From 12efdbdeec265ba17a357525735e1d2668b2f276 Mon Sep 17 00:00:00 2001
From: Christian Ebert
Date: Fri, 10 Oct 2014 19:09:42 +0100
Subject: [PATCH 1/2] js api: escape & and = in all string config values (#260)

Ampersands and equal signs in the static configuration break setups completely, even where they are perfectly legal, like in urls. Instead of trying to catch all properties which may be fed an url, apply reduced escaping to all string values in the configuration. This will not touch any dynamic settings where writing to the Flash object on the html page is not involved, like clip.update({url: "yadda?x=y"}) which is not an issue. It is also not the same as the point blank url encoding which was tried in 3.2.8 to detrimental effect, and therefore had to be backed out.
---
 .../flowplayer.js/flowplayer-src.js | 36 ++++++++++++-------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/core/src/javascript/flowplayer.js/flowplayer-src.js b/core/src/javascript/flowplayer.js/flowplayer-src.js
index c216e56..4b61d2c 100644
--- a/core/src/javascript/flowplayer.js/flowplayer-src.js
+++ b/core/src/javascript/flowplayer.js/flowplayer-src.js
@@ -136,10 +136,27 @@ to[evt].push(fn); } - // escape & and = in config written into flashvars (issue #21) - function queryescape(url) { - return url.replace(/&/g, '%26').replace(/&/g, '%26').replace(/=/g, '%3D'); - } + // recursively cycle through config objects for queryescaping, + // i.e. escape & and = only (issues #21, #260) + // because & and = cannot be written into the Flash object on the page + function queryescape(obj) { + if (typeof obj === "string") { + return obj.replace(/&/g, '%26').replace(/&/g, '%26').replace(/=/g, '%3D'); + } else if (typeof obj === "object") { + if (obj.length) { + each(obj, function (i, item) { + each(item, function (key, val) { + obj[i][key] = queryescape(val); + }); + }); + } else { + each(obj, function (key, val) { + obj[key] = queryescape(val); + }); + } + } + return obj; + } // generates an unique id function makeId() { @@ -980,10 +997,6 @@ function Player(wrapper, params, conf) { conf.clip.url = wrapper.getAttribute("href", 2); } - if (conf.clip.url) { - conf.clip.url = queryescape(conf.clip.url); - } - commonClip = new Clip(conf.clip, -1, self); // playlist @@ -1000,10 +1013,6 @@ function Player(wrapper, params, conf) { clip = {url: "" + clip}; } - if (clip.url) { - clip.url = queryescape(clip.url); - } - // populate common clip properties to each clip each(conf.clip, function(key, val) { if (val !== undefined && clip[key] === undefined && typeof val != 'function') { @@ -1038,6 +1047,9 @@ function Player(wrapper, params, conf) { } }); + // queryescape string values + conf = queryescape(conf); + // plugins each(conf.plugins, function(name, val) { From aae4b2f078f6bc54a5df7f4106976c6d5188a139 Mon Sep 17 00:00:00 2001 From: Christian Ebert Date: Mon, 2 Feb 2015 14:56:45 +0000 Subject: [PATCH 2/2] Compact queryescape substitution (#260) --- core/src/javascript/flowplayer.js/flowplayer-src.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
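Review bot: The array branch of the new `queryescape` assigns only into the properties of each element (`obj[i][key] = queryescape(val)`), so an array whose elements are plain strings comes back with its `&` and `=` unescaped. Recursing on the element itself covers that case: `each(obj, function (i, item) { obj[i] = queryescape(item); });`. The `obj.length` test also sends any non-array object that carries a truthy `length` property down the array branch, so an explicit array check would be safer. `typeof null` is `"object"` as well, so a null config value reaches `each`; whether that is harmless depends on `each`, which is not visible in this hunk. The comment above the function should also say that it rewrites its argument in place and has no guard against cyclic references.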
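Review bot: In the last hunk, `conf = queryescape(conf);` runs after `commonClip = new Clip(conf.clip, -1, self)` and after the playlist loop, whereas the removed code escaped `conf.clip.url` and each `clip.url` before those objects were built. If `Clip` copies its properties rather than keeping a reference (not visible here), the clip objects now hold unescaped URLs while `conf` holds escaped ones, so it should be confirmed that only `conf` is written into the Flash object. Unless `conf` was copied earlier in `Player`, the call also rewrites the object the embedding page passed in, including string values that never reach flashvars; a comment such as `// escapes in place: conf holds %26/%3D-encoded strings from here on` would make that contract explicit. `Player` starts and ends outside this hunk.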
diff --git a/core/src/javascript/flowplayer.js/flowplayer-src.js b/core/src/javascript/flowplayer.js/flowplayer-src.js
index 4b61d2c..ce7373b 100644
--- a/core/src/javascript/flowplayer.js/flowplayer-src.js
+++ b/core/src/javascript/flowplayer.js/flowplayer-src.js
@@ -141,7 +141,7 @@
 // because & and = cannot be written into the Flash object on the page
 function queryescape(obj) {
 if (typeof obj === "string") {
- return obj.replace(/&/g, '%26').replace(/&/g, '%26').replace(/=/g, '%3D');
+ return obj.replace(/&(amp;)?/g, '%26').replace(/=/g, '%3D');
 } else if (typeof obj === "object") {
 if (obj.length) {
 each(obj, function (i, item) {
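Review bot: The combined pattern `/&(amp;)?/g` on the new `return` line has no comment explaining the optional `amp;`, and it matches only the lowercase named entity, so `&AMP;` or `&#38;` would come out as `%26AMP;` and `%26#38;`. A one-line comment above the `return`, for example `// "&amp;" (HTML-encoded in the page source) and a bare "&" both become %26`, would record the intent. `%` itself is not escaped, so a literal `%26` already present in a value cannot be told apart from an escaped ampersand afterwards; that limitation of the reduced escaping is worth stating next to the function. `queryescape` continues past the end of this hunk.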