10

I have a page that is supposed to display a larger version of an image when hovered over a thumbnail.

I have a 'div' with an ID and the JQuery code is as following:

$(document).ready(function(){

  $('img').hover(function() {

    var src = $("#im" + this.id).attr("src");
    $('#viewlarge').css('backgroundImage','url(' + src +')'); 
    return false;
  });

});

The images I use, are generated by a Ruby script that "generate" an image with a similar, yet different id. However, sometimes, photo's are uploaded that have "spaces" inside. My developer tools tell me that the background-image is not set correctly, yet the image path is correct and the browser don't have problems finding the image.

My question is, can I somehow sanitize the url 'src', so spaces won't be a problem? I am aware of doing this server side, yet I would like to know how to do this with JQuery/JS too.

Thanks!

Shyam
  • 2,357
  • 8
  • 32
  • 44
  • I would not allow images with spaces in their file names to be uploaded - doesn't seem good practice to me. – matpol May 18 '10 at 10:22

5 Answers5

20

Spaces are not valid in a URI. They need to be encoded to %20.

You could src.replace(/ /g, '%20'), or more generally, encodeURI(src) to %-encode all characters that aren't valid in a URI. encodeURIComponent(src) is more common, but it would only work if the src was just a single relative filename; otherwise, it'd encode / and stop paths working.

However, the real problem is that the original img src is already broken and only working thanks to browser fixups correcting your error. You need to fix the Ruby script generating the page. You should be URL-encoding the filename before including it in the path; there are many more characters that can cause you problems than just space.

As Pekka said, you should also use quotes around the URL in the url(...) value. Whilst you can get away without them for many URLs, some characters would have to be \-escaped. Using double-quotes mean you can avoid that (no double-quotes can appear in a URL itself).

bobince
  • 528,062
  • 107
  • 651
  • 834
9

Adding quotes around the URL should help:

  $('#viewlarge').css('backgroundImage','url("' + src +'")');

however, according to the W3C specs, white space must be escaped, so the URL encoding solution provided by @Andy E's head @bobince is the safest one.

Pekka
  • 442,112
  • 142
  • 972
  • 1,088
  • That would only help if the variable contained brackets. The question indicates that spaces are the problem. – Quentin May 18 '10 at 10:21
  • +1 - I was going to add this suggestion to [my answer](http://stackoverflow.com/questions/2856294/css-and-jquery-spaces-inside-image-name-break-code-of-url/2856309#2856309) until I saw you'd posted it. – Andy E May 18 '10 at 10:23
  • @David - http://stackoverflow.com/questions/2168855/css-url-whats-better Please read the spec before down-voting, you are incorrect: http://www.w3.org/TR/CSS2/syndata.html#value-def-uri – Nick Craver May 18 '10 at 10:30
  • And after poking at test cases, my vote is locked and I can't remove it. How annoying. It's a fairly weird bit of the spec which copes with broken URIs in an illogical way, but it turns out that it is right. Goes to show that there is always something new to learn. Of course, the "right" solution is still to fix the URI. – Quentin May 18 '10 at 10:33
  • 1
    @David I edited my question. I agree though that the URI ultimately needs to be encoded, as Andy E and bobince point out. – Pekka May 18 '10 at 10:38
4
  • Firstly, why are you letting clients determine the name of your images?
  • Secondly, why aren't you sanitizing them?
  • Thirdly, i suspect you aren't urlencoding the urls when you write them to the html (which would turn a space into a %20)
Andrew Bullock
  • 36,616
  • 34
  • 155
  • 231
  • 1. Because they have a freaking scary big database with filepaths. Let's call this a migration issue. 2. I will, I am still developing the replacement app. 3. I am a n00b, what else can I add ;) – Shyam May 18 '10 at 10:26
  • cool, what site is it? i'll upload a file with a malformed name and inject javascript into your page and steal your users logins, takover a session and hijack an account, destroy some data and otherwise cause your business epic pain and expense. woo! – Andrew Bullock May 18 '10 at 10:32
  • 1
    You can make a point without being sarcastic. My apologies I wasn't born with a 500lbs security manual. Notice also the last sentence of my question. I thank you for highlighting the security issue, I am a bit less thankful for the hostile reply. – Shyam May 18 '10 at 10:40
  • apologies i didnt mean it in a hostile manner, i was being jovial ;) – Andrew Bullock May 18 '10 at 10:43
  • No problem, I am also asking this because I love JQuery, but I like to minimize the amount of 'plugins' that take care of these matters. Also, I think it is a good practice to learn how to sanitize with JavaScript too. In the Ruby language, it is normal to consider any data to be tainted that come from an external source. – Shyam May 18 '10 at 10:52
0

Use Javascript encode function to encode your 'src'

E.g.

$('#viewlarge').css('backgroundImage','url(' + encode(src) +')');

I think you can also use Javascript 'escape' function as well

$('#viewlarge').css('backgroundImage','url(' + escape(src) +')');
Julius A
  • 38,062
  • 26
  • 74
  • 96
0

I know you've already selected your answer, but I want to improve Pekka's solution and provide the most feasible solution because I ran into another problem while it's handling a file name with brackets.

$("#viewlarge").css("background",'url(' + "'" + url+ "'" + ')');

I hope it helps !

dubucha
  • 1,027
  • 10
  • 16