Monday, May 20, 2024
Homepage · html
 Popular · Latest · Hot · Upcoming
41
rated 0 times [  47] [ 6]  / answers: 1 / hits: 56821  / 15 Years ago, fri, october 30, 2009, 12:00:00

We've got a menu in out web app that uses <a> tags to load pages in the main frame.



A typical item in the menu would be something like:



<a target=mainframe href=/servlet1?param1=val1&parma2=servlet2?s2p1=val2%26s2p2=val3&param3=val4>Menu Item 1</a>


We needed to add some JavaScript validation before the link is requested so I changed it to: 



<a target=mainframe href=javascript:validate('/servlet1?param1=val1&parma2=servlet2?s2p1=val2%26s2p2=val3&param3=val4')>Menu Item 1</a>


(I know that javascript:function in a link is bad practice but we use a 3rd party library to generate the menu so I can't change this part of the code)



Servlet1 expects:

param1='val1'

param2='servlet2?s2p1=val2%26s2p2=val3'

param3='val4'



Servlet1 then forwards to the value of param2 so Servlet2 expects:

s2p1='val2'

s2p2='val3'



However when I put an alert in my validate function to check what is passed in:



function validate(href) {

    alert(href);



    ...validation code...

}


it is giving:

/servlet1?param1=val1&parma2=servlet2?s2p1=val2**&**s2p2=val3&param3=val4 (note the bold & which was %26 in the above function call)



The %26 is getting converted to an & when it is passed into the JS function which would not normally happen until the request is forwarded to Servlet2. Because the %26 has already been changed to an & the s2p2 request parameter gets picked up by servlet1 instead of servlet2.



Basically my question is why does the %26 get converted to a & at this point just by passing it as a parameter to the function from the href attribute when if you do onClick=validate('/servlet1?param1=val1&parma2=servlet2?s2p1=val2%26s2p2=val3&param3=val4')

it stays as %26 as you'd expect?


More From » html
 Answers
1 
<a target=mainframe href=javascript:validate('/servlet1?param1=val1&parma2=servlet2?s2p1=val2%26s2p2=val3&param3=val4')>Menu Item 1</a>


Urgh. You have a URL, embedded in a URL, all embedded in another URL! That's too many levels of escaping for the human mind to cope with.This:



javascript:validate('/servlet1?param1=val1&parma2=servlet2?s2p1=val2%26s2p2=val3&param3=val4')


is itself a URL. Albeit a javascript: pseudo-URL, which you should never use. It is decoded to the JavaScript command:



validate('/servlet1?param1=val1&parma2=servlet2?s2p1=val2&s2p2=val3&param3=val4')


at which point you have already lost the %26. Now when you use that as a URL itself, it will fail.



Avoid multiple-encoding problems by moving the scripting out into a JavaScript block (or external script) instead of an HTML attribute:



<a target=mainframe class=validateme href=/servlet1?param1=val1&amp;parma2=servlet2?s2p1=val2%26s2p2=val3&amp;param3=val4>Menu Item 1</a>


(Note here also the necessary HTML-escaping of ampersands.) Then from script do:



// find 'validateme' links and add event handler

//

for (var i= document.links; i-->0;)

    if (document.links[i].className==='validateme')

        document.links[i].onclick= validate;


Then in your validate function simply return true if all is OK and you want the link to be followed, or false to stop it.


[#98412] Tuesday, October 27, 2009, 15 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
bryantc
Add To Favorites
Follow
Total Points: 455
Total Questions: 96
Total Answers: 110
Location: San Marino
Member since Thu, Jun 30, 2022
2 Years ago
bryantc questions
Tue, Dec 7, 21, 00:00, 3 Years ago
Fri, Aug 13, 21, 00:00, 3 Years ago
Tue, Mar 30, 21, 00:00, 3 Years ago
Fri, Jun 5, 20, 00:00, 4 Years ago
Wed, May 27, 20, 00:00, 4 Years ago
View All
;