From 32bf3d979c0e79eff9dc6062903b161062b9a6eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Pierre?= Date: Thu, 12 Sep 2024 16:34:12 +1200 Subject: [PATCH] [Fix] files: escape --- src/py/extra/services/files.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/py/extra/services/files.py b/src/py/extra/services/files.py index 479cfcc..b8cbe92 100644 --- a/src/py/extra/services/files.py +++ b/src/py/extra/services/files.py @@ -5,7 +5,7 @@ from ..http.model import HTTPRequest, HTTPResponse from ..features.cors import cors from ..utils.htmpl import H, html -import os +import os, html FILE_CSS: str = """ @@ -66,14 +66,15 @@ def renderDir( path = path[:-1] files: list[str] = [] dirs: list[str] = [] + # TODO: We may want to have a strict mode to prevent resolving symlinks if localPath.is_dir(): for p in sorted(localPath.iterdir()): # We really want the href to be absolute href = os.path.join("/", self.PREFIX or "/", path, p.name) if p.is_dir(): - dirs.append(H.li(H.a(f"{p.name}/", href=href))) + dirs.append(H.li(H.a(f"{html.escape(p.name)}/", href=href))) else: - files.append(H.li(H.a(p.name, href=href))) + files.append(H.li(H.a(html.escape(p.name), href=href))) nodes = [] if parent is not None:
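Review bot: The new `import os, html` in the first hunk rebinds the name `html` that the line just above imports with `from ..utils.htmpl import H, html`. After this change any remaining use of `html` as the htmpl helper in files.py would receive the standard-library module instead; whether the file still calls it is not visible in this patch, so that needs checking. Importing the escaper under its own name avoids the clash and keeps one import per line: keep `import os`, add `from html import escape as escape_html`, and call `escape_html(p.name)` in `renderDir`.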
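Review bot: In the second hunk only the link text is escaped; `href` is still built from the raw `p.name` and passed to `H.a(..., href=href)` unchanged. A file name containing `"`, `#`, `?` or `%` will at best produce a broken link, and if `H` does not escape attribute values (not visible here) it ends up as markup inside the attribute. Percent-encode the name where the URL is built, `href = os.path.join("/", self.PREFIX or "/", path, urllib.parse.quote(p.name))`, with `import urllib.parse` added at the top of the file. It is also worth confirming that `H` does not already escape text children, since `html.escape` would then double-encode names containing `&`. `renderDir` starts and ends outside this hunk.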