escape file and directory names when downloading files

2 files changed, 2 insertions, 2 deletions

diff --git a/files/js/fileactions.js b/files/js/fileactions.js
index ddb16ecd5fd..0089c235ebf 100644
--- a/files/js/fileactions.js
+++ b/files/js/fileactions.js
@@ -125,7 +125,7 @@ FileActions={
 }
 
 FileActions.register('all','Download',function(){return OC.imagePath('core','actions/download')},function(filename){
-	window.location='ajax/download.php?files='+filename+'&dir='+$('#dir').val();
+	window.location='ajax/download.php?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val());
 });
 
 FileActions.register('all','Delete',function(){return OC.imagePath('core','actions/delete')},function(filename){
diff --git a/files/templates/part.list.php b/files/templates/part.list.php
index 398094f56d0..6bf5efe2fb2 100644
--- a/files/templates/part.list.php
+++ b/files/templates/part.list.php
@@ -8,7 +8,7 @@
 			<tr data-file="<?php echo $file['name'];?>" data-type="<?php echo ($file['type'] == 'dir')?'dir':'file'?>" data-mime="<?php echo $file['mime']?>" data-size='<?php echo $file['size'];?>'>
 				<td class="filename svg" style="background-image:url(<?php if($file['type'] == 'dir') echo mimetype_icon('dir'); else echo mimetype_icon($file['mime']); ?>)">
 					<?php if(!isset($_['readonly']) || !$_['readonly']) { ?><input type="checkbox" /><?php } ?>
-					<a class="name" href="<?php if($file['type'] == 'dir') echo $_['baseURL'].$file['directory'].'/'.$file['name']; else echo $_['downloadURL'].$file['directory'].'/'.$file['name']; ?>" title="">
+					<a class="name" href="<?php if($file['type'] == 'dir') echo $_['baseURL'].$file['directory'].'/'.$file['name']; else echo $_['downloadURL'].urlencode($file['directory']).'/'.urlencode($file['name']); ?>" title="">
 					<span class="nametext">
 						<?php if($file['type'] == 'dir'):?>
 							<?php echo htmlspecialchars($file['name']);?>