From 8c661ca1aed02253cddd10e59c00ceaa2b364836 Mon Sep 17 00:00:00 2001
From: Zlatin Balevsky
Date: Sat, 7 Dec 2019 12:59:43 +0000
Subject: [PATCH] unescape file names, this fixes unsharing of files with html characters
---
 .../src/main/java/com/muwire/webui/FilesServlet.java | 2 +-
 webui/src/main/java/com/muwire/webui/Util.java | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/webui/src/main/java/com/muwire/webui/FilesServlet.java b/webui/src/main/java/com/muwire/webui/FilesServlet.java
index 7ce3574e..3fd3ca73 100644
--- a/webui/src/main/java/com/muwire/webui/FilesServlet.java
+++ b/webui/src/main/java/com/muwire/webui/FilesServlet.java
@@ -110,7 +110,7 @@ public class FilesServlet extends HttpServlet {
 String pathElements = req.getParameter("path");
 File current = null;
 for (String element : pathElements.split(",")) {
- element = Base64.decodeToString(element);
+ element = Util.unescapeHTMLinXML(Base64.decodeToString(element));
 if (current == null)
 current = new File(element);
 else
diff --git a/webui/src/main/java/com/muwire/webui/Util.java b/webui/src/main/java/com/muwire/webui/Util.java
index bfad54f3..4cfd1122 100644
--- a/webui/src/main/java/com/muwire/webui/Util.java
+++ b/webui/src/main/java/com/muwire/webui/Util.java
@@ -4,6 +4,8 @@ public class Util {
 private static final String escapeChars[] = {"&", "\"", "<", ">", "'"};
 private static final String escapeCodes[] = {"&amp;", "&quot;", "&lt;", "&gt;", "&apos;"};
+
+ private static final String escapedCodes[] = {"&", """, "<", ">", "'"};
 /**
 * Double-Escape an HTML string for inclusion in XML
@@ -18,4 +20,13 @@ public class Util {
 }
 return escaped;
 }
+
+ public static String unescapeHTMLinXML(String escaped) {
+ if (escaped == null) return null;
+ String unescaped = escaped;
+ for (int i = 0; i < escapedCodes.length; i++) {
+ unescaped = unescaped.replace(escapedCodes[i], escapeChars[i]);
+ }
+ return unescaped;
+ }
 }
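Review bot: The `path` request parameter still flows from `req.getParameter("path")` through `split`, Base64 decoding and now unescaping straight into `new File(element)`, with no null check and no validation of the decoded elements. A request without `path` throws a NullPointerException at `pathElements.split(",")`, and an element such as `..` or an absolute path lets the caller name any location on disk. The rest of the loop and the later use of `current` are outside the hunk, so it may be matched against the shared-file index further down; if it is not, guard first with `if (pathElements == null || pathElements.isEmpty())` and a 400 response, and require the canonical form of `current` to be a currently shared file before unsharing. Unescaping on the server also rewrites names that legitimately contain entity text such as `&amp;`, so those files would no longer resolve.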
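Review bot: `escapedCodes` differs from the existing `escapeCodes` by a single letter and carries no comment, although the new `unescapeHTMLinXML` loop depends on it staying index-aligned with `escapeChars`. A name that states the escaping level, plus a comment such as `// entities expected in decoded request values; must stay index-aligned with escapeChars`, would keep the two tables from being mixed up. On this page the literal appears with its entities already decoded, so the exact values should be checked against the repository.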
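Review bot: The loop in `unescapeHTMLinXML` replaces index 0 first, and index 0 is the ampersand, so the result of that replacement is scanned again by the later entries. Assuming `escapedCodes` holds the single-escaped entities in the order of `escapeChars`, a name containing the literal text `&amp;lt;` comes back as `<` instead of `&lt;`, and the unshare lookup then targets a different name. Restoring the ampersand last avoids the double decode: `for (int i = escapedCodes.length - 1; i >= 0; i--)`. The method also has no Javadoc while the escape method above it does; one line stating that it reverses a single level of escaping and returns null for null input would match.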