# HG changeset patch
# User Adrien Di Mascio
# Date 1256202425 -7200
# Node ID 2465ef6aef5f7ecc070a3728a90a19590a581cd8
# Parent 4e38bbb0ba8ced4915648a0825516fa7fc172b4c
[javascript] handle cases where vid parameter is hijacked by parameter-injection
diff -r 4e38bbb0ba8c -r 2465ef6aef5f web/data/cubicweb.ajax.js
--- a/web/data/cubicweb.ajax.js Thu Oct 22 11:02:50 2009 +0200
+++ b/web/data/cubicweb.ajax.js Thu Oct 22 11:07:05 2009 +0200
@@ -139,14 +139,29 @@ for(var i=0; i';
+ // if cubicweb:loadurl is set, just pick the url et send it to loadxhtml
+ var url = getNodeAttribute(fragment, 'cubicweb:loadurl');
+ if (url) {
+ jQuery(fragment).loadxhtml(url);
+ continue;
+ }
+ // else: rebuild full url by fetching cubicweb:rql, cubicweb:vid, etc.
 var rql = getNodeAttribute(fragment, 'cubicweb:rql');
- var vid = getNodeAttribute(fragment, 'cubicweb:vid');
+ var items = getNodeAttribute(fragment, 'cubicweb:vid').split('&');
+ var vid = items[0];
 var extraparams = {};
+ // case where vid='myvid¶m1=val1¶m2=val2': this is a deprecated abuse-case
+ if (items.length > 1) {
+ console.log("[3.5] you're using extraargs in cubicweb:vid attribute, this is deprecated, consider using loadurl instead");
+ for (var j=1; j