From 21c946fd99dcfddd10d0e9f593c2ba165c8dc7e8 Mon Sep 17 00:00:00 2001
From: Brett Zamir
Date: Sat, 1 Feb 2014 16:13:51 +0000
Subject: [PATCH] server_opensave-related changes: 1) Be more lenient in filename possibilities for server_opensave (supporting Unicode except characters disallowed in Windows file names); 2) XHTML escape filename and SVG content when put into HTML hidden input element as opposed to unnecessary URL-encoding; 3) fix base64 encoding (with update to dependent utf8-encoding function)--old base64 code caused SVG to break with surrogate pairs (e.g., in title); 4) provide default UTF-8 encoding in XML declaration and add this XML declaration to the download attribute as well
git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2662 eee81c28-f429-11dd-99c0-75d572ba1ddd
---
editor/extensions/ext-php_savefile.js | 2 +-
editor/extensions/ext-server_opensave.js | 30 ++++----
editor/extensions/filesave.php | 30 +++++---
editor/svgutils.js | 88 ++++++++++++++++--------
4 files changed, 101 insertions(+), 49 deletions(-)
diff --git a/editor/extensions/ext-php_savefile.js b/editor/extensions/ext-php_savefile.js
index 191ba0cb..e26d07aa 100644
--- a/editor/extensions/ext-php_savefile.js
+++ b/editor/extensions/ext-php_savefile.js
@@ -8,7 +8,7 @@ svgEditor.addExtension("php_savefile", {
'use strict';
function getFileNameFromTitle () {
var title = svgCanvas.getDocumentTitle();
- return $.trim(title); // .replace(/[^a-z0-9\.\_\-]+/gi, '_'); // We could do this more stringent client-side filtering, but we need to do on the server anyways
+ return $.trim(title);
}
var save_svg_action = 'extensions/savefile.php';
svgEditor.setCustomHandlers({
diff --git a/editor/extensions/ext-server_opensave.js b/editor/extensions/ext-server_opensave.js
index ac7b351b..371c4a33 100644
--- a/editor/extensions/ext-server_opensave.js
+++ b/editor/extensions/ext-server_opensave.js
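Review bot: The new `return $.trim(title);` now posts the document title to the server with no character filtering at all, while the sibling getFileNameFromTitle in ext-server_opensave.js in this same commit strips the Windows-disallowed characters client-side; the deleted comment relied on the server doing the filtering, and the script this extension posts to (`extensions/savefile.php`) is not part of this diff, so nothing here shows that it does. Keep the two extensions consistent by applying the same replacement: `return $.trim(title).replace(/[\/\\:*?"<>|]/g, '_');`. The handler that actually sends the name lies outside the hunk.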
@@ -13,7 +13,11 @@ svgEditor.addExtension("server_opensave", {
'use strict';
function getFileNameFromTitle () {
var title = svgCanvas.getDocumentTitle();
- return $.trim(title).replace(/[^a-z0-9\.\_\-]+/gi, '_');
+ // We convert (to underscore) only those disallowed Win7 file name characters
+ return $.trim(title).replace(/[\/\\:*?"<>|]/g, '_');
+ }
+ function xhtmlEscape(str) {
+ return str.replace(/&/g, '&').replace(/"/g, '"').replace(/').hide().appendTo('body');
svgEditor.setCustomHandlers({
save: function(win, data) {
- var svg = "\n" + data,
+ var svg = '\n' + data, // Firefox doesn't seem to know it is UTF-8 (if we skip the clientDownload code) despite the Content-Disposition header containing UTF-8, but adding the encoding works
filename = getFileNameFromTitle();
- //if (clientDownloadSupport(filename, '.svg', 'data:image/svg+xml,' + encodeURI(data))) { // Firefox limits size of file
- if (clientDownloadSupport(filename, '.svg', 'data:image/svg+xml;base64,' + svgedit.utilities.encode64(data))) {
+ // if (clientDownloadSupport(filename, '.svg', 'data:image/svg+xml,' + encodeURI(data))) { // Firefox limits size of file
+ if (clientDownloadSupport(filename, '.svg', 'data:image/svg+xml;base64,' + svgedit.utilities.encode64(svg))) {
return;
}
- + $('
').attr({
method: 'post',
action: save_svg_action,
target: 'output_frame'
- }) .append('')
- .append('')
+ }).append('')
+ .append('')
.appendTo('body')
.submit().remove();
},
@@ -70,8 +74,8 @@ svgEditor.addExtension("server_opensave", {
uiStrings = svgEditor.uiStrings,
note = '';
- // Check if there's issues
- if(issues.length) {
+ // Check if there are issues
+ if (issues.length) {
pre = "\n \u2022 ";
note += ("\n\n" + pre + issues.join(pre));
}
@@ -91,9 +95,9 @@ svgEditor.addExtension("server_opensave", {
method: 'post',
action: save_img_action,
target: 'output_frame'
- }) .append('')
+ }).append('')
.append('')
- .append('')
+ .append('')
.appendTo('body')
.submit().remove();
}});
@@ -103,7 +107,7 @@ svgEditor.addExtension("server_opensave", {
});
// Do nothing if client support is found
- if(window.FileReader) {return;}
+ if (window.FileReader) {return;}
// Change these to appropriate script file
open_svg_action = 'extensions/fileopen.php?type=load_svg';
@@ -113,7 +117,7 @@ svgEditor.addExtension("server_opensave", {
// Set up function for PHP uploader to use
svgEditor.processFile = function(str64, type) {
var xmlstr;
- if(cancelled) {
+ if (cancelled) {
cancelled = false;
return;
}
diff --git a/editor/extensions/filesave.php b/editor/extensions/filesave.php
index 0bca52ee..95d7e044 100644
--- a/editor/extensions/filesave.php
+++ b/editor/extensions/filesave.php
@@ -9,6 +9,15 @@
*
*/
+function encodeRFC5987ValueChars ($str) {
+ // See http://tools.ietf.org/html/rfc5987#section-3.2.1
+ // For better readability within headers, add back the characters escaped by rawurlencode but still allowable
+ // Although RFC3986 reserves "!" (%21), RFC5987 does not
+ return preg_replace_callback('@%(2[1346B]|5E|60|7C)@', function ($matches) {
+ return chr('0x' . $matches[1]);
+ }, rawurlencode($str));
+}
+
require('allowedMimeTypes.php');
$mime = !isset($_POST['mime']) || !in_array($_POST['mime'], $allowedMimeTypesBySuffix) ? 'image/svg+xml' : $_POST['mime'];
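Review bot: The new filename regex `/[\/\\:*?"<>|]/g` covers the printable characters Windows rejects but not the C0 control characters (NUL, TAB, CR, LF), which Windows rejects as well and which a `<title>` presumably read from an opened file can contain; the old `[^a-z0-9._-]` filter stopped them, the new one lets them through to the `download` attribute and the posted filename. Extend the class: `return $.trim(title).replace(/[\/\\:*?"<>|\x00-\x1f]/g, '_');`. Separately, as rendered here the replacement strings in `xhtmlEscape` appear as bare `&` and `"` and the rest of the function is missing, so I cannot confirm the entities are `&amp;`, `&quot;`, `&lt;`, `&gt;` — please verify, since that function is all that keeps the title and SVG content from breaking out of the hidden input's `value` attribute.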
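Review bot: `chr('0x' . $matches[1])` in encodeRFC5987ValueChars relies on PHP treating a hexadecimal string as numeric, which PHP 5 did but PHP 7 and later do not; there `'0x21'` coerces to 0, so every character this callback tries to restore becomes a NUL byte inside the Content-Disposition header. Convert explicitly: `return chr(hexdec($matches[1]));`. A one-line docblock saying that `$str` is expected to be UTF-8 (the header this feeds declares `UTF-8''`) and that the result is meant for a `filename*` parameter would also help the next reader.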
@@ -28,19 +37,24 @@ if (isset($_POST['filename']) && strlen($_POST['filename']) > 0) {
}
if ($suffix == '.svg') {
- $contents = rawurldecode($_POST['output_svg']);
+ $contents = $_POST['output_svg'];
} else {
$contents = $_POST['output_img'];
$pos = (strpos($contents, 'base64,') + 7);
$contents = base64_decode(substr($contents, $pos));
}
- header("Cache-Control: public");
- header("Content-Description: File Transfer");
- header("Content-Disposition: attachment; filename=" . $file);
- header("Content-Type: " . $mime);
- header("Content-Transfer-Encoding: binary");
-
- echo $contents;
+header("Cache-Control: public");
+header("Content-Description: File Transfer");
+
+// See http://tools.ietf.org/html/rfc6266#section-4.1
+header("Content-Disposition: attachment; filename*=UTF-8''" . encodeRFC5987ValueChars(
+ // preg_replace('@[\\\\/:*?"<>|]@', '', $file) // If we wanted to strip Windows-disallowed characters server-side (but not a security issue, so we can strip client-side instead)
+ $file
+));
+header("Content-Type: " . $mime . 'charset=utf-8');
+header("Content-Transfer-Encoding: binary");
+
+echo $contents;
?>
\ No newline at end of file
diff --git a/editor/svgutils.js b/editor/svgutils.js
index 459be9a8..1a1bcd49 100644
--- a/editor/svgutils.js
+++ b/editor/svgutils.js
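Review bot: `header("Content-Type: " . $mime . 'charset=utf-8');` is missing the parameter separator, so the response advertises `image/svg+xmlcharset=utf-8`, which is not a valid media type and leaves the browser to guess what it received. Write `header("Content-Type: " . $mime . '; charset=utf-8');`. Because the body is whatever the client posted in `output_svg`/`output_img` and is echoed back verbatim, it is also worth adding `header("X-Content-Type-Options: nosniff");` beside it, so a malformed or sniffed type cannot turn the attachment into an inline document. The `$file`/`$suffix` derivation this hunk depends on starts before the hunk.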
@@ -82,11 +82,11 @@ svgedit.utilities.fromXml = function(str) {
// Converts a string to base64
svgedit.utilities.encode64 = function(input) {
// base64 strings are 4/3 larger than the original string
-// input = svgedit.utilities.encodeUTF8(input); // convert non-ASCII characters
- input = svgedit.utilities.convertToXMLReferences(input);
- if(window.btoa) {
- return window.btoa(input); // Use native if available
- }
+ input = svgedit.utilities.encodeUTF8(input); // convert non-ASCII characters
+ // input = svgedit.utilities.convertToXMLReferences(input);
+ if (window.btoa) {
+ return window.btoa(input); // Use native if available
+ }
var output = new Array( Math.floor( (input.length + 2) / 3 ) * 4 );
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
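Review bot: encode64 can now throw — the `svgedit.utilities.encodeUTF8` it calls raises `RangeError` on an unpaired surrogate (see the function added further down in this diff), and the `save` handler in ext-server_opensave.js that calls `encode64(svg)` does not catch it, so a stray surrogate in the document would abort the save with an uncaught exception instead of being reported. Either catch it at the caller or state the contract here; I would put above the new call: `// Re-encode UTF-16 text as a byte string so btoa() accepts it; throws RangeError on an unpaired surrogate`. The commented-out `convertToXMLReferences` line should be deleted rather than left as dead code; the manual fallback that makes up the rest of encode64 continues past the hunk.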
@@ -158,28 +158,62 @@ svgedit.utilities.decode64 = function(input) {
};
// Currently not being used, so commented out for now
-// based on http://phpjs.org/functions/utf8_encode:577
-// codedread:does not seem to work with webkit-based browsers on OSX
-// 'encodeUTF8': function(input) {
-// //return unescape(encodeURIComponent(input)); //may or may not work
-// var output = '';
-// for (var n = 0; n < input.length; n++){
-// var c = input.charCodeAt(n);
-// if (c < 128) {
-// output += input[n];
-// }
-// else if (c > 127) {
-// if (c < 2048){
-// output += String.fromCharCode((c >> 6) | 192);
-// }
-// else {
-// output += String.fromCharCode((c >> 12) | 224) + String.fromCharCode((c >> 6) & 63 | 128);
-// }
-// output += String.fromCharCode((c & 63) | 128);
-// }
-// }
-// return output;
-// },
+// based on http://phpjs.org/functions/utf8_encode
+// codedread:does not seem to work with webkit-based browsers on OSX // Brettz9: please test again as function upgraded
+svgedit.utilities.encodeUTF8 = function (argString) {
+ //return unescape(encodeURIComponent(input)); //may or may not work
+ if (argString === null || typeof argString === 'undefined') {
+ return '';
+ }
+
+ var string = String(argString); // .replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+ var utftext = '',
+ n, start, end, stringl = 0;
+
+ start = end = 0;
+ stringl = string.length;
+ for (n = 0; n < stringl; n++) {
+ var c1 = string.charCodeAt(n);
+ var enc = null;
+
+ if (c1 < 128) {
+ end++;
+ } else if (c1 > 127 && c1 < 2048) {
+ enc = String.fromCharCode(
+ (c1 >> 6) | 192, (c1 & 63) | 128
+ );
+ } else if (c1 & 0xF800 != 0xD800) {
+ enc = String.fromCharCode(
+ (c1 >> 12) | 224, ((c1 >> 6) & 63) | 128, (c1 & 63) | 128
+ );
+ } else { // surrogate pairs
+ if (c1 & 0xFC00 != 0xD800) {
+ throw new RangeError('Unmatched trail surrogate at ' + n);
+ }
+ var c2 = string.charCodeAt(++n);
+ if (c2 & 0xFC00 != 0xDC00) {
+ throw new RangeError('Unmatched lead surrogate at ' + (n - 1));
+ }
+ c1 = ((c1 & 
0x3FF) << 10) + (c2 & 0x3FF) + 0x10000;
+ enc = String.fromCharCode(
+ (c1 >> 18) | 240, ((c1 >> 12) & 63) | 128, ((c1 >> 6) & 63) | 128, (c1 & 63) | 128
+ );
+ }
+ if (enc !== null) {
+ if (end > start) {
+ utftext += string.slice(start, end);
+ }
+ utftext += enc;
+ start = end = n + 1;
+ }
+ }
+
+ if (end > start) {
+ utftext += string.slice(start, stringl);
+ }
+
+ return utftext;
+};
// Function: svgedit.utilities.convertToXMLReferences
// Converts a string to use XML references
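Review bot: The three surrogate tests in the new encodeUTF8 are mis-parenthesised: in JavaScript `!=` binds tighter than `&`, so `c1 & 0xF800 != 0xD800` parses as `c1 & (0xF800 != 0xD800)`, i.e. `c1 & 1`, and the two `0xFC00` checks degrade the same way. The effect is that every even BMP code unit at or above U+0800 (e.g. U+672C) is taken for a lead surrogate and fused with the following unit into a bogus four-byte sequence (or raises 'Unmatched lead surrogate' when that unit is odd), while odd lone surrogates are silently emitted as three-byte sequences — so the surrogate-pair fix this commit advertises does not hold for ordinary CJK text. The conditions should read `} else if ((c1 & 0xF800) !== 0xD800) {`, `if ((c1 & 0xFC00) !== 0xD800) {` and `if ((c2 & 0xFC00) !== 0xDC00) {`. A header comment stating that the input is a UTF-16 string and the result is a string whose char codes are the UTF-8 bytes (the form btoa() needs) would also document the contract encode64 now depends on.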