diff options
| author | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-03-22 14:20:17 +0100 |
|---|---|---|
| committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-04-17 12:40:01 +0200 |
| commit | 4767830d7acb25614d5fb5415bf9b03918cd7831 (patch) | |
| tree | e4a2417c23874f4488a7958b963d1e8335f30548 /cypress | |
| parent | 8d91e071d7e809753535bd2094927a046e384d51 (diff) | |
| download | nextcloud-server-4767830d7acb25614d5fb5415bf9b03918cd7831.tar.gz nextcloud-server-4767830d7acb25614d5fb5415bf9b03918cd7831.zip | |
fix(files): Do not escape file names for filepicker buttons
The text is already escaped by Vue, so we should not escape or sanitize the filename.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'cypress')
| -rw-r--r-- | cypress/e2e/files/files_copy-move.cy.ts | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/cypress/e2e/files/files_copy-move.cy.ts b/cypress/e2e/files/files_copy-move.cy.ts index c265066f18c..6c37807aa73 100644 --- a/cypress/e2e/files/files_copy-move.cy.ts +++ b/cypress/e2e/files/files_copy-move.cy.ts @@ -35,6 +35,7 @@ describe('Files: Move or copy files', { testIsolation: true }, () => { cy.deleteUser(currentUser) }) + it('Can copy a file to new folder', () => { cy.uploadContent(currentUser, new Blob(), 'text/plain', '/original.txt') .mkdir(currentUser, '/new-folder') @@ -195,4 +196,41 @@ describe('Files: Move or copy files', { testIsolation: true }, () => { getRowForFile('original.txt').should('be.visible') getRowForFile('original (copy 2).txt').should('be.visible') }) + + /** Test for https://github.com/nextcloud/server/issues/43329 */ + context.only('escaping file and folder names', () => { + it('Can handle files with special characters', () => { + cy.uploadContent(currentUser, new Blob(), 'text/plain', '/original.txt') + .mkdir(currentUser, '/can\'t say') + cy.login(currentUser) + cy.visit('/apps/files') + + copyFile('original.txt', 'can\'t say') + + navigateToFolder('can\'t say') + + cy.url().should('contain', 'dir=/can%27t%20say') + getRowForFile('original.txt').should('be.visible') + getRowForFile('can\'t say').should('not.exist') + }) + + /** + * If escape is set to false (required for test above) then "<a>foo" would result in "<a>foo</a>" if sanitizing is not disabled + * We should disable it as vue already escapes the text when using v-text + */ + it('does not incorrectly sanitize file names', () => { + cy.uploadContent(currentUser, new Blob(), 'text/plain', '/original.txt') + .mkdir(currentUser, '/<a href="#">foo') + cy.login(currentUser) + cy.visit('/apps/files') + + copyFile('original.txt', '<a href="#">foo') + + navigateToFolder('<a href="#">foo') + + cy.url().should('contain', 'dir=/%3Ca%20href%3D%22%23%22%3Efoo') + getRowForFile('original.txt').should('be.visible') + getRowForFile('<a href="#">foo').should('not.exist') + }) + }) }) |