From f7f2f501f5ab9dacd37859625c8a898dbe60315c Mon Sep 17 00:00:00 2001
From: aplave
Date: Sun, 22 Dec 2019 10:32:17 -0800
Subject: [PATCH 1/2] Wrap URL parameter decoding in try-catch for safety
---
 src/openseadragon.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/openseadragon.js b/src/openseadragon.js
index 8ecd2f3b..6840e53d 100644
--- a/src/openseadragon.js
+++ b/src/openseadragon.js
@@ -2586,8 +2586,13 @@ function OpenSeadragon( options ){
 sep = part.indexOf( '=' );
 if ( sep > 0 ) {
- URLPARAMS[ part.substring( 0, sep ) ] =
- decodeURIComponent( part.substring( sep + 1 ) );
+ var key = part.substring( 0, sep ),
+ value = part.substring( sep + 1 );
+ try {
+ URLPARAMS[ key ] = decodeURIComponent( value );
+ } catch (e) {
+ $.console.error( "Ignoring malformed URL parameter: %s=%s", key, value );
+ }
 }
 }
From 0953bb4be835a15484df651ab2793d2017df4d48 Mon Sep 17 00:00:00 2001
From: aplave
Date: Sun, 22 Dec 2019 10:33:15 -0800
Subject: [PATCH 2/2] Move $.console declaration up so $.Browser can make use of it
---
 src/openseadragon.js | 50 ++++++++++++++++++++++----------------------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/src/openseadragon.js b/src/openseadragon.js
index 6840e53d..d5b68441 100644
--- a/src/openseadragon.js
+++ b/src/openseadragon.js
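Review bot: The `$.console.error` call added in the catch block of the first patch (the `@@ -2586,8 +2586,13 @@` hunk) echoes the raw, undecoded `key` and `value` straight from the page URL, so anything a crafted link puts in the query string ends up in the console and in any error-reporting tool that captures `console.error` output. Query strings can also carry tokens, so I would log only the parameter name and bound its length, for example `$.console.error( "Ignoring malformed URL parameter: %s", key.substring( 0, 64 ) );`. Separately, `key` is still used undecoded as the property name on `URLPARAMS`, and a comment such as `// keys are matched in their raw, still percent-encoded form` above the assignment would make that explicit. The enclosing loop and function start and end outside this hunk, so how `URLPARAMS` is declared and read is not visible here.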
@@ -2491,6 +2491,31 @@ function OpenSeadragon( options ){
 });
+ //TODO: $.console is often used inside a try/catch block which generally
+ // prevents allowings errors to occur with detection until a debugger
+ // is attached. Although I've been guilty of the same anti-pattern
+ // I eventually was convinced that errors should naturally propagate in
+ // all but the most special cases.
+ /**
+ * A convenient alias for console when available, and a simple null
+ * function when console is unavailable.
+ * @static
+ * @private
+ */
+ var nullfunction = function( msg ){
+ //document.location.hash = msg;
+ };
+
+ $.console = window.console || {
+ log: nullfunction,
+ debug: nullfunction,
+ info: nullfunction,
+ warn: nullfunction,
+ error: nullfunction,
+ assert: nullfunction
+ };
+
+
 /**
 * The current browser vendor, version, and related information regarding detected features.
 * @member {Object} Browser
@@ -2616,31 +2641,6 @@ function OpenSeadragon( options ){
 })();
- //TODO: $.console is often used inside a try/catch block which generally
- // prevents allowings errors to occur with detection until a debugger
- // is attached. Although I've been guilty of the same anti-pattern
- // I eventually was convinced that errors should naturally propagate in
- // all but the most special cases.
- /**
- * A convenient alias for console when available, and a simple null
- * function when console is unavailable.
- * @static
- * @private
- */
- var nullfunction = function( msg ){
- //document.location.hash = msg;
- };
-
- $.console = window.console || {
- log: nullfunction,
- debug: nullfunction,
- info: nullfunction,
- warn: nullfunction,
- error: nullfunction,
- assert: nullfunction
- };
-
-
 // Adding support for HTML5's requestAnimationFrame as suggested by acdha.
 // Implementation taken from matt synder's post here:
 // http://mattsnider.com/cross-browser-and-legacy-supported-requestframeanimation/