tags:

views:

91

answers:

5
+2  Q: 

CSS and JQuery: spaces inside image name break code of url()

Hi,

I have a page that is supposed to display a larger version of an image when hovered over a thumbnail.

I have a 'div' with an ID and the JQuery code is as following:

$(document).ready(function(){

  $('img').hover(function() {

    var src = $("#im" + this.id).attr("src");
    $('#viewlarge').css('backgroundImage','url(' + src +')'); 
    return false;
  });

});

The images I use, are generated by a Ruby script that "generate" an image with a similar, yet different id. However, sometimes, photo's are uploaded that have "spaces" inside. My developer tools tell me that the background-image is not set correctly, yet the image path is correct and the browser don't have problems finding the image.

My question is, can I somehow sanitize the url 'src', so spaces won't be a problem? I am aware of doing this server side, yet I would like to know how to do this with JQuery/JS too.

Thanks!

A: 

Use Javascript encode function to encode your 'src'

E.g.

$('#viewlarge').css('backgroundImage','url(' + encode(src) +')');

I think you can also use Javascript 'escape' function as well

$('#viewlarge').css('backgroundImage','url(' + escape(src) +')');
J Angwenyi  2010-05-18 10:20:21
Deprecated. Use encodeURIComponent
David Dorward  2010-05-18 10:22:33
`encode` is deprecated, because of its lack of unicode support. `encodeURI` and `encodeURIComponent` are recommended replacements.
Andy E  2010-05-18 10:22:34
encodeURI, how can I use that? Same as the encode() method?
Shyam  2010-05-18 10:23:35
There's no such thing as `encode`. `escape` exists but is the wrong thing.
bobince  2010-05-18 10:32:09
@bobince: *facepalm* I totally missed that and confused the two. `escape` was edited in afterwards. *someone put the kettle on!*
Andy E  2010-05-18 10:33:52
Errr.. confused now :S
Shyam  2010-05-18 10:49:01
@Shyam: in short, don't use `escape`.
Andy E  2010-05-18 10:57:37
+3  A: 

Adding quotes around the URL should help:

  $('#viewlarge').css('backgroundImage','url("' + src +'")');

however, according to the W3C specs, white space must be escaped, so the URL encoding solution provided by @Andy E's head @bobince is the safest one.

Pekka  2010-05-18 10:20:34
That would only help if the variable contained brackets. The question indicates that spaces are the problem.
David Dorward  2010-05-18 10:21:57
@David - That is incorrect, +1 to offset.
Nick Craver  2010-05-18 10:22:48
+1 - I was going to add this suggestion to [my answer](http://stackoverflow.com/questions/2856294/css-and-jquery-spaces-inside-image-name-break-code-of-url/2856309#2856309) until I saw you'd posted it.
Andy E  2010-05-18 10:23:09
@David - http://stackoverflow.com/questions/2168855/css-url-whats-better Please read the spec before down-voting, you are incorrect: http://www.w3.org/TR/CSS2/syndata.html#value-def-uri
Nick Craver  2010-05-18 10:30:26
And after poking at test cases, my vote is locked and I can't remove it. How annoying. It's a fairly weird bit of the spec which copes with broken URIs in an illogical way, but it turns out that it is right. Goes to show that there is always something new to learn. Of course, the "right" solution is still to fix the URI.
David Dorward  2010-05-18 10:33:21
@David I edited my question. I agree though that the URI ultimately needs to be encoded, as Andy E and bobince point out.
Pekka  2010-05-18 10:38:06
+5  A: 
  • Firstly, why are you letting clients determine the name of your images?
  • Secondly, why aren't you sanitizing them?
  • Thirdly, i suspect you aren't urlencoding the urls when you write them to the html (which would turn a space into a %20)
Andrew Bullock  2010-05-18 10:21:00
1. Because they have a freaking scary big database with filepaths. Let's call this a migration issue.2. I will, I am still developing the replacement app.3. I am a n00b, what else can I add ;)
Shyam  2010-05-18 10:26:18
cool, what site is it? i'll upload a file with a malformed name and inject javascript into your page and steal your users logins, takover a session and hijack an account, destroy some data and otherwise cause your business epic pain and expense. woo!
Andrew Bullock  2010-05-18 10:32:36
* i wont. but someone could!
Andrew Bullock  2010-05-18 10:33:44
You can make a point without being sarcastic. My apologies I wasn't born with a 500lbs security manual. Notice also the last sentence of my question. I thank you for highlighting the security issue, I am a bit less thankful for the hostile reply.
Shyam  2010-05-18 10:40:51
apologies i didnt mean it in a hostile manner, i was being jovial ;)
Andrew Bullock  2010-05-18 10:43:35
No problem, I am also asking this because I love JQuery, but I like to minimize the amount of 'plugins' that take care of these matters. Also, I think it is a good practice to learn how to sanitize with JavaScript too. In the Ruby language, it is normal to consider any data to be tainted that come from an external source.
Shyam  2010-05-18 10:52:28
A: 

I would not allow images with spaces in their file names to be uploaded - doesn't seem good practice to me.

matpol  2010-05-18 10:22:32
I am forcing that now too.
Shyam  2010-05-18 10:46:39
+3  A: 

Spaces are not valid in a URI. They need to be encoded to %20.

You could src.replace(/ /g, '%20'), or more generally, encodeURI(src) to %-encode all characters that aren't valid in a URI. encodeURIComponent(src) is more common, but it would only work if the src was just a single relative filename; otherwise, it'd encode / and stop paths working.

However, the real problem is that the original img src is already broken and only working thanks to browser fixups correcting your error. You need to fix the Ruby script generating the page. You should be URL-encoding the filename before including it in the path; there are many more characters that can cause you problems than just space.

As Pekka said, you should also use quotes around the URL in the url(...) value. Whilst you can get away without them for many URLs, some characters would have to be \-escaped. Using double-quotes mean you can avoid that (no double-quotes can appear in a URL itself).

bobince  2010-05-18 10:28:00
+1, I got `encodeURI` and `encodeURIComponent` mixed up in my answer.
Andy E  2010-05-18 10:35:38
+1, Thank you for your clear explanation! I am going to try this.
Shyam  2010-05-18 10:44:17

related questions

IE7 HTML/CSS margin-bottom bug.
IE7: header above menu
How to create an all browser-compatible hanging indent style in CSS in a span
How can you customize the numbers in an ordered list?
style.display not working in Firefox, Opera, Safari - IE7 OK
Best WYSIWYG CSS editor?
How important is W3C XHTML/CSS validation when finalizing work?
Solve the IE select overlap bug
IE8 overflow:auto with max-height
Autosizing Textarea
What is the best way to create rounded corners using CSS?
FF3 WinXP != FF3 Ubuntu - why?
Is there a business reason for striving for pure CSS layout?
How to set up a CSS switcher in ASP.NET
Setting a div's height in HTML with CSS
Wrapping lists into columns
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
What sites offer free, quality web site design templates?
Can you recommend a good CSS online resource or book?
Html CSS Editor
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?