Properly escape special characters in fs/directory_listing. (#355)

2024-11-27 17:22:57 +01:00 · 2018-06-30 20:01:48 +08:00 · 2018-06-30 20:01:48 +08:00 · 0be5448597
commit 0be5448597
parent 0f27389e72
3 changed files with 10 additions and 3 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -57,6 +57,7 @@ base64 = "0.9"
 bitflags = "1.0"
 failure = "0.1.1"
 h2 = "0.1"
+htmlescape = "0.3"
 http = "^0.1.5"
 httparse = "1.2"
 log = "0.4"
--- a/src/fs.rs
+++ b/src/fs.rs
@ -15,6 +15,8 @@ use futures::{Async, Future, Poll, Stream};
 use futures_cpupool::{CpuFuture, CpuPool};
 use mime;
 use mime_guess::{get_mime_type, guess_mime_type};
+use percent_encoding::{utf8_percent_encode, DEFAULT_ENCODE_SET};
+use htmlescape::encode_minimal as escape_html_entity;

 use error::Error;
 use handler::{AsyncResult, Handler, Responder, RouteHandler, WrapHandler};
@ -505,7 +507,10 @@ fn directory_listing<S>(
                Err(_) => continue,
            };
            // show file url as relative to static path
-            let file_url = format!("{}", p.to_string_lossy());
+            let file_url = utf8_percent_encode(&p.to_string_lossy(), DEFAULT_ENCODE_SET)
+                .to_string();
+            // " -- &quot;  & -- &amp;  ' -- &#x27;  < -- &lt;  > -- &gt;
+            let file_name = escape_html_entity(&entry.file_name().to_string_lossy());

            // if file is a directory, add '/' to the end of the name
            if let Ok(metadata) = entry.metadata() {
@ -514,14 +519,14 @@ fn directory_listing<S>(
                        body,
                        "<li><a href=\"{}\">{}/</a></li>",
                        file_url,
-                        entry.file_name().to_string_lossy()
+                        file_name
                    );
                } else {
                    let _ = write!(
                        body,
                        "<li><a href=\"{}\">{}</a></li>",
                        file_url,
-                        entry.file_name().to_string_lossy()
+                        file_name
                    );
                }
            } else {
--- a/src/lib.rs
+++ b/src/lib.rs
@ -103,6 +103,7 @@ extern crate lazy_static;
 extern crate futures;
 extern crate cookie;
 extern crate futures_cpupool;
+extern crate htmlescape;
 extern crate http as modhttp;
 extern crate httparse;
 extern crate language_tags;