bmcwhorter

Set Element Link Attribute encoded differently in flash and javascript

Recommended Posts

Hi,

 

If you have the following chart and run it in flash and then javascript, the set elements link attributes are encoded differently.  The links produced will provide different values for the variables.  This leads to us not being able to process the variables because they come out differently for each chart.  Why are you encoding them in different ways?  Very annoying.

 

<?xml version="1.0" encoding="UTF-8"?>
-<graph canvasPadding="0" plotFillAlpha="100" plotFillColor="00558e" lineDashed="0" useRoundEdges="1" rotateValues="1" showValues="0" divLineColor="000000" canvasBgColor="dad9da" rotateLabels="1" xaxisname="X-Axis" yaxisname="Y-Axis" imageSaveURL="rdTemplate/rdAnimatedChart/FCExporter.aspx" imageSave="1" unescapeLinks="0" showBorder="0" chartBottomMargin="" chartTopMargin="" chartRightMargin="" chartLeftMargin="" numberPrefix="" showLabels="1" bgColor="ffffff" Caption="" animation="1" showFCMenuItem="0">-<styles>-<definition><style type="font" color="5b5b5b" size="11" font="Helvetica" name="DataLabelsFontStyle"/><style type="font" color="5b5b5b" size="11" font="Helvetica" name="YAXISVALUESFontStyle"/><style type="font" color="5b5b5b" size="11" font="Helvetica" name="LegendFontStyle"/></definition>-<application><apply styles="DataLabelsFontStyle" toObject="DataLabels"/><apply styles="YAXISVALUESFontStyle" toObject="YAXISVALUES"/><apply styles="LegendFontStyle" toObject="Legend"/></application></styles>
<set color="00558e" link="javascript:SubmitForm('somePage.aspx?rdReport=19285&var=Toms%2bSpezialit%25c3%25a4ten&var2=7%252f5%252f1996','','false','',null,null)" alpha="100" label="Toms Spezialitäten" value="11.6100"/><set color="00558e" link="javascript:SubmitForm('somePage.aspx?rdReport=19285&var=Vins%2bet%2balcools%2bChevalier&var2=7%252f4%252f1996','','false','',null,null)" alpha="100" label="Vins et alcools Chevalier" value="32.3800"/>
<trendlines/></graph>

Share this post


Link to post
Share on other sites

The difference is primarily because our JS variant of charts tries to minimise needless pre-encoding and also uses .encodeURIComponent API to encode strings.

 

encodeURIComponent has support to encode extended UTF charset, which is very important for multilingual support.

 

Also, there is another layer of encoding that is done by flash player while it communicates with JS on a page. We have no control on the same.

 

Try running unescape or decodeUriComponent on the links parameters in your SubmitForm function and that should unify the outputs. The idea behind this is that a string that cannot be further decoded will remain unchanged.

 

In JS charts, there is one more situation where upon detection of possible security risk in link, another level of encoding is done.

Share this post


Link to post
Share on other sites

Hi,

 

I have tested this out, there is extra encoding being done by the JS charts.  How can I turn that off?  I am encoding the strings myself to remove possible security links, so I don't want you all to do any extra encoding.  Please advise.

Share this post


Link to post
Share on other sites

Even if you encode your links, disabling this encoding exposes you to cross site scripting attack. As such there is no way to turn this off as a user configuration.

 

If you have the source files, you may modify XSS checking function within our link parser (only adviseable if you are running the charts within trusted intranet or closed private environment.)

 

Discussing this here is not a good idea too. I would still suggest you do a double decoding of the link as that should solve your problem.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now