selectors via jquery - javascript

Is there any way to write the following code working with innerHTML in the compact platform-independent way (probably using jquery)?
The point is that IE names tags in different case in innerHTML, so I need two if clauses to handle that. toLowerCase does not help when it comes to quotes.
var flagpos = html.indexOf('</a>')
if (flagpos == -1) flagpos = html.indexOf('</A>')
html = (flagpos >= 0) ?
'<span class="' + html.substr(flagpos + 4).
replace(/^\s*|\s*$/, '').
replace(/ /g, '"></span><span class="') +
'"></span>' + res + ' ' + html.substr(0, flagpos + 4) : res + ' ' + html
-- or --
if (!toggleFlags[j] ||
child.innerHTML.indexOf('<span class="' + j + '">') >= 0 ||
child.innerHTML.indexOf('<SPAN class=' + j + '>') >= 0) continue

You could use String.search() instead of String.indexOf() to make your patterns case-insensitive (since you don't need an offset): var flagpos = html.search(/<\/a>/i);
what's stopping you from doing $html = $(html); and using the jQuery Traversing API?

Just use
var whoCares = child.innerHTML.toUpperCase();
Then you can always compare with UPPER CASE tag names. (Or, use ".toLowerCase()" instead.) Of course that'll convert all the alphabetic characters to upper case (or lower case, as the case may be), so you'll have to do:
if (!toggleFlags[j] || child.innerHTML.toUpperCase().indexOf('<SPAN CLASS=' + j.toUpperCase() + '>'))
Yet another totally different approach is to stop looking for elements via the raw (or, rather, reconstituted) HTML, and use a selector (which maybe was the point of your question :-):
if (!toggleFlags[j] || child.find('span.' + j).length > 0) {
// whatever
}

Related

I keep getting gt; when using substring or slice

I'm building a video player with playlist and using symbol ">" to indicate which video is currently playing. I have the following function:
player.onended = function () {
pl.childNodes[curVideo + 1].childNodes[0].innerHTML = pl.childNodes[curVideo + 1].childNodes[0].innerHTML.slice(1);
++curVideo;
if (playlist.length == 0) {
player.setAttribute("src", "");
}
else if (curVideo < playlist.length) {
player.setAttribute("src", playlist[curVideo]);
pl.childNodes[curVideo + 1].childNodes[0].innerHTML = ">" + pl.childNodes[curVideo + 1].childNodes[0].innerHTML;
} else {
curVideo = 0;
player.setAttribute("src", playlist[curVideo]);
pl.childNodes[curVideo + 1].childNodes[0].innerHTML = ">" + pl.childNodes[curVideo + 1].childNodes[0].innerHTML;
}
}
I'm not changing this string anywhere else in the code, but when I delete this ">" with slice or substring instead of getting string without it I get this symbol replaced by "gt;".
Before deletion:
>htt://commondatastorage.googleapis.com/gtv-videos-bucket/sample/ForBiggerFun.mp4
After deletion:
gt;htt://commondatastorage.googleapis.com/gtv-videos-bucket/sample/ForBiggerFun.mp4
You're assuming that > will come back to you as >. It isn't in your example, it's coming back to you as the named character reference > instead. Remember, innerHTML is HTML. It's not strictly necessary to use a named character entity for > in most cases, but it's not uncommon.
This may or may not be reliable cross-browser, so to remove it, I'd probably do this if you need to work with innerHTML:
l.childNodes[curVideo + 1].childNodes[0].innerHTML =
pl.childNodes[curVideo + 1].childNodes[0].innerHTML.replace(/^(?:>|\>)/, "");
// ----------------------------------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...which will remove it at the beginning of the string whether it comes back as > or >.
Alternately, use innerText or textContent, so you're not dealing with HTML.
Fixed by using innerText property instead of innerHTML

Javascript syntax error? "Unexpected Indentifier"

sorry I just started with javascrippt and html and I am having trouble finding out what the unexpected identifier is?
here is my function
function fillSearchPlayer(data){
$('#searchPlayers tbody').html('');
for (var i = data.length - 1; i >= 0; i--) {
var p = data[i]
var item = '<tr><td>'p.firstname + ' ' + p.lastname'</td><td>'p.job'</td><td><button class="cbtn" onclick="requestPlayer("'+ p.identifier + '")">More</button></td></tr>'
$('#searchPlayers tbody').append('item');
}
}
maybe you guys could help me, it's saying its coming from the line that starts with "var item"
'<tr><td>'p.firstname look like you missed a plus sign over there. The other thing is .append('item'); - you probably intented to do .append(item);.
As the guys mentioned in the direct comments above you should try to use some templating engine instead of constructing the strings the way you did it.
I would recommend you to read these pieces:
Handlebars - simple and convenient template engine in JavaScript - give it a try!
Template strings in ES2016 - a cleaner way to do what you did with manual string concatenation
There are several errors. String concatenation works with +, and you're missing a semicolon.
Try:
function fillSearchPlayer(data) {
$('#searchPlayers tbody').html('');
for (var i = data.length - 1; i >= 0; i--) {
var p = data[i];
var item = '<tr><td>' + p.firstname + ' ' + p.lastname + '</td><td>' + p.job + '</td><td><button class="cbtn" onclick="requestPlayer("'+ p.identifier + '")">More</button></td></tr>';
$('#searchPlayers tbody').append('item');
}
}
The var item = ... item mixes variable and literal definitions without the real concatenation going on. Just put a + between each varying element to achieve your goal.
You need to enclose the concatenation operator around the p.job variable.
Your assignment should look like this...
var item = '<tr><td>'+p.firstname + ' ' + p.lastname+'</td><td>'+p.job+'</td><td><button class="cbtn" onclick=requestPlayer('+ p.identifier + ')>More</button></td></tr>'

Join syntax in javascript

Please suggest me how to play with Join in javascript.
My Code
var multiTokenQuery = value.join(',');
submitted.set('multiTokenQuery', multiTokenQuery);
alert(multiTokenQuery);
the above code shows (abc,bcd) but I want it in ('abc','bcd') I mean I need single qoutes on the values ...
Please Help
Change the glue in the bits:
var multiTokenQuery = value != null && value.length > 0 ? "'" + value.join("','") + "'" : value;
You'd like to use the following instead to get your quotes.
var value = ['test','sample','example'];
var multiTokenQuery = "'" + value.join("','") + "'";
alert(multiTokenQuery);
JSFiddle: http://jsfiddle.net/FJUJ9/1/

ASP Classic filter for "onmouseover" keyword xss

It's a redundent question on the Internet, but yet, no simple answer. I know I won't get rid of all XSS simply by filtering, but I'd like to start with it. I am currently working on ASP Classic project with server code written in JScript (not the usual VBScript). We found that we were vulnerable to some XSS attack. One is pretty tough to get rid of, since I am not a javascript master. When you use a URL like the one below, the attack is succesfull.
http://mysite/default.asp?NumVol=%20onmouseover=%22alert%28document.cookie%29%22%20style=%22font-size:999999999999px;%22%20href=
I tried the HTMLEncode, the replace method on the NumVol parameter string... But it still displays the cookie. All I'm looking for is a small replace method, a regex or whatever simple thing to manage that particular case.
This is an old production app and they don't want to spend much time on it. Just some security basics. We are definitely not instaling a library that rely on .NET (like OWASP) to fix this for now, because we will rebuild the app in .NET soon.
EDIT
Here is a sample code that I tried. You can see that I use HTMLEncole plus some filters with a "replace". The "%" char is there, but it doesn't work, since the onmouseover is written. What I need is a syntax exemple (regex or someting) in Javacript that I can apply in that case.
var sPage = "" + Request.ServerVariables ( "SCRIPT_NAME" );
var NumVol = Request.QueryString("NumVol");
var comp = Request.QueryString("comp")
var nav = Request.QueryString("nav");
var NoEle = Request.QueryString("NoEle");
var NoCons = Request.QueryString("NoCons");
if (Lg=="en") {
var pageSourceValid = Server.HTMLEncode(sPage + "?Lg=fr");
Response.Write("<a href=");
if ((NumVol+"" != "undefined") && (NumVol+"" != "")) {
pageSourceValid += "&NumVol=" + NumVol.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"");
}
if ((nav+"" != "undefined") && (nav+"" != "")) {
pageSourceValid += "&nav=" + nav.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"") + "";
}
if ((comp+"" != "undefined") && (comp+"" != "")) {
pageSourceValid += "&comp=" + comp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"") + "";
}
if ((NoEle+"" != "undefined") && (NoEle+"" != "")) {
pageSourceValid += "&NoEle=" + NoEle.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"") + "";
}
if ((NoCons+"" != "undefined") && (NoCons+"" != "")) {
pageSourceValid += "&NoCons=" + NoCons.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"") + "";
}
Response.Write(Server.HTMLEncode(pageSourceValid));
Response.Write (" class=lienBanniere>");
Response.Write ("Français");
Response.Write ("</a>");
}
Use html attribute escaping and html escaping when you output the value.
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Adding and remove items from a string without using arrays

I am trying to add and remove things in a string with using arrays. However this following script I created is not working as it doesn't remove numbers that have been submitted:
function updateCCList(id)
{
var MemberClicked = '[' + id + ']';
var ListClickedMembers = document.frmSendMail.hidSenderList.value;
if(ListClickedMembers.indexOf(MemberClicked) == -1)
{
ListClickedMembers += MemberClicked;
}
else
{
ListClickedMembers = ListClickedMembers.replace(/' + MemberClicked + '/g,'');
}
alert(ListClickedMembers);
document.frmSendMail.hidSenderList.value += ListClickedMembers;
}
Any idea what is wrong?
Many thanks,
Paul
The main problem:
ListClickedMembers = ListClickedMembers.replace(/' + MemberClicked + '/g,'');
The first RegExp there looks bad. I think you mean new RegExp('\\['+id+'\\]')
In case you care about avoiding duplicate entries:
document.frmSendMail.hidSenderList.value += ListClickedMembers;
You don't need += there, = will suffice.

Categories