Unescaped js string #1414
Comments
Do you use classic or modern interface?
I'm using classic interface, I admit I didn't even know there was a modern i/f! { I believe/hope this provides all the necessary info.
Just tested with modern interface, it still fails but differently, using modern the new page/tab opened by the link points to: So, the url is truncated at the first single quote.
Imho you can't make any assumption on what is and what is not in a filename. In the case of a recording, you can have something like:
but it could also be something that is downloaded. The name should be properly URL encoded if it is used in a URL, and that includes all special characters, not only spaces. So the name needs to be urllib quoted...
Imho there is a difference between "characters not allowed in a filename" (which is dictated by the filesystem), and "characters not allowed in a URI", which is dictated by the relevant RFCs. And you shouldn't mix the two. If the URL in the m3u is properly quoted, the characters used in the filename are no longer relevant. Don't fix an issue on the left by tweaking code on the right (and it also doesn't solve the issue with downloaded files).
I agree with @WanWizard's statement that you can't make any assumption on what is and what is not in a filename - EPGCache for example still lets through hazardous characters. We should always assume the worst and sanitise by default.
I cannot reproduce this on my box. The result html of the stream button is:
Can you please check the filename encoding?
Yes, the filename encoding is utf8, but since all characters are low ascii (<127) I think it makes little difference. I find it strange that in your box the filename is escaped, in your box is it escaped by the backend service (info.py) or by the js in the browser (openwebif.js)? What does the json from /api/statusinfo look like? (see my second post here) Looking at both (info.py and openwebif.js) in the master branch here in github, I cannot find where the filename is escaped, are you running OpenWebif code from the master branch?
Yes, I'm using the latest version from the master here.
I just installed ATV 7.0 (openatv-7.0-vuduo4kse-20211017_usb) and it fails ("Uncaught SyntaxError: missing ) after argument list" in chrome console) exactly the same as using PLI image. In the browser the relevant (osdicon div) html part is:
From your box, is currservice_filename encoded in the json from /api/statusinfo?
Please provide all files as zip from the recording except the big .TS file.
test-archive.tar.gz How did you (re)name your 123'".ts test file?
The stream (download) "button" is fixed and works, the title (tooltip) is still unescaped so it's not displayed correctly (it is truncated) but... that's a minor issue.
Hi, there is an issue in OpenWebif with the link to stream the current service (tooltip "Stream:") located in the top right on the OpenWebif page ("osd" div).
When a recording is played and the filename (i.e. the name of the recorded program/transmission) contains one or more single quotes (that is an apostrophe, so it is relatively common in some languages) the browser (chrome in my test) console shows the error "Uncaught SyntaxError: missing ) after argument list".
The problem is that internally the onclick event calls the jumper80() javascript function (remember, when playing a recorded program) with the filename as argument and the filename is not properly escaped, so if it contains a single quote (and potentially other characters?)... it breaks.
For the record I'm using OWIF 1.4.8 with VU+ Duo4K SE with OpenPli 8.1-release build 2021-09-15, last update 2021-10-12, but I think the problem exists in any decoder using OpenWebif.
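
The failure reported in this issue and one way to encode for both contexts, as an added example that is not part of the thread or of OpenWebif's code. Only the name `jumper80` comes from the issue; the sample filename and every helper name are constructed, and `runHandler` stands in for the browser decoding and compiling an `onclick` attribute.

```javascript
// Added example, not OpenWebif code. Only the name jumper80 comes from the
// issue; the sample filename and all helper names are constructed.
const SAMPLE = "/media/hdd/movie/Don't say \"cheese\".ts";

// The pattern the issue describes: raw filename pasted into a JS string.
function unsafeHandler(filename) {
  return "jumper80('" + filename + "')";
}

// Escape a value for the HTML attribute that will contain it.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Hardened: JSON.stringify produces a valid JS string literal (inner context),
// then the whole handler is escaped for the onclick attribute (outer context).
function safeHandlerAttr(filename) {
  return escapeAttr("jumper80(" + JSON.stringify(filename) + ")");
}

// Stand-in for the browser: decode the attribute value, compile the handler,
// call it with a stub jumper80 and return the argument the stub received.
function runHandler(attrValue) {
  const body = attrValue.replace(/&#(\d+);/g,
    (_, n) => String.fromCharCode(Number(n)));
  let seen;
  new Function("jumper80", body)(arg => { seen = arg; });
  return seen;
}

// For the URL itself: encodeURIComponent leaves ! ' ( ) * unencoded, so the
// apostrophe must be percent-encoded explicitly.
function encodeRFC3986(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

function demo() {
  let error = null;
  try { runHandler(unsafeHandler(SAMPLE)); } catch (e) { error = e.name; }
  return {
    unsafeError: error,
    safeArgument: runHandler(safeHandlerAttr(SAMPLE)),
    queryValue: encodeRFC3986(SAMPLE),
  };
}
console.log(demo());
```

Passing the filename through a `data-` attribute and reading it in a listener registered from script avoids the JavaScript string context entirely; the attribute escaping is still required.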