Last week, an end user came to me with a bug she found in the largest of the software systems I develop at work. The bug was pretty major and to fix it the right way would mean re-designing. Re-designing software with a three person development team and a strict schedule just wouldn't fly for this particular bug.
The Problem
We have a standard format for search screens throughout the software. Each search screen has a set of fields and, using AJAX, the values entered for those fields get sent to a servlet that performs the actual search. When the results come back from the back end the servlet takes those results and iterates over each one. It then uses an Object called SearchResultFormatter. SearchResultFormatter has a set of methods that take parameters to build the HTML (and inline javascript) for the results. This Object provides an easy way to change the format of all search results from one place, not to mention it cleans up the servlets nicely.
For example, doing:
results.addManageValue("/apolo/crm/prepareSoHdr.do?soId=", so.getSoId(), EvalHelper.returnIfNotNull(so.getSoNo()));Would generate this code segment:
<td onclick="javascript:window.location='/apolo/crm/prepareSoHdr.do?soId=1221&mode=view';">S1221</td>This works nicely and because we generate the soNo on an SoHdr, it won't break either. Things get complicated though, in the case of this bug that cropped up, when we have
SearchResultFormatter methods that take additional parameters and string these parameters together to create a different onclick event, such as:
results.addLookupValue(caller, customerMaster.getFullName(), customerMaster.getCustomerId(), customerMaster.getFullName());Generating:
<td onclick="javascript:choose('customerMaster', 'Fairchild Controls Corp.', '1000');">Fairchild Controls Corp.</td>You may not see it here, but there is a pretty blatant bug. What if
customerMaster.getFullName() generates a String with a single quote "'"? Well, when you go and try and click on that td, it is going to break. The generated code may look like:
<td onclick="javascript:choose('customerMaster', 'Fairchild's Corp.', '1000');">Fairchild Controls Corp.</td>My initial idea was to simply pass that String through a function that replaced all ' with ' and all " with ":
<td onclick="javascript:choose('customerMaster', 'Fairchild's Corp.', '1000');">Fairchild Controls Corp.</td>Seems okay to me. Unfortunately, for some reason that I have to figure out, when this HTML gets sent back to the front end via an
XMLHttpRequest javascript Object and I pull the text out and place it inside the DOM, Mozilla seems to catch the ' and replace it with simple ', defeating all of my efforts.I was at a complete loss and decided rather than ripping apart the searching architecture because of this bug, I would work on something else for a day or two and see if I come up with something.
The Hack This morning, it hit me. If Firefox is really catching ' and replacing it with ', then what if I separate each character out into its own string in javascript and just concatenate all of the strings together to form a single string? My End result looks like this:
results.addLookupValue(caller, customerMaster.getFullName(), customerMaster.getCustomerId(), explode(customerMaster.getFullName()));<td onclick="javascript:choose('customerMaster', 'F'+'a'+'i'+'r'+'c'+'h'+'i'+'l'+'d'+'&'+'a'+'p'+'o'+'s'+';'+'s'+' '+'C'+'o'+'r'+'p'+'.','1000');">Fairchild Controls Corp.</td>It may be ugly, but it is a pretty neat hack for some production code that just can't be re-implemented right now.
