-rw-r--r--src/loader/ftp.nim19
-rw-r--r--src/utils/twtstr.nim17
2 files changed, 28 insertions, 8 deletions
diff --git a/src/loader/ftp.nim b/src/loader/ftp.nim
index c9ddcf13..84693cb3 100644
--- a/src/loader/ftp.nim
+++ b/src/loader/ftp.nim
@@ -56,7 +56,7 @@ proc curlWriteHeader(p: cstring, size: csize_t, nitems: csize_t,
 <TITLE>""" & op.path & """</TITLE>
 </HEAD>
 <BODY>
-<H1>Index of """ & op.path & """</H1>
+<H1>Index of """ & htmlEscape(op.path) & """</H1>
 <PRE>
 <A HREF="..">
 [Upper Directory]</A>"""):
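Review bot: The `<TITLE>` context line at the top of this hunk still concatenates `op.path` unescaped, so the path that is now escaped in the `<H1>` can still inject markup through the title element. The same call should be applied there: `<TITLE>""" & htmlEscape(op.path) & """</TITLE>`. The string literal and curlWriteHeader both start outside the hunk, so any earlier use of `op.path` in the same page header should be checked as well.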
@@ -76,7 +76,7 @@ proc curlWriteHeader(p: cstring, size: csize_t, nitems: csize_t,
 <HEAD>
 <TITLE>Unauthorized</TITLE>
 </HEAD>
-<BODY><PRE>""" & line)
+<BODY><PRE>""" & htmlEscape(line))
       return 0
   return nitems
 
@@ -136,17 +136,20 @@ proc finish(op: CurlHandle) =
       let linki = name.find(x)
       let linkfrom = name.substr(0, linki - 1)
       let linkto = name.substr(linki + 4) # you?
+      let path = percentEncode(linkfrom, PathPercentEncodeSet)
       discard op.handle.sendData("""
-<A HREF="""" & linkfrom & """"">
-""" & name & """@ (-> """ & linkto & """)</A>""")
+<A HREF="""" & path & """"">
+""" & htmlEscape(linkfrom) & """@ (-> """ & htmlEscape(linkto) & """)</A>""")
     of 'd': # directory
+      let path = percentEncode(name, PathPercentEncodeSet)
       discard op.handle.sendData("""
-<A HREF="""" & name & """/">
-""" & name & """/</A>""")
+<A HREF="""" & path & """/">
+""" & htmlEscape(name) & """/</A>""")
     else: # file
+      let path = percentEncode(name, PathPercentEncodeSet)
       discard op.handle.sendData("""
-<A HREF="""" & name & """">
-""" & name & """ (""" & $nsize & """)</A>""")
+<A HREF="""" & path & """">
+""" & htmlEscape(name) & """ (""" & $nsize & """)</A>""")
   discard op.handle.sendData("""
 </PRE>
 </BODY>
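Review bot: The new `path` values are placed inside `HREF="..."` after percent-encoding only, so the attribute stays well-formed only if `PathPercentEncodeSet` (defined outside this diff) covers `"`, and a name containing `&` could still be read as a character reference. Wrapping the result, `let path = htmlEscape(percentEncode(name, PathPercentEncodeSet))`, makes the attribute safe regardless of what the set contains. If the set does not include `%`, a file name with a literal `%41`-style sequence would presumably link to a different name after decoding; that is worth confirming. The symlink branch also appears to keep a stray quote after the attribute (`""""">` emits `"">`), unlike the directory and file branches. finish's body starts and ends outside the hunk.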
diff --git a/src/utils/twtstr.nim b/src/utils/twtstr.nim
index 7589c262..64f66f88 100644
--- a/src/utils/twtstr.nim
+++ b/src/utils/twtstr.nim
@@ -546,6 +546,23 @@ func percentDecode*(input: string, si = 0): string =
         i += 2
     inc i
 
+func htmlEscape*(s: string): string =
+  var res = ""
+  for c in s:
+    if c == '<':
+      res &= "&lt;"
+    elif c == '>':
+      res &= "&gt;"
+    elif c == '&':
+      res &= "&amp;"
+    elif c == '"':
+      res &= "&quot;"
+    elif c == '\'':
+      res &= "&apos;"
+    else:
+      res &= c
+  return res
+
 #basically std join but with char
 func join*(ss: openarray[string], sep: char): string =
   if ss.len == 0:
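Review bot: `htmlEscape` is exported without a doc comment saying which output contexts it is meant for. It replaces `<`, `>`, `&`, `"` and `'`, which is enough for element text and quoted attribute values but not for unquoted attributes, URLs or script content; I would add `## Escapes <, >, &, " and ' for HTML text and quoted attribute values only.` as its first line. As a style point, a `case c` statement appending to the implicit `result` is the more usual Nim form than an `if`/`elif` chain with a local `res` and a final `return`.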