if (action === MoveCopyAction.COPY || action === MoveCopyAction.MOVE_OR_COPY) {
buttons.push({
- label: target ? t('files', 'Copy to {target}', { target }) : t('files', 'Copy'),
+ label: target ? t('files', 'Copy to {target}', { target }, undefined, { escape: false, sanitize: false }) : t('files', 'Copy'),
type: 'primary',
icon: CopyIconSvg,
async callback(destination: Node[]) {
if (action === MoveCopyAction.MOVE || action === MoveCopyAction.MOVE_OR_COPY) {
buttons.push({
- label: target ? t('files', 'Move to {target}', { target }) : t('files', 'Move'),
+ label: target ? t('files', 'Move to {target}', { target }, undefined, { escape: false, sanitize: false }) : t('files', 'Move'),
type: action === MoveCopyAction.MOVE ? 'primary' : 'secondary',
icon: FolderMoveSvg,
async callback(destination: Node[]) {
cy.deleteUser(currentUser)
})
+
it('Can copy a file to new folder', () => {
// Prepare initial state
cy.uploadContent(currentUser, new Blob(), 'text/plain', '/original.txt')
getRowForFile('original.txt').should('be.visible')
getRowForFile('original (copy 2).txt').should('be.visible')
})
+
+ /** Test for https://github.com/nextcloud/server/issues/43329 */
+ context.only('escaping file and folder names', () => {
+ it('Can handle files with special characters', () => {
+ cy.uploadContent(currentUser, new Blob(), 'text/plain', '/original.txt')
+ .mkdir(currentUser, '/can\'t say')
+ cy.login(currentUser)
+ cy.visit('/apps/files')
+
+ copyFile('original.txt', 'can\'t say')
+
+ navigateToFolder('can\'t say')
+
+ cy.url().should('contain', 'dir=/can%27t%20say')
+ getRowForFile('original.txt').should('be.visible')
+ getRowForFile('can\'t say').should('not.exist')
+ })
+
+ /**
+ * If escape is set to false (required for test above) then "<a>foo" would result in "<a>foo</a>" if sanitizing is not disabled
+ * We should disable it as vue already escapes the text when using v-text
+ */
+ it('does not incorrectly sanitize file names', () => {
+ cy.uploadContent(currentUser, new Blob(), 'text/plain', '/original.txt')
+ .mkdir(currentUser, '/<a href="#">foo')
+ cy.login(currentUser)
+ cy.visit('/apps/files')
+
+ copyFile('original.txt', '<a href="#">foo')
+
+ navigateToFolder('<a href="#">foo')
+
+ cy.url().should('contain', 'dir=/%3Ca%20href%3D%22%23%22%3Efoo')
+ getRowForFile('original.txt').should('be.visible')
+ getRowForFile('<a href="#">foo').should('not.exist')
+ })
+ })
})