// Copyright (C) 2006 Cognos Incorporated. All rights reserved.
// Cognos (R) is a trademark of Cognos Incorporated.

// Lowercase hexadecimal digit table. The encoders below index it with
// charAt(n) to turn a nibble value (0-15) into its hex digit.
var CAF_HEX_CHARS = "0123456789abcdef";

// Encodes the passed getData string so that it can be used safely with third party tools
// that check for specific characters in GET requests.
// Requires global variables caf_tpXSSCheckingUsed and caf_tpXSSChars
// to be set externally by CAF getJavascriptConfig (usually using XTS).
//
// Output format: "XSSSTART" + encoded data + "XSSEND", where
//   '%'  becomes '*'
//   '*'  becomes "_2a"
//   '_'  becomes "_5f"
//   any character listed in caf_tpXSSChars becomes '_' + two lowercase hex digits
//   every other character is copied unchanged.
//
// Fails open: if either global is undefined, or caf_tpXSSCheckingUsed is falsy,
// getData is returned exactly as passed (not even converted to a string).
//
// NOTE(review): this is a transport encoding for the request. Presumably the
// receiving side decodes it back to the original text, so the value still needs
// context-appropriate output encoding wherever it is rendered - confirm.
function CAFXSSEncode(getData) {
	var configPresent = typeof caf_tpXSSCheckingUsed != "undefined" &&
			typeof caf_tpXSSChars != "undefined";
	if (!configPresent || !caf_tpXSSCheckingUsed) {
		return getData;
	}

	var input = "" + getData; // ensure param is string
	var pieces = ["XSSSTART"];

	for (var pos = 0; pos < input.length; pos++) {
		var ch = input.charAt(pos);
		switch (ch) {
		case '%':
			pieces.push('*');
			break;
		case '*':
			// '*' now stands for '%', so a literal '*' has to be escaped.
			pieces.push("_2a");
			break;
		case '_':
			// '_' is the escape introducer, so a literal '_' has to be escaped.
			pieces.push("_5f");
			break;
		default:
			// Linear scan of the configured character list.
			var flagged = false;
			var k = 0;
			while (!flagged && k < caf_tpXSSChars.length) {
				flagged = (ch == caf_tpXSSChars.charAt(k));
				k++;
			}
			if (flagged) {
				// NOTE(review): for code units above 0xff the high index falls
				// outside CAF_HEX_CHARS and charAt returns "", so only one digit
				// is emitted - confirm caf_tpXSSChars holds single-byte characters.
				var code = ch.charCodeAt(0);
				var high = Math.floor(code / 16);
				var low = code % 16;
				pieces.push('_' + CAF_HEX_CHARS.charAt(high) + CAF_HEX_CHARS.charAt(low));
			} else {
				pieces.push(ch);
			}
		}
	}

	pieces.push("XSSEND");
	return pieces.join("");
}

// CAFXSSEncode utility function that accepts full URLs.
// Extracts the GET data from the passed url, gets its encoded value from
// CAFXSSEncode, and returns the modified URL as a string.
//
// Only a url that splits into exactly two parts on "?" is rewritten. A url with
// no "?" or with more than one "?" is returned (as a string) without encoding.
// NOTE(review): a "?" inside the query data therefore skips the encoding
// entirely - confirm callers never pass such URLs.
function CAFXSSEncodeURL(url) {
	var text = "" + url; // ensure param is string
	var parts = text.split("?");
	if (parts.length != 2) {
		return text;
	}
	// parts[0] is host + path, parts[1] is the GET data.
	return parts[0] + "?" + CAFXSSEncode(parts[1]);
}

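// Series 7 XSS encode for URLs.
// Requires global variables caf_tpXSSCheckingUsed and caf_tpXSSChars to be set.
//
// For a url that splits into exactly two parts on "?", the GET data is replaced
// by "AFDATA" + encoded data, where
//   '%'  becomes "_25"
//   '_'  becomes "_5f"
//   any character listed in caf_tpXSSChars becomes '_' + two lowercase hex digits
//   every other character is copied unchanged.
//
// Fails open: if either global is undefined, or caf_tpXSSCheckingUsed is falsy,
// url is returned exactly as passed. A url with no "?" or with more than one "?"
// is returned (as a string) without encoding.
// NOTE(review): a "?" inside the query data therefore skips the encoding
// entirely - confirm callers never pass such URLs.
function CAFS7XSSEncodeURL(url) {
	if (typeof caf_tpXSSCheckingUsed == "undefined" || typeof caf_tpXSSChars == "undefined" ||
			!caf_tpXSSCheckingUsed) {
		return url;
	}
	var str = "" + url; // ensure param is string
	var array = str.split("?");
	if (array.length == 2) {
		var hostPath = array[0];
		var getData = array[1];
		var qs = "AFDATA";
		// Declared locally: assigning these without var created implicit globals
		// (and throws a ReferenceError in strict mode).
		var c = '';
		var j = 0;
		var h1 = 0;
		var h2 = 0;
		var isXSSChar = false;
		for (var i = 0; i < getData.length; i++) {
			c = getData.charAt(i);
			if (c == '%') {
				qs += '_25';
			} else if (c == '_') {
				// '_' is the escape introducer, so a literal '_' has to be escaped.
				qs += "_5f";
			} else {
				// Linear scan of the configured character list.
				isXSSChar = false;
				for (j = 0; j < caf_tpXSSChars.length; ++j) {
					if (c == caf_tpXSSChars.charAt(j)) {
						isXSSChar = true;
						break;
					}
				}
				if (isXSSChar) {
					// NOTE(review): for code units above 0xff, h1 falls outside
					// CAF_HEX_CHARS and charAt returns "", so only one digit is
					// emitted - confirm caf_tpXSSChars holds single-byte characters.
					qs += '_';
					h1 = Math.floor(c.charCodeAt(0) / 16);
					h2 = c.charCodeAt(0) - h1 * 16;
					qs += CAF_HEX_CHARS.charAt(h1);
					qs += CAF_HEX_CHARS.charAt(h2);
				} else {
					qs += c;
				}
			}
		}
		str = hostPath + "?" + qs;
	}
	return str;
}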

// Checks str against a fixed, case-insensitive list of markup and script tokens:
// form/script/object tags (opening or closing), embed/applet/meta/iframe/frameset
// opening tags, the words onevent, onsubmit, onload, onmouse and javascript, and
// "expression(".
// Returns the first matching text as it appears in str, or null when nothing matches.
//
// The on* names are anchored with \b on both sides, so only those exact words
// match; a longer attribute name that merely starts with one of them does not.
// NOTE(review): this is a denylist, so treat it as a coarse input check only.
// Values that pass it still need context-appropriate output encoding where they
// are rendered.
function CAFContainsInvalidString(str) {
	var denyPattern = new RegExp("(</?form\\b|</?script\\b|<embed\\b|</?object\\b|<applet\\b|<meta\\b|\\bonevent\\b|\\bonsubmit\\b|\\bonload\\b|\\bonmouse\\b|<iframe\\b|<frameset\\b|\\bjavascript\\b|\\bexpression\\()", "i");
	var hit = denyPattern.exec(str);
	return (hit != null) ? hit[1] : null;
}
