From 1e3ceb485eaf8c5055f4adea8fc553126c8fb440 Mon Sep 17 00:00:00 2001
From: Jon Dufresne
Date: Wed, 1 Jul 2020 10:46:28 +0200
Subject: [PATCH] Made JavaScript URL manipulation more robust with URL and URLSearchParams. Use the rich interface and native parsing provided by the browser rather than raw string manipulation. https://developer.mozilla.org/en-US/docs/Web/API/URL https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams
---
 .../admin/static/admin/js/admin/RelatedObjectLookups.js | 8 ++------
 django/contrib/admin/static/admin/js/cancel.js | 3 ++-
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js b/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
index 670d13b226..289e1cee26 100644
--- a/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
+++ b/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
@@ -7,13 +7,9 @@
 function showAdminPopup(triggeringLink, name_regexp, add_popup) {
 const name = triggeringLink.id.replace(name_regexp, '');
- let href = triggeringLink.href;
+ const href = new URL(triggeringLink.href);
 if (add_popup) {
- if (href.includes('?')) {
- href += '&_popup=1';
- } else {
- href += '?_popup=1';
- }
+ href.searchParams.set('_popup', 1);
 }
 const win = window.open(href, name, 'height=500,width=800,resizable=yes,scrollbars=yes');
 win.focus();
diff --git a/django/contrib/admin/static/admin/js/cancel.js b/django/contrib/admin/static/admin/js/cancel.js
index 68c2d6662f..3069c6f27b 100644
--- a/django/contrib/admin/static/admin/js/cancel.js
+++ b/django/contrib/admin/static/admin/js/cancel.js
@@ -14,7 +14,8 @@
 ready(function() {
 function handleClick(event) {
 event.preventDefault();
- if (window.location.search.includes('&_popup=1')) {
+ const params = new URLSearchParams(window.location.search);
+ if (params.has('_popup')) {
 window.close(); // Close the popup.
 } else {
 window.history.back(); // Otherwise, go back.
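Review bot: In showAdminPopup, `href` now holds a URL object and the new lines rely on two implicit coercions: `href.searchParams.set('_popup', 1)` passes a number, and the unchanged `window.open(href, name, ...)` call below receives the object instead of a string. Both work because the browser stringifies them, but spelling it out keeps the intent readable: `href.searchParams.set('_popup', '1');` and `window.open(href.toString(), name, ...)`, ideally with the variable renamed to `url`. Separately, `new URL(triggeringLink.href)` throws a TypeError when the element's `href` is empty, where the old concatenation did not. If a caller can pass a link without an href, that needs a guard or at least a comment. The function body continues past the end of the hunk.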
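Review bot: `params.has('_popup')` in handleClick accepts any value, so `?_popup=0` or a bare `?_popup` now takes the `window.close()` branch, although the opener in RelatedObjectLookups.js always sets the value `1`. If presence-only is intended (presumably to mirror how the server detects popup mode, which is not visible here), say so with a comment such as `// Any _popup value counts, matching the server-side check.`; otherwise compare the value with `if (params.get('_popup') === '1') {`. Browsers normally ignore `window.close()` on a window that was not opened by script, so on a page reached through an ordinary link carrying the parameter the Cancel button would do nothing. handleClick and the enclosing ready() callback end outside the hunk.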