Opened 9 years ago

Closed 9 years ago

#2000 closed Bug (fixed)

# sign is not escaped when uploading a file

Reported by: Dave Brondsema
Owned by: Frederico Caldeira Knabben
Priority: Normal
Milestone: FCKeditor 2.6
Component: File Browser
Version: FCKeditor 2.5.1
Keywords: Confirmed Review+
Cc:

Description

If I have a file with a pound sign # in it, it is not escaped when I upload it. Ticket #182 fixed most escaping issues, but using encodeURI() doesn't escape everything (e.g. #). That's actually good since currently it's applied to the whole URI, and for characters like : and / we don't want those escaped in "http://" for example. See http://xkr.us/articles/javascript/encode-compare/ which shows the different encode functions.

My suggestion would be to NOT encode anything in JavaScript. Rather, update all connectors to encode the file name (and/or URL). In PHP, this would use the rawurlencode() function. Then that fully-encoded file name would be appended to the unencoded domain+directory.

Attachments (1)

2000.patch (1.2 KB) - added by Frederico Caldeira Knabben 9 years ago.


Change History (5)

comment:1 Changed 9 years ago by Frederico Caldeira Knabben

Keywords: Confirmed added
Owner: set to Frederico Caldeira Knabben
Status: new → assigned

Encoding it on the server side would make things too complex for us, and actually this is something that can be easily solved on the client side, also because the client code is responsible for returning the URL.

I'm attaching a patch for it.

Changed 9 years ago by Frederico Caldeira Knabben

Attachment: 2000.patch added

comment:2 Changed 9 years ago by Frederico Caldeira Knabben

Keywords: Review? added
Milestone: FCKeditor 2.6
Version: FCKeditor 2.5.1

comment:3 Changed 9 years ago by Martin Kou

Keywords: Review+ added; Review? removed

Looks good to me. For any URI, the '#' is used for selecting document fragments only, which is useless for our use case (selecting files). So any '#' appearing in the URI can be safely assumed to be part of the file name instead, and thus replacing it with '%23' should be safe.
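Added example, not part of the ticket and not the content of 2000.patch: a sketch comparing the three encoding approaches discussed above by checking what a URL parser would actually request. The base URL, file names and function names are constructed for illustration; the second file name goes beyond the ticket's '#' case to show another reserved character that encodeURI() leaves alone.

```javascript
// Added example. All names and sample values are constructed assumptions,
// not FCKeditor code.

// Behaviour the ticket reports: encodeURI() over the whole URL.
// It keeps URI-reserved characters such as '#', '?' and '&' as they are.
function encodeWholeUrl(url) {
  return encodeURI(url);
}

// The replacement described in comment 3 (a sketch, not the actual patch):
// after encodeURI(), treat every '#' as file-name data and emit '%23'.
function encodeWholeUrlFixHash(url) {
  return encodeURI(url).replace(/#/g, '%23');
}

// The reporter's idea applied on the client: leave the base untouched and
// fully encode only the file name segment.
function encodeFileNameOnly(baseUrl, fileName) {
  return baseUrl + encodeURIComponent(fileName);
}

// How a URL parser splits the result: only `pathname` reaches the server
// as the file path; `hash` is never sent at all.
function requestedParts(url) {
  const u = new URL(url);
  return { pathname: u.pathname, search: u.search, hash: u.hash };
}

const BASE = 'http://example.test/userfiles/file/'; // constructed
const HASH_NAME = 'report #3 final.pdf';            // constructed
const QUERY_NAME = 'a?b#c.txt';                     // constructed

function demo() {
  return {
    // '#' starts a fragment, so the path is cut off at "report ".
    broken: requestedParts(encodeWholeUrl(BASE + HASH_NAME)),
    // '%23' keeps the whole name in the path.
    fixedHash: requestedParts(encodeWholeUrlFixHash(BASE + HASH_NAME)),
    // A '?' in the name is still read as the start of a query string.
    fixedHashQuery: requestedParts(encodeWholeUrlFixHash(BASE + QUERY_NAME)),
    // Encoding the segment itself covers '#', '?' and the rest.
    segment: requestedParts(encodeFileNameOnly(BASE, QUERY_NAME)),
  };
}

console.log(demo());
```
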

comment:4 Changed 9 years ago by Frederico Caldeira Knabben

Resolution: fixed
Status: assigned → closed

Fixed with [1692].
