a70b8027e44113dc2e2ea9e27345d4f9def822c6 chmalee Mon Jun 30 12:26:39 2025 -0700 When checking whether to not double encode url values, do not call string replace on non-string values, refs #35799
diff --git src/hg/js/utils.js src/hg/js/utils.js
index dca5efc5b28..d510cdd46cd 100644
--- src/hg/js/utils.js
+++ src/hg/js/utils.js
@@ -1164,43 +1164,45 @@ if (count++ > 0) { retVal += "&"; } var val = varHash[aVar]; if (typeof(val) === 'string' && val.length >= 2 && val.indexOf('[') === 0 && val.lastIndexOf(']') === (val.length - 1)) { var vals = val.substr(1,val.length - 2).split(','); /* jshint loopfunc: true */// function inside loop works and replacement is awkward. $(vals).each(function (ix) { if (ix > 0) retVal += "&"; retVal += aVar + "=" + encodeURIComponent(this); });
- } else {
+ } else if (typeof(val) === 'string') {
 // sometimes val is already encoded or partially encoded // the CGI cannot know if user input is double encoded // so test for already encoded characters here and only // encode what we need to retVal += aVar + "=" + val.replace(/(%[0-9A-Fa-f]{2})+|[^%]+/g, (match) => { if (/%[0-9A-Fa-f]{2}/.test(match)) { // Already percent-encoded, leave as-is return match; } // Encode unencoded parts return encodeURIComponent(match); });
+ } else {
+ retVal += aVar + "=" + encodeURIComponent(val);
 } } return retVal; } function getAllVarsAsUrlData(obj) // DEAD CODE? { // Returns a string in the form of var1=val1&var2=val2... for all inputs and selects in an obj // If obj is undefined then obj is document! return varHashToQueryString(getAllVars(obj)); } /* function popupBox(popit, content, popTitle) {
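Review bot: The new fallback `else` passes every non-string through `encodeURIComponent(val)`, so a `null` or `undefined` entry in `varHash` is sent as the literal text `null` or `undefined`, and an array or object is string-coerced first (`a,b` or `[object Object]`) instead of being expanded the way the bracketed-string branch does. Whether such values can reach this function is not visible here (its start and its callers are outside the hunk), but the case is worth making explicit, for example `retVal += aVar + "=" + (val === null || val === undefined ? "" : encodeURIComponent(val));`. In the string branch this change keeps, a `%` that is not followed by two hex digits matches neither alternative of the regex and is emitted raw, which gives the CGI a malformed escape to decode. The parameter name `aVar` is also concatenated unencoded in all three branches, so a key containing `&`, `=` or `#` would change the structure of the query string; wrapping it in `encodeURIComponent(aVar)` would close that gap.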