//Moved all functions to the top of the file so that the inline code is not mixed in
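/**
 * Report whether any decoded query-string entry equals t.
 *
 * Reads the page-level `qva` array. In the visible code `qva` is only
 * assigned inside secureFunction(), so it does not exist when the query
 * string was rejected; that case is reported as "not present" rather than
 * raising a ReferenceError.
 *
 * @param {string} t - entry to look for (a whole "name=value" item).
 * @returns {boolean} true when an entry matches, false otherwise.
 */
function is(t)
{
	if (typeof qva === 'undefined' || !qva)
		return false;
	// The counter is declared locally: the original assigned an undeclared `i`,
	// which leaked a page-wide global shared with tv() and fails in strict mode.
	for (var i = 0; i < qva.length; i++) {
		// Loose comparison kept so existing callers see the same matches.
		if (qva[i] == t)
			return true;
	}
	return false;
}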

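/**
 * Look up the value of the first "name=value" entry in `a` whose name is `t`.
 *
 * Everything after the first '=' is the value, so values may contain '='.
 * An entry with no '=' has an empty name and the whole entry as its value.
 *
 * @param {string[]} a - entries such as the split query string or cookie list.
 * @param {string} t - name to look up.
 * @returns {string} the matching value, or '' when no entry matches.
 */
function tv(a,t)
{
	// The counter is declared locally: the original assigned an undeclared `i`,
	// which leaked a page-wide global shared with is() and fails in strict mode.
	for (var i = 0; i < a.length; i++) {
		var entry = a[i];
		var eq = entry.indexOf('=');
		// Loose comparison kept so existing callers see the same matches.
		if (entry.substring(0, eq) == t) {
			return entry.substring(eq + 1);
		}
	}
	return '';
}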

/**
 * Replace the current page with `u`, appending the BVE, BVP and BVC
 * breadcrumb values as query parameters.
 *
 * When `signin` is truthy the page-level BVE is switched from 'http:' to
 * 'https:' and BVP from 'cgi-bin' to 'signin' first; both globals stay
 * changed after the call.
 *
 * NOTE(review): `u` is used as the navigation target exactly as passed and
 * the appended values are not URL-encoded; callers are presumably expected
 * to pass a trusted, same-site URL that already has a query string. Confirm.
 *
 * @param {string} u - destination URL.
 * @param {*} signin - truthy to target the HTTPS sign-in path.
 */
function btredir(u,signin) {
	var goingToSignin = signin ? true : false;
	if (goingToSignin) {
		// First occurrence only, as String.replace with a string pattern does.
		BVE = BVE.replace('http:', 'https:');
		BVP = BVP.replace('cgi-bin', 'signin');
	}
	var breadcrumbQuery = '&BVE=' + BVE + '&BVP=' + BVP + '&' + BVC;
	// location.replace() leaves no history entry for the page being left.
	location.replace(u + breadcrumbQuery);
}
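/**
 * Check a redirect origin taken from the BVE or _j (JFP) parameter against
 * the allowed hosts.
 *
 * The value must (1) have the shape scheme://host with a .com/.org/.net
 * suffix, or http(s)://localhost:NNNN, and (2) end in one of the allowed
 * domains. On failure the default cookie value is appended to the page-level
 * `s`, the browser is sent to the spoof intercept page, and nothing is
 * returned.
 *
 * @param {string} d - origin to check; '' and '.' are passed through unchecked.
 * @returns {string|undefined} `d` unchanged when accepted, undefined when rejected.
 */
function validateDomain(d){
	if (d == '' || d == '.') {
		return d;
	}

	// Shape check. The candidate is lower-cased below, so the upper-case
	// alternatives the original listed could never match and are dropped.
	var URL_SHAPE = /^https?:\/\/[a-z0-9]+([a-z0-9\-.]+)?\.(com|org|net)$|^https?:\/\/localhost:[0-9]{4}$/;

	// Allowed host suffixes. Every dot is escaped: the original left the dots
	// inside the domain names bare, where '.' matches any character, so names
	// that only resemble an allowed domain could pass.
	// The bare //localhost and the :NNNN variant of citicorp.com are kept from
	// the original list although URL_SHAPE already excludes them.
	// NOTE(review): the localhost entries look like a development convenience;
	// confirm they are wanted on production pages.
	var ALLOWED_HOST = /\/\/localhost:[0-9]{4}$|\/\/localhost$|\.citicorp\.com$|\.citicorp\.com:[0-9]{4}$|\.citigroup\.net$|\.citibankonlineqa\.com$|\.citibank\.com$|\.citi\.com$|\.nam\.nsroot\.net$/;

	// NOTE(review): the checks run on the decoded, lower-cased form, but the
	// raw `d` is what gets returned and stored. Callers should not decode the
	// returned value again before using it.
	var candidate = unescape(d).toLowerCase();
	if (!URL_SHAPE.test(candidate) || !ALLOWED_HOST.test(candidate)) {
		s = s + '|||||||||||||';
		location.href = '/domain/spoof/intercept.htm';
		return;
	}
	return d;
}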

//refactored the function so that we can control the execution of the JavaScript.
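/**
 * Build the CbolBreadcrumb cookie string in the page-level `s`.
 *
 * Each of the 14 breadcrumb fields is taken from the query string if present,
 * otherwise from the existing CbolBreadcrumb cookie, otherwise from the page
 * default. The merged values are also written back to the page-level
 * variables (BVE, BVP, BVU, ...). The caller writes `s` to document.cookie.
 *
 * If the BVE or _j origin fails validateDomain() the function stops at once:
 * validateDomain() has already put the default value in `s` and started the
 * redirect to the intercept page. The original ignored the BVE result and
 * then rebuilt `s`, so a rejected origin was still stored in the cookie.
 *
 * BVE and JFPDOMAIN are not declared in the visible part of this file;
 * presumably another script defines them. Confirm.
 */
function secureFunction(){
	// Query parameter for each breadcrumb field, in cookie order.
	var FIELD_PARAMS = ['BVE','BVP','_u','BV_UseBVCookie','_profile','_products','_m','_uid','_cn','_j','_jfp','_ll','_mid','_dta'];
	var EMPTY_CRUMB = '|||||||||||||';
	var k;

	// qva stays a page-level name because is() reads it.
	qs = unescape(location.search);
	qva = qs.substring(1, qs.length).split('&');
	for (k = 0; k < qva.length; k++) { qva[k] = unescape(qva[k]); }

	// Values supplied on the query string.
	var qv = new Array(FIELD_PARAMS.length);
	for (k = 0; k < FIELD_PARAMS.length; k++) { qv[k] = tv(qva, FIELD_PARAMS[k]); }
	if (qv[3]) qv[3] = 'BV_UseBVCookie=' + qv[3];
	qv[6] = qv[6] || 0;

	// Origins are stored with '@' in place of ':'; validate the real form.
	if (validateDomain(qv[0].replace(/@/g, ':')) === undefined) return;
	qv[9] = validateDomain(qv[9].replace(/@/g, ':'));
	if (qv[9] === undefined) return;

	// Values remembered in the cookie, unless the caller asked to clear them.
	var cs;
	if (tv(qva, '_clearcookie') == 'yes') {
		cs = EMPTY_CRUMB;
	} else {
		cs = tv(document.cookie.split('; '), 'CbolBreadcrumb') || EMPTY_CRUMB;
	}
	var cv = cs.split('|');
	// NOTE(review): origins read back from the cookie (fields 0 and 9) are not
	// passed through validateDomain(); only query-string values are. Consider
	// validating them too once the format of the default BVE is confirmed.

	// Query-string values override cookie values.
	for (k = 0; k < FIELD_PARAMS.length; k++) {
		// Loose test kept: it also skips the numeric 0 default of _m.
		if (qv[k] == '') continue;
		// '|' separates the cookie fields and only BVC (field 3) is escaped
		// when written, so a value containing '|' would shift every later
		// field on the next read. Such a value is ignored.
		if (k !== 3 && String(qv[k]).indexOf('|') !== -1) continue;
		cv[k] = qv[k];
	}

	BVE = cv[0] || BVE;
	BVE = BVE.replace(/@/g, ':');
	BVP = cv[1] || BVP;
	BVU = cv[2] || BVU;
	// unescape(undefined) is the string 'undefined', so a cookie with fewer
	// than four fields must fall back to the default explicitly.
	BVC = cv[3] ? unescape(cv[3]) : BVC;
	PROFILE = cv[4] || PROFILE;
	PRODUCTS = cv[5] || PRODUCTS;
	MESSAGES = cv[6] || MESSAGES;
	USERNAME = cv[7] || USERNAME;
	CITINAVIGATORDATA = cv[8] || CITINAVIGATORDATA;
	JFPDOMAIN = cv[9] || JFPDOMAIN;
	JFPDOMAIN = JFPDOMAIN.replace(/@/g, ':');
	JFPMIGRATEDUSER = cv[10] || JFPMIGRATEDUSER;
	LASTLOGIN = cv[11] || LASTLOGIN;
	MASTERID = cv[12] || MASTERID;
	DATEACTIVATED = cv[13] || DATEACTIVATED;
	JP = BVP.replace('scripts', 'portal');

	// The original computed a 30-day expiry here but never appended it, so
	// the cookie has always been a session cookie. The unused computation is
	// removed and the cookie lifetime is unchanged.
	s = 'CbolBreadcrumb=' + BVE.replace(/\:/g, '@') + '|' + BVP + '|' + BVU + '|' + escape(BVC) + '|' + PROFILE + '|' + PRODUCTS + '|' + MESSAGES + '|' + USERNAME + '|' + CITINAVIGATORDATA + '|' + JFPDOMAIN.replace(/\:/g, '@') + '|' + JFPMIGRATEDUSER + '|' + LASTLOGIN + '|' + MASTERID + '|' + DATEACTIVATED + '; path=/';
}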

// Page-level defaults for the breadcrumb fields, followed by the inline code
// that screens the query string and writes the CbolBreadcrumb cookie.
// Every name here is a page-level variable read or written by the functions above.

// 's' holds the cookie string written on the last line; secureFunction()
// replaces it and validateDomain() appends the default field list to it.
var s='CbolBreadcrumb=';
var BVP = '/cgi-bin/citifi/scripts/';
var BVC = 'M_M=S';
var BVU = 'visitor';
var MESSAGES = 0;
var USERNAME = '';
var CITINAVIGATORDATA = '';
var JFPWEBAPPCONTEXT = '/US';
var JFPMIGRATEDUSER = '';
var LASTLOGIN = '';
var MASTERID = '';
var DATEACTIVATED = '';
var PRODUCTS = 'NNNNNNNNNNNNNNNNN';
var PROFILE =	 'NNNNNNNNNNNNN';
// The two lines below appear to be a column ruler (positions 0-16) for the flag strings above.
//                        1111111
//              01234567890123456
var _copy = new Date().getFullYear();
var qs='';
// Characters that cause the whole query string to be rejected. The test runs
// on the query string after one round of decoding.
// NOTE(review): '|' separates the cookie fields but is not in this set;
// confirm that values containing it are handled where the cookie is built.
var u = /[<>"';%]/;
var r = u.test(unescape(location.search));

// If a rejected character is found, keep the default cookie value and send
// the browser to the intercept page.
if (r) {
  s=s+'|||||||||||||';
  location.href = '/domain/spoof/intercept.htm';
}// Otherwise build the cookie from the query string, the existing cookie and the defaults.
else{
  // secureFunction() replaces 's' with the merged breadcrumb values
  secureFunction()
}
// Runs on both paths. On the rejection path 's' carries no path attribute.
// NOTE(review): no Secure or SameSite attribute is set, and the cookie can
// carry USERNAME and MASTERID; confirm this is acceptable for the pages that
// load this script.
document.cookie=s;
