/lib/style/skins/saeon/searchPathQuery.js - Diff - Metacat - Ecoinformatics Redmine

« Previous | Next »

Revision 7678

Added by ben leinfelder almost 11 years ago

escape reserved XML characters when constructing a pathquery from user input (&). https://projects.ecoinformatics.org/ecoinfo/issues/3017

     function encodeXML(theString) {
     	return theString.replace(/&/g, '&amp;')
     		.replace(/</g, '&lt;')
     		.replace(/>/g, '&gt;')
     		.replace(/"/g, '&quot;');
+    }
     function generateQueryString(organizationScope, anyValue, searchFields) {
     	// make sure it is valid XML
     	var searchTerm = encodeXML(anyValue);
     	var queryString = "";
     	queryString += "<pathquery version='1.2'>";
     	queryString += "<returndoctype>metadata</returndoctype>";
-...
     		queryString += "<querygroup operator='UNION'>";
     		for (var i = 0; i < searchFields.length; i++) {
     			queryString += "<queryterm casesensitive='false' searchmode='contains'>";
     			queryString += "<value>" + anyValue + "</value>";
     			queryString += "<value>" + searchTerm + "</value>";
     			queryString += "<pathexpr>" + searchFields[i] +"</pathexpr>";
     			queryString += "</queryterm>";
+    		}
-...
+    	}
     	else {
     		queryString += "<queryterm casesensitive='false' searchmode='contains'>";
     		queryString += "<value>" + anyValue + "</value>";
     		queryString += "<value>" + searchTerm + "</value>";
     		queryString += "</queryterm>";
+    	}

Also available in: Unified diff