Opened 11 years ago

Closed 7 years ago

#14237 closed defect (patchwelcome)

dojox.form.uploader.plugins.Flash Return Data is not escaped

Reported by: leader Owned by: dylan
Priority: high Milestone: 1.11
Component: DojoX Uploader Version: 1.6.1
Keywords: Cc:
Blocked By: Blocking:


If the file name contains reserved characters (=&,) Internet Explore signals a syntax error.

Possible work-around is to escape data on the server and to unescape fields in the returned array from onComplete event.

My work around: Server Apache2 mod_perl:

    use URI::Escape;
    my $upload = $r->upload('flashUploadFiles'); $r is istance of Apache2::Request  
    $return_data = 'file='.uri_escape($upload_dir.'/'.$upload->filename).',name='.uri_escape($upload->filename).',type='.uri_escape($upload->type).',size='.$upload->size.',width=,height=';

Client IE 8 & 9:

    dojo.connect(dijit.byId('uploader'), 'onComplete', function(params) {
      console.debug('uploader onComplete', unescape(dojo.toJson(params)));

Change History (3)

comment:1 Changed 11 years ago by bill

Milestone: tbd

comment:2 Changed 7 years ago by dylan

Owner: changed from Mike Wilcox to dylan
Status: newassigned

comment:3 Changed 7 years ago by dylan

Milestone: tbd1.11
Resolution: patchwelcome
Status: assignedclosed

Definitely possible, and my apologies that you've not had a response to this previously.

Given that no one has addressed this in 4 years, and we're trying to make our tickets manageable, I'm going to mark this as patchwelcome. If you want to create a pull request via github following the guidelines at ​ , we'll review and land it.

Note: See TracTickets for help on using tickets.