
replace location.href references with a centralized method so we can …

…address #4787
commit 4348eac153d6cc7da29797a30e6d44549e09f2eb 1 parent 40735e2
@johnbender johnbender authored
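--- a/js/jquery.mobile.init.js
+++ b/js/jquery.mobile.init.js
@@ -88,7 +88,7 @@ define( [ "jquery", "./jquery.mobile.core", "./jquery.mobile.support", "./jquery
 // Store the initial destination
 if ( $.mobile.path.isHashValid( location.hash ) ) {
- $.mobile.urlHistory.initialDst = $.mobile.path.parseUrl( location.href ).hash.replace( "#", "" );
+ $.mobile.urlHistory.initialDst = $.mobile.path.parseLocation().hash.replace( "#", "" );
 }
 $.mobile.changePage( $.mobile.firstPage, { transition: "none", reverse: true, changeHash: false, fromHashChange: true } );
 }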
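Review bot: The guard `isHashValid( location.hash )` still reads `location.hash` directly, while the assignment below it now takes the hash from `parseLocation()`, so the string that is validated is not necessarily the string stored in `initialDst` (comments elsewhere in this commit say Firefox decodes `location.hash` but not the href). Validating the value that is actually consumed would close that gap, e.g. `if ( $.mobile.path.isHashValid( $.mobile.path.parseLocation().hash ) ) {`; whether `isHashValid` expects the raw or the decoded form is not visible here and should be confirmed. The same direct read remains in `js/jquery.mobile.navigation.pushstate.js` at `if ( location.hash === "" )` in the `@@ -141,7` hunk. The enclosing function starts and ends outside this hunk.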
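--- a/js/jquery.mobile.navigation.js
+++ b/js/jquery.mobile.navigation.js
@@ -49,6 +49,17 @@ define( [
 //
 urlParseRE: /^(((([^:\/#\?]+:)?(?:(\/\/)((?:(([^:@\/#\?]+)(?:\:([^:@\/#\?]+))?)@)?(([^:\/#\?\]\[]+|\[[^\/\]@#?]+\])(?:\:([0-9]+))?))?)?)?((\/?(?:[^\/\?#]+\/+)*)([^\?#]*)))?(\?[^#]+)?)(#.*)?/,
+ // Abstraction to address xss (Issue #4787) in browsers that auto decode location.href
+ // All references to location.href should be replaced with a call to this method so
+ // that it can be dealt with properly here
+ getLocation: function() {
+ return window.location.toString();
+ },
+
+ parseLocation: function() {
+ return this.parseUrl( this.getLocation() );
+ },
+
 //Parse a URL into a structure that allows easy access to
 //all of the URL components by name.
 parseUrl: function( url ) {
@@ -369,7 +380,7 @@ define( [
 $base = $head.children( "base" ),
 //tuck away the original document URL minus any fragment.
- documentUrl = path.parseUrl( location.href ),
+ documentUrl = path.parseLocation(),
 //if the document has an embedded base tag, documentBase is set to its
 //initial value. If a base tag does not exist, then we default to the documentUrl.
@@ -1500,7 +1511,7 @@ define( [
 $window.bind( "hashchange", function( e, triggered ) {
 // Firefox auto-escapes the location.hash as for v13 but
 // leaves the href untouched
- $.mobile._handleHashChange( path.parseUrl(location.href).hash );
+ $.mobile._handleHashChange( path.parseLocation().hash );
 });
 //set page min-heights to be device specific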
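Review bot: `getLocation` returns `window.location.toString()`, which yields the same string as `location.href`, so this commit only adds a seam and does not yet change what reaches `parseUrl` for issue #4787; the comment above the method reads as if the problem were already handled there. I would make that explicit, e.g. `// NOTE: currently equivalent to location.href; the encoding fix for #4787 still has to be implemented in this method`, and give `parseLocation` its own one-line comment such as `// Parse the current document location as returned by getLocation()`. `parseLocation` also relies on `this` being the path object, so it would fail if handed around as a bare callback; every call site visible in this commit invokes it as `path.parseLocation()` or `$.mobile.path.parseLocation()`.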
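--- a/js/jquery.mobile.navigation.pushstate.js
+++ b/js/jquery.mobile.navigation.pushstate.js
@@ -12,7 +12,7 @@ define( [ "jquery", "./jquery.mobile.navigation", "depend!./jquery.hashchange[jq
 var pushStateHandler = {},
 self = pushStateHandler,
 $win = $( window ),
- url = $.mobile.path.parseUrl( location.href ),
+ url = $.mobile.path.parseLocation(),
 mobileinitDeferred = $.Deferred(),
 domreadyDeferred = $.Deferred();
@@ -35,7 +35,7 @@ define( [ "jquery", "./jquery.mobile.navigation", "depend!./jquery.hashchange[jq
 state: function() {
 return {
 // firefox auto decodes the url when using location.hash but not href
- hash: $.mobile.path.parseUrl( location.href ).hash || "#" + self.initialFilePath,
+ hash: $.mobile.path.parseLocation().hash || "#" + self.initialFilePath,
 title: document.title,
 // persist across refresh
@@ -74,9 +74,9 @@ define( [ "jquery", "./jquery.mobile.navigation", "depend!./jquery.hashchange[jq
 var href, state,
 // firefox auto decodes the url when using location.hash but not href
- hash = $.mobile.path.parseUrl( location.href ).hash,
+ hash = $.mobile.path.parseLocation().hash,
 isPath = $.mobile.path.isPath( hash ),
- resolutionUrl = isPath ? location.href : $.mobile.getDocumentUrl();
+ resolutionUrl = isPath ? $.mobile.path.getLocation() : $.mobile.getDocumentUrl();
 hash = isPath ? hash.replace( "#", "" ) : hash;
@@ -141,7 +141,7 @@ define( [ "jquery", "./jquery.mobile.navigation", "depend!./jquery.hashchange[jq
 // if there's no hash, we need to replacestate for returning to home
 if ( location.hash === "" ) {
- history.replaceState( self.state(), document.title, location.href );
+ history.replaceState( self.state(), document.title, $.mobile.path.getLocation() );
 }
 }
 });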
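Review bot: `getLocation()` now serves two different purposes in this file: as input to parsing (`parseLocation().hash`) and as a URL that is resolved against or written back (`resolutionUrl` in the `@@ -74,9` hunk and the third argument of `history.replaceState` in the `@@ -141,7` hunk). If the helper later starts re-encoding or otherwise altering the string for #4787, those two call sites would silently change the URL stored in history. A comment at each would flag the dependency, e.g. `// uses getLocation(): any normalisation added there also changes the URL stored here`. The enclosing handlers start outside the visible hunks.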