views:

91

answers:

5

Hi,

I have a page that is supposed to display a larger version of an image when hovered over a thumbnail.

I have a 'div' with an ID and the JQuery code is as following:

$(document).ready(function(){

  $('img').hover(function() {

    var src = $("#im" + this.id).attr("src");
    $('#viewlarge').css('backgroundImage','url(' + src +')'); 
    return false;
  });

});

The images I use, are generated by a Ruby script that "generate" an image with a similar, yet different id. However, sometimes, photo's are uploaded that have "spaces" inside. My developer tools tell me that the background-image is not set correctly, yet the image path is correct and the browser don't have problems finding the image.

My question is, can I somehow sanitize the url 'src', so spaces won't be a problem? I am aware of doing this server side, yet I would like to know how to do this with JQuery/JS too.

Thanks!

A: 

Use Javascript encode function to encode your 'src'

E.g.

$('#viewlarge').css('backgroundImage','url(' + encode(src) +')'); 

I think you can also use Javascript 'escape' function as well

$('#viewlarge').css('backgroundImage','url(' + escape(src) +')');
J Angwenyi
Deprecated. Use encodeURIComponent
David Dorward
`encode` is deprecated, because of its lack of unicode support. `encodeURI` and `encodeURIComponent` are recommended replacements.
Andy E
encodeURI, how can I use that? Same as the encode() method?
Shyam
There's no such thing as `encode`. `escape` exists but is the wrong thing.
bobince
@bobince: *facepalm* I totally missed that and confused the two. `escape` was edited in afterwards. *someone put the kettle on!*
Andy E
Errr.. confused now :S
Shyam
@Shyam: in short, don't use `escape`.
Andy E
+3  A: 

Adding quotes around the URL should help:

  $('#viewlarge').css('backgroundImage','url("' + src +'")'); 

however, according to the W3C specs, white space must be escaped, so the URL encoding solution provided by @Andy E's head @bobince is the safest one.

Pekka
That would only help if the variable contained brackets. The question indicates that spaces are the problem.
David Dorward
@David - That is incorrect, +1 to offset.
Nick Craver
+1 - I was going to add this suggestion to [my answer](http://stackoverflow.com/questions/2856294/css-and-jquery-spaces-inside-image-name-break-code-of-url/2856309#2856309) until I saw you'd posted it.
Andy E
@David - http://stackoverflow.com/questions/2168855/css-url-whats-better Please read the spec before down-voting, you are incorrect: http://www.w3.org/TR/CSS2/syndata.html#value-def-uri
Nick Craver
And after poking at test cases, my vote is locked and I can't remove it. How annoying. It's a fairly weird bit of the spec which copes with broken URIs in an illogical way, but it turns out that it is right. Goes to show that there is always something new to learn. Of course, the "right" solution is still to fix the URI.
David Dorward
@David I edited my question. I agree though that the URI ultimately needs to be encoded, as Andy E and bobince point out.
Pekka
+5  A: 
  • Firstly, why are you letting clients determine the name of your images?
  • Secondly, why aren't you sanitizing them?
  • Thirdly, i suspect you aren't urlencoding the urls when you write them to the html (which would turn a space into a %20)
Andrew Bullock
1. Because they have a freaking scary big database with filepaths. Let's call this a migration issue.2. I will, I am still developing the replacement app.3. I am a n00b, what else can I add ;)
Shyam
cool, what site is it? i'll upload a file with a malformed name and inject javascript into your page and steal your users logins, takover a session and hijack an account, destroy some data and otherwise cause your business epic pain and expense. woo!
Andrew Bullock
* i wont. but someone could!
Andrew Bullock
You can make a point without being sarcastic. My apologies I wasn't born with a 500lbs security manual. Notice also the last sentence of my question. I thank you for highlighting the security issue, I am a bit less thankful for the hostile reply.
Shyam
apologies i didnt mean it in a hostile manner, i was being jovial ;)
Andrew Bullock
No problem, I am also asking this because I love JQuery, but I like to minimize the amount of 'plugins' that take care of these matters. Also, I think it is a good practice to learn how to sanitize with JavaScript too. In the Ruby language, it is normal to consider any data to be tainted that come from an external source.
Shyam
A: 

I would not allow images with spaces in their file names to be uploaded - doesn't seem good practice to me.

matpol
I am forcing that now too.
Shyam
+3  A: 

Spaces are not valid in a URI. They need to be encoded to %20.

You could src.replace(/ /g, '%20'), or more generally, encodeURI(src) to %-encode all characters that aren't valid in a URI. encodeURIComponent(src) is more common, but it would only work if the src was just a single relative filename; otherwise, it'd encode / and stop paths working.

However, the real problem is that the original img src is already broken and only working thanks to browser fixups correcting your error. You need to fix the Ruby script generating the page. You should be URL-encoding the filename before including it in the path; there are many more characters that can cause you problems than just space.

As Pekka said, you should also use quotes around the URL in the url(...) value. Whilst you can get away without them for many URLs, some characters would have to be \-escaped. Using double-quotes mean you can avoid that (no double-quotes can appear in a URL itself).

bobince
+1, I got `encodeURI` and `encodeURIComponent` mixed up in my answer.
Andy E
+1, Thank you for your clear explanation! I am going to try this.
Shyam