From f767085eb63de8012876cb2ebafa038a4b1d882e Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Thu, 13 Feb 2020 08:51:14 +0100
Subject: [PATCH] WebServer: Escape HTML entities in path names in directory listings

I left a FIXME in here about implementing URL encoding.
---
 Servers/WebServer/Client.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Servers/WebServer/Client.cpp b/Servers/WebServer/Client.cpp
index 4f81e7985b..c399abcac6 100644
--- a/Servers/WebServer/Client.cpp
+++ b/Servers/WebServer/Client.cpp
@@ -132,11 +132,11 @@ void Client::handle_directory_listing(const String& requested_path, const String
 builder.append("\n");
 builder.append("\n");
 builder.append("Index of ");
- builder.append(requested_path);
+ builder.append(escape_html_entities(requested_path));
 builder.append("\n");
 builder.append("\n");
 builder.append("Index of ");
- builder.append(requested_path);
+ builder.append(escape_html_entities(requested_path));
 builder.append("\n");
 builder.append("\n");
 builder.append("\n");
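Review bot: `escape_html_entities(requested_path)` is now written out at both places where the path follows `Index of `, so a later edit to either one can reintroduce the raw path without the other changing. Escaping once into a local, `auto escaped_path = escape_html_entities(requested_path);`, and appending that at both sinks keeps them in step. A one-line comment above it such as `// requested_path is presumably request-derived; never append it to the page unescaped` would record why the call is there. Which characters the helper covers is not visible in this hunk, and the function's start and end lie outside it.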
@@ -145,9 +145,10 @@ void Client::handle_directory_listing(const String& requested_path, const String
     while (dt.has_next()) {
         auto name = dt.next_path();
         builder.append("");
-        builder.append(name);
+        builder.append(escape_html_entities(name));
         builder.append("");
         for (size_t i = 0; i < (40 - name.length()); ++i)
             builder.append(' ');
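Review bot: The padding loop on the last two lines of this hunk evaluates `40 - name.length()` with unsigned operands (the counter is `size_t`), so an entry name longer than 40 characters wraps the bound to a huge value and the loop appends spaces until the process runs out of memory; `for (size_t i = name.length(); i < 40; ++i)` pads the same way without the subtraction. Separately, the line that opens the link is not legible in this copy of the hunk, but the description says only a FIXME was left for URL encoding. If `name` is still appended unencoded inside the link's attribute value, a file name containing a double quote can end the attribute early, so until percent-encoding exists it should at least pass through an escaper that is confirmed to cover quotes. The while loop and the enclosing function continue outside the hunk.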