Properly escape URL

Fixes https://github.com/owncloud/core/issues/23499

2 files changed, 15 insertions, 1 deletions

diff --git a/settings/js/users/deleteHandler.js b/settings/js/users/deleteHandler.js
index b684aff1889..a66e8b07a72 100644
--- a/settings/js/users/deleteHandler.js
+++ b/settings/js/users/deleteHandler.js
@@ -191,7 +191,7 @@ DeleteHandler.prototype.deleteEntry = function(keepNotification) {
 	payload[dh.ajaxParamID] = dh.oidToDelete;
 	return $.ajax({
 		type: 'DELETE',
-		url: OC.generateUrl(dh.ajaxEndpoint+'/'+this.oidToDelete),
+		url: OC.generateUrl(dh.ajaxEndpoint+'/{oid}',{oid: this.oidToDelete}),
 		// FIXME: do not use synchronous ajax calls as they block the browser !
 		async: false,
 		success: function (result) {
diff --git a/settings/tests/js/users/deleteHandlerSpec.js b/settings/tests/js/users/deleteHandlerSpec.js
index 371eae5941d..3e7f768e519 100644
--- a/settings/tests/js/users/deleteHandlerSpec.js
+++ b/settings/tests/js/users/deleteHandlerSpec.js
@@ -132,6 +132,20 @@ describe('DeleteHandler tests', function() {
 		var	request = fakeServer.requests[0];
 		expect(request.url).toEqual(OC.webroot + '/index.php/dummyendpoint.php/some_uid');
 	});
+	it('deletes when deleteEntry is called and escapes', function() {
+		fakeServer.respondWith(/\/index\.php\/dummyendpoint.php\/some_uid/, [
+			200,
+			{ 'Content-Type': 'application/json' },
+			JSON.stringify({status: 'success'})
+		]);
+		var handler = init(markCallback, removeCallback, undoCallback);
+		handler.mark('some_uid<>/"..\\');
+
+		handler.deleteEntry();
+		expect(fakeServer.requests.length).toEqual(1);
+		var	request = fakeServer.requests[0];
+		expect(request.url).toEqual(OC.webroot + '/index.php/dummyendpoint.php/some_uid%3C%3E%2F%22..%5C');
+	});
 	it('cancels deletion when undo is clicked', function() {
 		var handler = init(markCallback, removeCallback, undoCallback);
 		handler.setNotification(OC.Notification, 'dataid', 'removed %oid entry <span class="undo">Undo</span>', undoCallback);