From 1042733634622b234beb52e24505d56a9883b4eb Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Fri, 10 Jan 2014 15:02:26 +0100 Subject: [PATCH] Fixed various file name escaping issues in core apps - Refactored file tr lookup into FileList.findFileEl that uses filterAttr to avoid escaping issues in jQuery selectors - Fixed versions and sharing app to properly escape file names in attributes --- apps/files/js/file-upload.js | 12 ++++++-- apps/files/js/fileactions.js | 2 +- apps/files/js/filelist.js | 49 ++++++++++++++++++------------ apps/files/js/files.js | 14 +++++---- apps/files_sharing/js/public.js | 6 ++-- apps/files_sharing/js/share.js | 2 +- apps/files_trashbin/js/trash.js | 14 ++++----- apps/files_versions/js/versions.js | 16 +++++----- core/js/share.js | 10 ++++-- 9 files changed, 75 insertions(+), 50 deletions(-) diff --git a/apps/files/js/file-upload.js b/apps/files/js/file-upload.js index 196817432d5..225c3319107 100644 --- a/apps/files/js/file-upload.js +++ b/apps/files/js/file-upload.js @@ -222,6 +222,14 @@ $(document).ready(function() { //examine file var file = data.files[0]; + try { + // FIXME: not so elegant... need to refactor that method to return a value + Files.isFileNameValid(file.name); + } + catch (errorMessage) { + data.textStatus = 'invalidcharacters'; + data.errorThrown = errorMessage; + } if (file.type === '' && file.size === 4096) { data.textStatus = 'dirorzero'; @@ -605,7 +613,7 @@ $(document).ready(function() { if (result.status === 'success') { var date=new Date(); FileList.addDir(name, 0, date, hidden); - var tr=$('tr[data-file="'+name+'"]'); + var tr = FileList.findFileEl(name); tr.attr('data-id', result.data.id); } else { OC.dialogs.alert(result.data.message, t('core', 'Could not create folder')); 
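Review bot: The new `catch (errorMessage)` around `Files.isFileNameValid(file.name)` swallows every exception, not only the validation failure, so a TypeError (for example `Files` or the method missing on some page) would be reported to the user as `invalidcharacters` instead of surfacing as a bug. Until the refactor the FIXME asks for lands, rethrow anything that is not the expected message, `if (typeof errorMessage !== 'string') { throw errorMessage; }` as the first line of the catch; this assumes `isFileNameValid` throws a string, which the assignment to `data.errorThrown` suggests but this hunk does not show. A comment above the try is also worth adding: `// client-side convenience only: the server must keep rejecting invalid names, the upload request can be sent without this script`. The enclosing upload callback starts and ends outside the hunk.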
@@ -647,7 +655,7 @@ $(document).ready(function() { $('#uploadprogressbar').fadeOut(); var date = new Date(); FileList.addFile(localName, size, date, false, hidden); - var tr = $('tr[data-file="'+localName+'"]'); + var tr = FileList.findFileEl(localName); tr.data('mime', mime).data('id', id); tr.attr('data-id', id); var path = $('#dir').val()+'/'+localName; diff --git a/apps/files/js/fileactions.js b/apps/files/js/fileactions.js index 03e23189a97..74bb711ef3d 100644 --- a/apps/files/js/fileactions.js +++ b/apps/files/js/fileactions.js @@ -71,7 +71,7 @@ var FileActions = { FileActions.currentFile = parent; var actions = FileActions.get(FileActions.getCurrentMimeType(), FileActions.getCurrentType(), FileActions.getCurrentPermissions()); var file = FileActions.getCurrentFile(); - if ($('tr[data-file="'+file+'"]').data('renaming')) { + if (FileList.findFileEl(file).data('renaming')) { return; } diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js index 473bcf25f2d..c02ab70ce8d 100644 --- a/apps/files/js/filelist.js +++ b/apps/files/js/filelist.js @@ -6,6 +6,13 @@ var FileList={ $(this).attr('data-file',decodeURIComponent($(this).attr('data-file'))); }); }, + /** + * Returns the tr element for a given file name + */ + findFileEl: function(fileName){ + // use filterAttr to avoid escaping issues + return $('#fileList tr').filterAttr('data-file', fileName); + }, update:function(fileListHtml) { var $fileList = $('#fileList'); $fileList.empty().html(fileListHtml); @@ -292,8 +299,9 @@ var FileList={ $('#filestable').toggleClass('hidden', show); }, remove:function(name){ - $('tr').filterAttr('data-file',name).find('td.filename').draggable('destroy'); - $('tr').filterAttr('data-file',name).remove(); + var fileEl = FileList.findFileEl(name); + fileEl.find('td.filename').draggable('destroy'); + fileEl.remove(); FileList.updateFileSummary(); if ( ! $('tr[data-file]').exists() ) { $('#emptycontent').removeClass('hidden'); 
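Review bot: The changed condition in fileactions.js now calls `FileList.findFileEl(file)` directly, which makes `FileActions` hard-depend on the `FileList` global; the replaced `$('tr[data-file="'+file+'"]')` had no such dependency, and apps/files_trashbin guards `typeof FileActions !== 'undefined'` before using FileActions, which suggests these scripts are loaded independently per app. If any page loads fileactions.js without filelist.js this line now throws a ReferenceError rather than returning. Either document it, `// requires FileList (filelist.js) to be loaded before FileActions.display runs`, or guard it: `if (typeof FileList !== 'undefined' && FileList.findFileEl(file).data('renaming')) {`. The enclosing FileActions method starts before the hunk.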
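Review bot: `findFileEl` becomes the single lookup the whole commit relies on, but its one-line doc comment omits the contract callers need to keep the escaping fix intact: `fileName` must be the raw, unescaped name (the initialisation loop just above applies `decodeURIComponent` to each `data-file`), it is compared verbatim by `filterAttr` so no selector quoting may be applied to it, the search is scoped to `#fileList` whereas several replaced call sites searched every `tr`, and the result is a jQuery set that may be empty. I would replace the comment with a JSDoc block saying exactly that, with `@param {String} fileName` and `@return {jQuery}` tags, so the next contributor does not reintroduce `$('tr[data-file="'+name+'"]')` for "performance". The `filterAttr` helper itself is not in this diff, so its exact-match semantics are inferred from the commit message.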
@@ -334,7 +342,7 @@ var FileList={ FileList.updateFileSummary(); }, loadingDone:function(name, id) { - var mime, tr = $('tr[data-file="'+name+'"]'); + var mime, tr = FileList.findFileEl(name); tr.data('loading', false); mime = tr.data('mime'); tr.attr('data-mime', mime); @@ -347,12 +355,12 @@ var FileList={ }, null, null, tr.attr('data-etag')); tr.find('td.filename').draggable(dragOptions); }, - isLoading:function(name) { - return $('tr[data-file="'+name+'"]').data('loading'); + isLoading:function(file) { + return FileList.findFileEl(file).data('loading'); }, rename:function(oldname) { var tr, td, input, form; - tr = $('tr[data-file="'+oldname+'"]'); + tr = FileList.findFileEl(oldname); tr.data('renaming',true); td = tr.children('td.filename'); input = $('').val(oldname); @@ -500,14 +508,16 @@ var FileList={ form.trigger('submit'); }); }, - inList:function(filename) { - return $('#fileList tr[data-file="'+filename+'"]').length; + inList:function(file) { + return FileList.findFileEl(file).length; }, replace:function(oldName, newName, isNewFile) { // Finish any existing actions - $('tr[data-file="'+oldName+'"]').hide(); - $('tr[data-file="'+newName+'"]').hide(); - var tr = $('tr[data-file="'+oldName+'"]').clone(); + var oldFileEl = FileList.findFileEl(oldName); + var newFileEl = FileList.findFileEl(newName); + oldFileEl.hide(); + newFileEl.hide(); + var tr = oldFileEl.clone(); tr.attr('data-replace', 'true'); tr.attr('data-file', newName); var td = tr.children('td.filename'); @@ -559,7 +569,7 @@ var FileList={ files=[files]; } for (var i=0; i span').attr('data-oldName'); + FileList.findFileEl(file).show(); OC.Notification.hide(); }); $('#notification:first-child').on('click', '.cancel', function() { diff --git a/apps/files/js/files.js b/apps/files/js/files.js index fdaa3aa3342..1f12ade8d79 100644 --- a/apps/files/js/files.js +++ b/apps/files/js/files.js 
@@ -282,7 +282,7 @@ $(document).ready(function() { procesSelection(); } else { var filename=$(this).parent().parent().attr('data-file'); - var tr=$('tr[data-file="'+filename+'"]'); + var tr = FileList.findFileEl(filename); var renaming=tr.data('renaming'); if (!renaming && !FileList.isLoading(filename)) { FileActions.currentFile = $(this).parent(); @@ -541,10 +541,12 @@ var folderDropOptions={ if (result) { if (result.status === 'success') { //recalculate folder size - var oldSize = $('#fileList tr[data-file="'+target+'"]').data('size'); - var newSize = oldSize + $('#fileList tr[data-file="'+file+'"]').data('size'); - $('#fileList tr[data-file="'+target+'"]').data('size', newSize); - $('#fileList tr[data-file="'+target+'"]').find('td.filesize').text(humanFileSize(newSize)); + var oldFile = FileList.findFileEl(target); + var newFile = FileList.findFileEl(file); + var oldSize = oldFile.data('size'); + var newSize = oldSize + newFile.data('size'); + oldFile.data('size', newSize); + oldFile.find('td.filesize').text(humanFileSize(newSize)); FileList.remove(file); procesSelection(); @@ -738,7 +740,7 @@ Files.lazyLoadPreview = function(path, mime, ready, width, height, etag) { } function getUniqueName(name) { - if ($('tr[data-file="'+name+'"]').exists()) { + if (FileList.findFileEl(name).exists()) { var parts=name.split('.'); var extension = ""; if (parts.length > 1) { diff --git a/apps/files_sharing/js/public.js b/apps/files_sharing/js/public.js index eacd4096ed8..2e34e6f9bc5 100644 --- a/apps/files_sharing/js/public.js +++ b/apps/files_sharing/js/public.js 
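Review bot: The new locals in the folderDropOptions hunk are misnamed: `oldFile` holds the drop-target folder row and `newFile` the row of the file being moved into it, and the code then adds the moved file's size to the folder. Rename them for the next reader, `var targetEl = FileList.findFileEl(target);` and `var movedEl = FileList.findFileEl(file);`, updating the four uses below. Pre-existing and not introduced here, but now easier to see: `oldSize + newFile.data('size')` yields NaN if either row lacks a numeric size, which then flows into `humanFileSize`. The enclosing drop handler starts and ends outside the hunk.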
@@ -29,19 +29,19 @@ $(document).ready(function() { } } FileActions.register('dir', 'Open', OC.PERMISSION_READ, '', function(filename) { - var tr = $('tr').filterAttr('data-file', filename); + var tr = FileList.findFileEl(filename); if (tr.length > 0) { window.location = $(tr).find('a.name').attr('href'); } }); FileActions.register('file', 'Download', OC.PERMISSION_READ, '', function(filename) { - var tr = $('tr').filterAttr('data-file', filename); + var tr = FileList.findFileEl(filename); if (tr.length > 0) { window.location = $(tr).find('a.name').attr('href'); } }); FileActions.register('dir', 'Download', OC.PERMISSION_READ, '', function(filename) { - var tr = $('tr').filterAttr('data-file', filename); + var tr = FileList.findFileEl(filename); if (tr.length > 0) { window.location = $(tr).find('a.name').attr('href')+'&download'; } diff --git a/apps/files_sharing/js/share.js b/apps/files_sharing/js/share.js index 340e0939445..36de452a55e 100644 --- a/apps/files_sharing/js/share.js +++ b/apps/files_sharing/js/share.js @@ -22,7 +22,7 @@ $(document).ready(function() { } else { var item = $('#dir').val() + '/' + filename; } - var tr = $('tr').filterAttr('data-file', filename); + var tr = FileList.findFileEl(filename); if ($(tr).data('type') == 'dir') { var itemType = 'folder'; } else { diff --git a/apps/files_trashbin/js/trash.js b/apps/files_trashbin/js/trash.js index 1ff5bac6130..46d8b56308c 100644 --- a/apps/files_trashbin/js/trash.js +++ b/apps/files_trashbin/js/trash.js 
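Review bot: Replacing `$('tr').filterAttr('data-file', filename)` with `FileList.findFileEl(filename)` narrows the search from every `tr` on the page to rows under `#fileList`, so the three Open/Download actions silently do nothing (`tr.length` is 0 and the `if` is skipped) if the public share template renders its table under a different id; the hunk cannot confirm which id the template uses, so please verify it before merging. The same scoping change applies to the share.js and trash.js call sites in this commit. If the id is confirmed, a short comment at the first call site, `// FileList.findFileEl only searches #fileList`, documents the new dependency; note also that the pre-existing `$(tr)` wrapping is redundant now that `tr` is already a jQuery object.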
@@ -3,8 +3,8 @@ $(document).ready(function() { if (typeof FileActions !== 'undefined') { FileActions.register('all', 'Restore', OC.PERMISSION_READ, OC.imagePath('core', 'actions/history'), function(filename) { - var tr = $('tr').filterAttr('data-file', filename); - var deleteAction = $('tr').filterAttr('data-file', filename).children("td.date").children(".action.delete"); + var tr = FileList.findFileEl(filename); + var deleteAction = tr.children("td.date").children(".action.delete"); deleteAction.removeClass('delete-icon').addClass('progress-icon'); disableActions(); $.post(OC.filePath('files_trashbin', 'ajax', 'undelete.php'), @@ -30,8 +30,8 @@ $(document).ready(function() { return OC.imagePath('core', 'actions/delete'); }, function(filename) { $('.tipsy').remove(); - var tr = $('tr').filterAttr('data-file', filename); - var deleteAction = $('tr').filterAttr('data-file', filename).children("td.date").children(".action.delete"); + var tr = FileList.findFileEl(filename); + var deleteAction = tr.children("td.date").children(".action.delete"); deleteAction.removeClass('delete-icon').addClass('progress-icon'); disableActions(); $.post(OC.filePath('files_trashbin', 'ajax', 'delete.php'), @@ -73,7 +73,7 @@ $(document).ready(function() { var dirlisting = getSelectedFiles('dirlisting')[0]; disableActions(); for (var i = 0; i < files.length; i++) { - var deleteAction = $('tr').filterAttr('data-file', files[i]).children("td.date").children(".action.delete"); + var deleteAction = FileList.findFileEl(files[i]).children("td.date").children(".action.delete"); deleteAction.removeClass('delete-icon').addClass('progress-icon'); } 
@@ -119,7 +119,7 @@ $(document).ready(function() { } else { for (var i = 0; i < files.length; i++) { - var deleteAction = $('tr').filterAttr('data-file', files[i]).children("td.date").children(".action.delete"); + var deleteAction = FileList.findFileEl(files[i]).children("td.date").children(".action.delete"); deleteAction.removeClass('delete-icon').addClass('progress-icon'); } } @@ -169,7 +169,7 @@ $(document).ready(function() { event.preventDefault(); } var filename = $(this).parent().parent().attr('data-file'); - var tr = $('tr').filterAttr('data-file',filename); + var tr = FileList.findFileEl(filename); var renaming = tr.data('renaming'); if(!renaming && !FileList.isLoading(filename)){ if(mime.substr(0, 5) === 'text/'){ //no texteditor for now diff --git a/apps/files_versions/js/versions.js b/apps/files_versions/js/versions.js index 738a7ece6f2..4adf14745de 100644 --- a/apps/files_versions/js/versions.js +++ b/apps/files_versions/js/versions.js @@ -77,6 +77,7 @@ function goToVersionPage(url){ function createVersionsDropdown(filename, files) { var start = 0; + var fileEl; var html = '