Item13741: add ability to have multiple encode options in URLPARAM

foswiki · Sep 22, 2015 · f3c15a5 · f3c15a5
1 parent 18eceba
commit f3c15a5
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 36 deletions.
diff --git a/UnitTestContrib/test/unit/Fn_URLPARAM.pm b/UnitTestContrib/test/unit/Fn_URLPARAM.pm
@@ -104,6 +104,20 @@ sub test_encode {
       $this->{test_topicObject}
       ->expandMacros('%URLPARAM{"foo" default="bar" encode="none"}%');
     $this->assert_str_equals( '<evil script>\'\"%', $str );
+
+    $this->{request}->param( -name => 'foo', -value => '<evil "script">\'\"%' );
+    $str =
+      $this->{test_topicObject}
+      ->expandMacros('%URLPARAM{"foo" default="bar" encode="quote safe"}%');
+    $this->assert_str_equals(
+        '&#60;evil \&#34;script\&#34;&#62;&#39;\\\\&#34;&#37;', $str );
+
+    $this->{request}->param( -name => 'foo', -value => '<evil "script">\'\"%' );
+    $str =
+      $this->{test_topicObject}
+      ->expandMacros('%URLPARAM{"foo" default="bar" encode="safe quote"}%');
+    $this->assert_str_equals(
+        '&#60;evil &#34;script&#34;&#62;&#39;\\&#34;&#37;', $str );
 }
 
 sub test_defaultencode {

diff --git a/core/data/System/VarURLPARAM.txt b/core/data/System/VarURLPARAM.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1434650530" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1442930527" format="1.1" version="1"}%
 %META:TOPICPARENT{name="Macros"}%
 ---+ URLPARAM -- get URL or HTTP POST parameter value
 Returns the value of the named parameter in the URL or HTTP POST request.
@@ -8,15 +8,15 @@ Returns the value of the named parameter in the URL or HTTP POST request.
      | ="name"= | The name of a URL parameter | required |
      | =default= | Default value, used if the parameter is not present | =""= |
      | =newline= | Convert newlines in textarea to other delimiters | |
-     | =encode= | Control how special characters are encoded <br /> ="off"= - No encoding. Avoid using this when possible. See the security warning below. <br /> ="entity"= - Encode special characters into HTML entities. See [[VarENCODE][ENCODE]] for more details. <br /> ="safe"= - Encode characters ='"&lt;&gt;%= into HTML entities. <br /> ="url"= - Encode special characters for URL parameter use, like a double quote into =%22= <br /> ="quote"= - Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other macros. | =safe= |
+     | =encode= | Control how special characters are encoded <br /> ="off"= - No encoding. Avoid using this when possible. See the security warning below. <br /> ="entity"= - Encode special characters into HTML entities. See [[VarENCODE][ENCODE]] for more details. <br /> ="safe"= - Encode characters ='"&lt;&gt;%= into HTML entities. <br /> ="url"= - Encode special characters for URL parameter use, like a double quote into =%22= <br /> ="quote"= - Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other macros. you can combine several encodings together, and they will be applied in the order you specify e.g. =encode="quote safe" | =safe= |
      | =multiple= | If set, gets all selected elements of a =&lt;select multiple="multiple"&gt;= tag. Can be set to a format string, with =$item= indicating the element, e.g. =multiple="Option: $item"= (also supports the standard [[format tokens]]) | first element |
      | =separator= | Separator between multiple selections. Only relevant if multiple is specified | =$n= (new line) |
 ---++ Examples
 =%<nop>URLPARAM{"skin"}%= returns =print= for a =.../view/%WEB%/%INCLUDINGTOPIC%?skin=print= URL
 <div class="foswikiHelp">
 %H% URL parameters passed into HTML form fields must be [[VarENCODE][entity encoded]].
 
-%H% Double quotes in URL parameters must be escaped when passed into other macros.%BR% Example: =%<nop>SEARCH{ "%<nop>URLPARAM{ "search" encode="quote" }%" noheader="on" }%=
+%H% Double quotes in URL parameters must be escaped when passed into other macros.%BR% Example: =%<nop>SEARCH{ "%<nop>URLPARAM{ "search" encode="quote safe" }%" noheader="on" }%=
 
 %H% When used in a template topic, this macro will be expanded when the template is used to create a new topic. See TemplateTopics#TemplateTopicsVars for details.
 

diff --git a/core/data/System/WebSearch.txt b/core/data/System/WebSearch.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1432417054" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1442930527" format="1.1" version="1"}%
 %META:TOPICPARENT{name="WebHome"}%
 %IF{
 	"$'URLPARAM{tab}'='search' OR $'URLPARAM{tab}'='' AND NOT $TAB='advanced'" 
@@ -238,23 +238,23 @@
 	then="<h2>%MAKETEXT{"Search results"}%</h2>
 $percentINCLUDE{$quot%SYSTEMWEB%.%TOPIC%$quot section=$quotsearchfeed$quot}$percent"
 }%%SEARCH{
-	"%URLPARAM{"search" encode="quote"}%"
+	"%URLPARAM{"search" encode="safe quote"}%"
 	type="%URLPARAM{"type" default="word"}%"
-	scope="%URLPARAM{"scope" encode="quote"}%"
-	web="%URLPARAM{"web" encode="quote"}%"%IF{
+	scope="%URLPARAM{"scope" encode="safe quote"}%"
+	web="%URLPARAM{"web" encode="safe quote"}%"%IF{
 		"{EnableHierarchicalWebs}"
-		then="recurse=\"%URLPARAM{"recurse" encode="quote"}%\""
+		then="recurse=\"%URLPARAM{"recurse" encode="safe quote"}%\""
 	}%
-    topic="%URLPARAM{"searchtopic" encode="quote"}%"
-	excludetopic="%URLPARAM{"excludetopic" encode="quote"}%"
-	nosearch="%URLPARAM{"nosearch" encode="quote"}%"
-	casesensitive="%URLPARAM{"casesensitive" encode="quote"}%"
-	nosummary="%URLPARAM{"nosummary" encode="quote"}%"
-	nototal="%URLPARAM{"nototal" encode="quote"}%"
-	order="%URLPARAM{"order" encode="quote"}%"
-	reverse="%URLPARAM{"reverse" encode="quote"}%"
+    topic="%URLPARAM{"searchtopic" encode="safe quote"}%"
+	excludetopic="%URLPARAM{"excludetopic" encode="safe quote"}%"
+	nosearch="%URLPARAM{"nosearch" encode="safe quote"}%"
+	casesensitive="%URLPARAM{"casesensitive" encode="safe quote"}%"
+	nosummary="%URLPARAM{"nosummary" encode="safe quote"}%"
+	nototal="%URLPARAM{"nototal" encode="safe quote"}%"
+	order="%URLPARAM{"order" encode="safe quote"}%"
+	reverse="%URLPARAM{"reverse" encode="safe quote"}%"
 	pager="on"
-	limit="%URLPARAM{"limit" encode="quote" default="%DEFAULTPAGESIZE%"}%"
+	limit="%URLPARAM{"limit" encode="safe quote" default="%DEFAULTPAGESIZE%"}%"
 	pagesize="%DEFAULTPAGESIZE%"
 	zeroresults="%IF{
 		"defined search and $search!=''"
@@ -284,7 +284,7 @@ $percentINCLUDE{$quot%SYSTEMWEB%.%TOPIC%$quot section=$quotsearchfeed$quot}$perc
 %MAKETEXT{"To display the above search results in a topic, copy-paste the following markup:"}%
 <pre class='tml'>
 %<nop>SEARCH{
-   "%URLPARAM{"search" encode="quote"}%"
+   "%URLPARAM{"search" encode="safe quote"}%"
    type="%URLPARAM{"type" default="%SEARCHDEFAULTTTYPE%"}%"%FORMAT{
       "scope,web,recurse,nosearch,casesensitive,nosummary,nototal,order,reverse,limit,search"
       type="string"

diff --git a/core/lib/Foswiki/Macros/URLPARAM.pm b/core/lib/Foswiki/Macros/URLPARAM.pm
@@ -66,26 +66,25 @@ sub _handleURLPARAMValue {
 
     if ( defined $value ) {
         $value =~ s/\r?\n/$newLine/g if ( defined $newLine );
-        if ( $encode =~ m/^entit(y|ies)$/i ) {
-            $value = entityEncode($value);
-        }
-        elsif ( $encode =~ m/^quotes?$/i ) {
-            $value =~
-              s/\"/\\"/g;    # escape quotes with backslash (Bugs:Item3383 fix)
-        }
-        elsif ( $encode =~ m/^(off|none)$/i ) {
+        foreach my $e ( split( /\s+/, $encode ) ) {
+            if ( $e =~ m/entit(y|ies)/i ) {
+                $value = entityEncode($value);
+            }
+            elsif ( $e =~ m/^quotes?$/i ) {
+                $value =~
+                  s/\"/\\"/g; # escape quotes with backslash (Bugs:Item3383 fix)
+            }
+            elsif ( $e =~ m/^url$/i ) {
 
-            # no encoding
-        }
-        elsif ( $encode =~ m/^url$/i ) {
+                # Legacy, see ENCODE
+                #$value =~ s/\r*\n\r*/<br \/>/;
+                $value = urlEncode($value);
+            }
+            elsif ( $e =~ m/^safe$/i ) {
 
-            # Legacy, see ENCODE
-            #$value =~ s/\r*\n\r*/<br \/>/;
-            $value = urlEncode($value);
-        }
-        else {    # safe or default
-                  # entity encode ' " < > and %
-            $value =~ s/([<>%'"])/'&#'.ord($1).';'/ge;
+                # entity encode ' " < > and %
+                $value =~ s/([<>%'"])/'&#'.ord($1).';'/ge;
+            }
         }
     }
     unless ( defined $value ) {