Item12179: better initialization of jquery.foswiki

- no more unsafe inline scripts - using JSON to create a proper json object instead of home-grown use of %ENCODE..quote
foswiki · Sep 22, 2015 · f8ede9c · f8ede9c
1 parent e51e7d1
commit f8ede9c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 19 deletions.
diff --git a/JQueryPlugin/lib/Foswiki/Plugins/JQueryPlugin/FOSWIKI.pm b/JQueryPlugin/lib/Foswiki/Plugins/JQueryPlugin/FOSWIKI.pm
@@ -5,6 +5,7 @@ use warnings;
 use Foswiki::Func;
 use Foswiki::Plugins;
 use Foswiki::Plugins::JQueryPlugin::Plugin;
+use JSON();
 our @ISA = qw( Foswiki::Plugins::JQueryPlugin::Plugin );
 
 =begin TML
@@ -66,9 +67,7 @@ sub init {
         $prefs =
 'PUBURL, PUBURLPATH, SCRIPTSUFFIX, SCRIPTURL, SCRIPTURLPATH, SERVERTIME, SKIN, SYSTEMWEB, TOPIC, USERNAME, USERSWEB, WEB, WIKINAME, WIKIUSERNAME, NAMEFILTER';
         $prefs .= ', TWISTYANIMATIONSPEED'
-          if $Foswiki::cfg{Plugins}{TwistyPlugin}
-          {Enabled};    # can't use context during init
-
+          if $Foswiki::cfg{Plugins}{TwistyPlugin}{Enabled};
     }
 
     # init NAMEFILTER
@@ -78,25 +77,16 @@ sub init {
     }
 
     # add exported preferences to head
-    my @prefs = ();
+    my %prefs = ();
     foreach my $pref ( split( /\s*,\s*/, $prefs ) ) {
-        if ( $pref eq 'NAMEFILTER' ) {
-            push @prefs,
-                '    "'
-              . $pref
-              . '": /%ENCODE{"%'
-              . $pref
-              . '%" type="quote"}%/g';
-        }
-        else {
-            push @prefs,
-              '    "' . $pref . '": "%ENCODE{"%' . $pref . '%" type="quote"}%"';
-        }
+        $prefs{$pref} =
+          Foswiki::Func::expandCommonVariables( '%' . $pref . '%' );
     }
+
     my $text =
-"<script type='text/javascript'>\njQuery.extend(foswiki, {\n \"preferences\": {\n"
-      . join( ",\n", @prefs )
-      . "\n}});\n</script>";
+        "<script class='\$zone \$id foswikiPreferences' type='text/config'>"
+      . JSON::to_json( \%prefs, { pretty => 1 } )
+      . "</script>";
 
     Foswiki::Func::addToZone( "script", "JQUERYPLUGIN::FOSWIKI::PREFERENCES",
         $text, "JQUERYPLUGIN::FOSWIKI" );

diff --git a/JQueryPlugin/pub/System/JQueryPlugin/plugins/foswiki/jquery.foswiki.uncompressed.js b/JQueryPlugin/pub/System/JQueryPlugin/plugins/foswiki/jquery.foswiki.uncompressed.js
@@ -234,5 +234,15 @@ var foswiki = foswiki || {
   $(function() {
     /* Remove 'has no javascript' class from body element (written in template). */
     $('body').removeClass('foswikiNoJs').addClass("foswikiJs");
+
+    /* load foswiki preferences */
+    $(".foswikiPreferences").each(function() {
+      $.extend(foswiki.preferences, $.parseJSON($(this).html()));
+    });
+
+    /* special treatment for NAMEFILTER */
+    if (typeof(foswiki.preferences.NAMEFILTER) !== 'undefined') {
+      foswiki.preferences.NAMEFILTER = new RegExp(foswiki.preferences.NAMEFILTER, "g");
+    }
   });
 }(jQuery));