type" default="word"}%"
-	scope="%URLPARAM{"scope" encode="safe quote"}%"
-	web="%URLPARAM{"web" encode="safe quote"}%"%IF{
+	scope="%URLPARAM{"scope" encode="safe, quote"}%"
+	web="%URLPARAM{"web" encode="safe, quote"}%"%IF{
 		"{EnableHierarchicalWebs}"
-		then="recurse=\"%URLPARAM{"recurse" encode="safe quote"}%\""
+		then="recurse=\"%URLPARAM{"recurse" encode="safe, quote"}%\""
 	}%
-    topic="%URLPARAM{"searchtopic" encode="safe quote"}%"
-	excludetopic="%URLPARAM{"excludetopic" encode="safe quote"}%"
-	nosearch="%URLPARAM{"nosearch" encode="safe quote"}%"
-	casesensitive="%URLPARAM{"casesensitive" encode="safe quote"}%"
-	nosummary="%URLPARAM{"nosummary" encode="safe quote"}%"
-	nototal="%URLPARAM{"nototal" encode="safe quote"}%"
-	order="%URLPARAM{"order" encode="safe quote"}%"
-	reverse="%URLPARAM{"reverse" encode="safe quote"}%"
+    topic="%URLPARAM{"searchtopic" encode="safe, quote"}%"
+	excludetopic="%URLPARAM{"excludetopic" encode="safe, quote"}%"
+	nosearch="%URLPARAM{"nosearch" encode="safe, quote"}%"
+	casesensitive="%URLPARAM{"casesensitive" encode="safe, quote"}%"
+	nosummary="%URLPARAM{"nosummary" encode="safe, quote"}%"
+	nototal="%URLPARAM{"nototal" encode="safe, quote"}%"
+	order="%URLPARAM{"order" encode="safe, quote"}%"
+	reverse="%URLPARAM{"reverse" encode="safe, quote"}%"
 	pager="on"
-	limit="%URLPARAM{"limit" encode="safe quote" default="%DEFAULTPAGESIZE%"}%"
+	limit="%URLPARAM{"limit" encode="safe, quote" default="%DEFAULTPAGESIZE%"}%"
 	pagesize="%DEFAULTPAGESIZE%"
 	zeroresults="%IF{
 		"defined search and $search!=''"
@@ -284,7 +284,7 @@ $percentINCLUDE{$quot%SYSTEMWEB%.%TOPIC%$quot section=$quotsearchfeed$quot}$perc
 %MAKETEXT{"To display the above search results in a topic, copy-paste the following markup:"}%
 <pre class='tml'>
 %<nop>SEARCH{
-   "%URLPARAM{"search" encode="safe quote"}%"
+   "%URLPARAM{"search" encode="safe, quote"}%"
    type="%URLPARAM{"type" default="%SEARCHDEFAULTTTYPE%"}%"%FORMAT{
       "scope,web,recurse,nosearch,casesensitive,nosummary,nototal,order,reverse,limit,search"
       type="string"

diff --git a/core/lib/Foswiki/Macros/URLPARAM.pm b/core/lib/Foswiki/Macros/URLPARAM.pm
@@ -66,7 +66,7 @@ sub _handleURLPARAMValue {
 
     if ( defined $value ) {
         $value =~ s/\r?\n/$newLine/g if ( defined $newLine );
-        foreach my $e ( split( /\s+/, $encode ) ) {
+        foreach my $e ( split( /\s*,\s*/, $encode ) ) {
             if ( $e =~ m/entit(y|ies)/i ) {
                 $value = entityEncode($value);
             }