I'm using selected/highlighted text by the user to generate the intent/tweet?text= content for the Twitter widget's "Tweet text" function.
It works great except when it encounters either opening or closing double/single curly quotes within the element's content: ‘ ’ “ ” (‘ ’ “ ”). When any of those characters is included in the selected text, the entire Tweet text dialog window is blank.
I've tried various javascript methods to search/replace the ASCII codes or the Unicode versions of those but to no avail.
The escape(text) method is already being used before the text gets to the Twitter widget, so I'm confused as to why it's choking. In the location bar it shows that these characters are being converted to their Unicode versions like u201C.
What could be causing the Tweet text box to fail on these characters even though it seems to be properly converting them anyway?
I discovered that one needs to search/replace the literal entities themselves, not ASCII codes nor their Unicode counterparts.
So the solution for using selected text in a Twitter widget text intent is:
text = text.replace(/“/g, "\'").replace(/”/g, "\'").replace(/‘/g, "\'").replace(/’/g, "\'");
The entities don't need to be escaped.
Related
Based on this article
https://resources.infosecinstitute.com/topic/how-to-prevent-cross-site-scripting-attacks/
Reflected XXS happens when data injected is reflected in the response. I get the idea that if I, for example, have a search box in my page and the search term inputted by a user is displayed in the page, someone could write as a search term:
<script>alert('x');</script>
and that would be read as regular HTML element in the page that displays the response.
But lets say greater than and less than are already blocked in input (meaning they wouldn't be able to put in script tags or any tag), what's the issue if I allow single quote, double quote, ampersand, and backslash reflected in the response. I'm trying to make sense of it but I am not sure if I am understanding correctly.
Today the web stack is big and complex with many languages. We have HTML, CSS, JavaScript, VB-Script, SVG, URLs…
Each with its own rules for:
Encoding
Quoting
Commenting
Escaping
Also, each one can be nested inside each other:
And just replacing <> fixes some issues, but not all of them as you don't know where you data will end up, is it in HTML? as a HTML Attribute? inside a JavaScript string? Each one needs different encoding to become safe.
So, the world is a bit more complicated.....
I want to write text in some custom fonts using keyboard Extension as these apps (1,2,3,4) are doing. I know how we can insert normal string in document proxy.
[self.textDocumentProxy insertText:mystring];
I have tried to insert NSAttributedString using above approach but I can't see any way to insert NSAttributedString to document proxy.
Some one can guide what will the best way to get rid of this issue? any suggestion will be appreciated.
It is not possible to insert attributed strings (or otherwise rich content) using the text document proxy.
The keyboards you have linked are not using custom fonts. They use (or abuse) Unicode symbols such as Enclosed Alphanumerics and Enclosed Alphanumeric Supplement.
In other instances, different alphabet symbols with visual similarity to latin symbols are used to create "funky" text, like here.
Last, some keyboard extensions, like the image keyboards, use the pasteboard to copy the rich content, and the user is responsible to paste it where he seems fit.
The apps you are referring to don't use NSAttributedString or custom fonts. They simply replace letters with similar-looking Unicode characters. You can see these characters in any OS X app inside Edit -> Special Characters menu.
I am currently working on an app that connects to custom server using NSStream. Once connected the app allows for user input via a textfield. In order for the server to recognize an incoming command a \t needs to be first and then the string from something like self.inputField.text.
I have everything working up to this point as far as opening/closing of sockets, sending/receiving etc.
The problem is my sent string looks like so: \tSOMECOMMAND but the \t is not being interpreted as a tab but as string '\tSOMECOMMAND'. How can I prepend a \t (tab) to the text in my input field?
As always thanks in advance!
You shouldn't require the user to add the tab character as it's counter-intuitive, easy to forget and an implementation detail they don't need to know about.
In your controller object:
Get the string from the text field.
Prepend the tab character.
Send the string to the server.
A user typing a backslash and a 't' is not necessarily the same as an escape sequence for a tab.
Those will be sent as two literal characters.
Your code needs to identify that escape sequence string and replace the string with a tab character. That's what the compiler does to an escape sequence when it is found within delimiters within which it expects there might be an escape sequence.
I am writing a utility app for some coworkers. The app is essentially a custom notepad, with buttons that represent the shorthand they use to transcribe a task. All of the buttons add a string to arrays that I have set up to hold the transcript, and I add the strings to the row arrays like this.
[currentRow addObject:#"("];
Some of the shorthand needs to be written in subscript, and some in superscript. There are not Unicode characters for all of the characters that I need, so I have been trying to sort through the code around Attributed Strings,but I'm not quite getting it. Does anyone have advice on this or some sample code?
Also, after this transcript is printed to the screen during transcription, I send it to an email message body.. so I assume I'll need to worry about formatting there as well. I am currently using plain text, but the email could be HTML. Thanks!
If you display the text in a WebView you can use html tags to set superscript. It also has the advantage to run on older iOS versions and you can reuse the text in your mail.
NSString *myText=#"This text contains <sub>subscript</sub> and <sup>superscript</sup> text.";
[self.myWebView loadHTMLString:myText baseURL:nil];
My website is XHTML Transitional compliant except for one thing: the & (ampersand) in the URL are written as it is, instead of &
That is, all the URLs in my pages are usually like this:
Foo
But XHTML validator generates this error:
cannot generate system identifier for general entity "y"
... and it wants the URL to be written like this:
Foo
The problem is that Internet Explorer and Firefox don't handle the URL correctly and ignore the y parameter. How can I make this link work and validate correctly?
It seems to me that it is impossible to write XHTML pages if the browsers don't work with strict encoded XHTML URLs.
Do you want to see in action? See the difference between these two links (copy and paste them as they are):
http://stackoverflow.com/search?q=ff&sort=newest
and
http://stackoverflow.com/search?q=ff&sort=newest
I have just tried this. What you attempted to do is correct. In HTML if you are writing a link the & characters should be encoded as & You would only encode the & as %26 if you wanted a parameter value to contain an ampersand. I just wrote a simple HTML page that contained a link: Click me
and it worked fine: default2.aspx received the parameters intended and the source passed validation.
The encoding of & as & is required in HTML, not in the link. When the browser sees the & in the HTML source for a link it will interpret it as an ampersand and the link target will be as intended. If you paste a URL into your browser address bar it does not expect it to be HTML and does not try to interpret any HTML encoding that it may contain. This is why your example links that you suggest we should copy/paste into a browser don't work and why we wouldn't expect them to work.
If you post a bit more of your actual code we might be able to see what you have done wrong, but you appear to be heading the right direction by using & in your anchor tags.
It was my fault: the hyperlink control already encoded &, so my URL http://foo?x=1&y=2 was encoded to http://foo?x=1&y=2
Normally the & inside the URL is correctly handled by browsers, as you stated.
You could use & instead of & in your URL within your page.
That should allow it to be validated as strict XHTML...
Foo
Note, if used by an ASP.NET Request.QueryString function, the query string doesn't use XML encoding; it uses URL encoding:
/mypath/mypage?b=%26stuff
So you need to provide a function translating '&' into %26.
Note: in that case, Server.URLEncode(”neetu & geetu”), which would produce neetu+%26+geetu, is not what you want, since you need to translate & into %26, not just '&'. You must add a replace() call applied to URLEncode result, in order to replace '%26amp;' by '%26'.
To be even more thorough: use &, a numeric character reference.
Because & is a character entity reference:
Character entity references are defined in the markup language
definition. This means, for example, that for HTML only a specific
range of characters (defined by the HTML specification) can be
represented as character entity references (and that includes only a
small subset of the Unicode range).
That's coming from the wise people at W3C (read this for more).
Of course, this is not a very big deal, but the suggestion of W3C is that the numeric one will be valid and useable everywhere and always, while the named one is 'fine' for HTML but nothing more.
The problem is worse than you think - try it in Safari. & gets converted to & and the hash ends the URL.
The correct answer is to not output XHTML - there's no reason that justifies spending more time on development and alienating Mac users.