From de0fcab5f91b99aef1fabacf2596f79972e15172 Mon Sep 17 00:00:00 2001
From: Dominik Schmidt
Date: Mon, 17 Nov 2014 15:56:51 +0100
Subject: [PATCH] Add escape helper method to JSResolver
---
 src/libtomahawk/resolvers/JSResolver.cpp | 34 ++++++++++++++----------
 src/libtomahawk/resolvers/JSResolver.h | 5 ++++
 2 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/src/libtomahawk/resolvers/JSResolver.cpp b/src/libtomahawk/resolvers/JSResolver.cpp
index 5fd752133..e5f1c980e 100644
--- a/src/libtomahawk/resolvers/JSResolver.cpp
+++ b/src/libtomahawk/resolvers/JSResolver.cpp
@@ -325,7 +325,7 @@ JSResolver::artists( const Tomahawk::collection_ptr& collection )
 }
 QString eval = QString( "artists( '%1' )" )
- .arg( collection->name().replace( "\\", "\\\\" ).replace( "'", "\\'" ) );
+ .arg( escape( collection->name() ) );
 QVariantMap m = callOnResolver( eval ).toMap();
 if ( m.isEmpty() )
@@ -361,8 +361,8 @@ JSResolver::albums( const Tomahawk::collection_ptr& collection, const Tomahawk::
 }
 QString eval = QString( "albums( '%1', '%2' )" )
- .arg( collection->name().replace( "\\", "\\\\" ).replace( "'", "\\'" ) )
- .arg( artist->name().replace( "\\", "\\\\" ).replace( "'", "\\'" ) );
+ .arg( escape( collection->name() ) )
+ .arg( escape( artist->name() ) );
 QVariantMap m = callOnResolver( eval ).toMap();
 if ( m.isEmpty() )
@@ -398,9 +398,9 @@ JSResolver::tracks( const Tomahawk::collection_ptr& collection, const Tomahawk::
 }
 QString eval = QString( "tracks( '%1', '%2', '%3' )" )
- .arg( collection->name().replace( "\\", "\\\\" ).replace( "'", "\\'" ) )
- .arg( album->artist()->name().replace( "\\", "\\\\" ).replace( "'", "\\'" ) )
- .arg( album->name().replace( "\\", "\\\\" ).replace( "'", "\\'" ) );
+ .arg( escape( collection->name() ) )
+ .arg( escape( album->artist()->name() ) )
+ .arg( escape( album->name() ) );
 QVariantMap m = callOnResolver( eval ).toMap();
 if ( m.isEmpty() )
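Review bot: The chained `.arg()` calls in the `albums()` hunk re-scan text that has already been substituted, so a collection or artist name containing `%1` or `%2` is treated as a place marker by the next `.arg()` and the values land in the wrong slots; `escape()` does not touch `%`. Qt's multi-argument overload substitutes in a single pass and avoids this: `.arg( escape( collection->name() ), escape( artist->name() ) )`. The same pattern is in the `tracks()` hunk and in the `resolve()`/`search` and `canParseUrl()` hunks of this file, where `canParseUrl()` would need `QString::number( type )` for its second argument to use the multi-argument form. Each of these function bodies starts and ends outside its hunk.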
@@ -431,7 +431,7 @@ JSResolver::canParseUrl( const QString& url, UrlType type )
 if ( d->capabilities.testFlag( UrlLookup ) )
 {
 QString eval = QString( "canParseUrl( '%1', %2 )" )
- .arg( QString( url ).replace( "\\", "\\\\" ).replace( "'", "\\'" ) )
+ .arg( escape( QString( url ) ) )
 .arg( (int) type );
 return callOnResolver( eval ).toBool();
 }
@@ -462,7 +462,7 @@ JSResolver::lookupUrl( const QString& url )
 }
 QString eval = QString( "lookupUrl( '%1' )" )
- .arg( QString( url ).replace( "\\", "\\\\" ).replace( "'", "\\'" ) );
+ .arg( escape( QString( url ) ) );
 QVariantMap m = callOnResolver( eval ).toMap();
 if ( m.isEmpty() )
@@ -534,16 +534,16 @@ JSResolver::resolve( const Tomahawk::query_ptr& query )
 if ( !query->isFullTextQuery() )
 {
 eval = QString( "resolve( '%1', '%2', '%3', '%4' )" )
- .arg( query->id().replace( "\\", "\\\\" ).replace( "'", "\\'" ) )
- .arg( query->queryTrack()->artist().replace( "\\", "\\\\" ).replace( "'", "\\'" ) )
- .arg( query->queryTrack()->album().replace( "\\", "\\\\" ).replace( "'", "\\'" ) )
- .arg( query->queryTrack()->track().replace( "\\", "\\\\" ).replace( "'", "\\'" ) );
+ .arg( escape( query->id() ) )
+ .arg( escape( query->queryTrack()->artist() ) )
+ .arg( escape( query->queryTrack()->album() ) )
+ .arg( escape( query->queryTrack()->track() ) );
 }
 else
 {
 eval = QString( "search( '%1', '%2' )" )
- .arg( query->id().replace( "\\", "\\\\" ).replace( "'", "\\'" ) )
- .arg( query->fullTextQuery().replace( "\\", "\\\\" ).replace( "'", "\\'" ) );
+ .arg( escape( query->id() ) )
+ .arg( escape( query->fullTextQuery() ) );
 }
 QVariantMap m = callOnResolver( eval ).toMap();
@@ -1018,3 +1018,9 @@ JSResolver::callOnResolver( const QString& scriptSource )
 "}" ).arg( propertyName ).arg( scriptSource ) );
 }
+
+
+QString JSResolver::escape( const QString& source )
+{
+ return source.replace( "\\", "\\\\" ).replace( "'", "\\'" );
+}
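Review bot: The `QString( url )` temporary in the `canParseUrl()` hunk is a leftover from the inline version, where a mutable copy was needed to call `replace()` on a const reference. Now that the helper takes `const QString&`, the wrapper only obscures the call; `.arg( escape( url ) )` says the same thing. The `lookupUrl()` hunk has the identical leftover. Both function bodies extend beyond their hunks.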
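Review bot: The new `JSResolver::escape()` definition calls `replace()` on its `const QString&` parameter, but `QString::replace()` is a non-const member that edits the string in place, so this should not compile as written. The old call sites only worked because they operated on temporaries or explicit copies. Separately, the helper leaves line breaks untouched: the values come from track metadata and URLs, and a raw `\n`, `\r`, U+2028 or U+2029 inside the single-quoted literal makes the generated script unparsable, so the resolver call fails. The version below copies the argument and also escapes those line terminators, keeping the backslash replacement first so that later escapes are not doubled.

```cpp
QString JSResolver::escape( const QString& source )
{
    // QString::replace() edits in place, so work on a copy of the const argument.
    QString escaped = source;
    escaped.replace( "\\", "\\\\" ).replace( "'", "\\'" );
    // A raw line terminator would end the quoted literal early and break parsing.
    escaped.replace( "\n", "\\n" ).replace( "\r", "\\r" );
    escaped.replace( QChar( 0x2028 ), "\\u2028" ).replace( QChar( 0x2029 ), "\\u2029" );
    return escaped;
}
```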
diff --git a/src/libtomahawk/resolvers/JSResolver.h b/src/libtomahawk/resolvers/JSResolver.h
index f2163e3d7..3ba555bcf 100644
--- a/src/libtomahawk/resolvers/JSResolver.h
+++ b/src/libtomahawk/resolvers/JSResolver.h
@@ -111,6 +111,11 @@ private:
 */
 QVariant evaluateJavaScriptInternal( const QString& scriptSource );
+ /**
+ * Escape \ and ' in strings so they are safe to use in JavaScript
+ */
+ static QString escape( const QString& source );
+
 // encapsulate javascript calls
 QVariantMap resolverSettings();
 QVariantMap resolverUserConfig();
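Review bot: The doc comment on `escape()` promises more than the helper delivers: the result is only suitable between single quotes in a JavaScript string literal, and the caller has to supply those quotes. I would state that contract, e.g. `Escape \ and ' so the result can be placed inside a single-quoted JavaScript string literal; the caller adds the quotes.` It is also worth one more line saying the helper must not be used for double-quoted literals or any other script context, so a later caller does not read "safe to use in JavaScript" as a general guarantee.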