From 45b701801d1357f1d4ccf79415c0bc850894ce2c Mon Sep 17 00:00:00 2001
From: ed
Date: Mon, 5 Dec 2022 19:13:47 +0000
Subject: [PATCH] fix ssdp xml escaping + target url
---
 copyparty/__main__.py | 2 +-
 copyparty/httpcli.py | 2 +-
 copyparty/ssdp.py | 5 +++--
 copyparty/web/svcs.html | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/copyparty/__main__.py b/copyparty/__main__.py
index 572292be..5be22b7c 100755
--- a/copyparty/__main__.py
+++ b/copyparty/__main__.py
@@ -693,7 +693,7 @@ def run_argparse(
 ap2.add_argument("--zs-on", metavar="NICS/NETS", type=u, default="", help="enable zeroconf ONLY on the comma-separated list of subnets and/or interface names/indexes")
 ap2.add_argument("--zs-off", metavar="NICS/NETS", type=u, default="", help="disable zeroconf on the comma-separated list of subnets and/or interface names/indexes")
 ap2.add_argument("--zsv", action="store_true", help="verbose SSDP")
- ap2.add_argument("--zsl", metavar="PATH", type=u, default="/?hc", help="location to include in the url (or a complete external URL), for example [\033[32mpriv/?pw=hunter2\033[0m] or [\033[32mpriv/?pw=hunter2\033[0m]")
+ ap2.add_argument("--zsl", metavar="PATH", type=u, default="/?hc", help="location to include in the url (or a complete external URL), for example [\033[32mpriv/?pw=hunter2\033[0m] (goes directly to /priv/ with password hunter2) or [\033[32m?hc=priv&pw=hunter2\033[0m] (shows mounting options for /priv/ with password)")
 ap2.add_argument("--zsid", metavar="UUID", type=u, default=uuid.uuid4().urn[4:], help="USN (device identifier) to announce")
 ap2 = ap.add_argument_group('FTP options')
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index e616bd77..a4c9e66b 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
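Review bot: In copyparty/__main__.py the new `--zsl` help text gives two examples that put `pw=hunter2` into the announced location, but it does not say who can read that value. The ssdp.py hunk of this same patch formats the resulting URL into the document returned by `hc.reply`, so presumably any client on the network that fetches the SSDP description also receives the password. The help string should state that, for example by appending `; the URL, including any password in it, is visible to every device that can retrieve the announcement`.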
@@ -839,7 +839,7 @@ class HttpCli(object):
 "supportedlock": '',
 }
 if not isdir:
- pvs["getcontenttype"] = guess_mime(rp)
+ pvs["getcontenttype"] = html_escape(guess_mime(rp))
 pvs["getcontentlength"] = str(st.st_size)
 for k, v in pvs.items():
diff --git a/copyparty/ssdp.py b/copyparty/ssdp.py
index 40ae5626..ee97820c 100644
--- a/copyparty/ssdp.py
+++ b/copyparty/ssdp.py
@@ -8,7 +8,7 @@ from email.utils import formatdate
 from .__init__ import TYPE_CHECKING
 from .multicast import MC_Sck, MCast
-from .util import CachedSet, min_ex
+from .util import CachedSet, min_ex, html_escape
 if TYPE_CHECKING:
 from .broker_util import BrokerCli
@@ -73,13 +73,14 @@ class SSDPr(object):
 """
+ c = html_escape
 sip, sport = hc.s.getsockname()[:2]
 proto = "https" if self.args.https_only else "http"
 ubase = "{}://{}:{}".format(proto, sip, sport)
 zsl = self.args.zsl
 url = zsl if "://" in zsl else ubase + "/" + zsl.lstrip("/")
 name = "{} @ {}".format(self.args.doctitle, self.args.name)
- zs = zs.strip().format(ubase, url, name, self.args.zsid)
+ zs = zs.strip().format(c(ubase), c(url), c(name), c(self.args.zsid))
 hc.reply(zs.encode("utf-8", "replace"))
 return False # close connectino
diff --git a/copyparty/web/svcs.html b/copyparty/web/svcs.html
index 943dfc62..70cc5ff4 100644
--- a/copyparty/web/svcs.html
+++ b/copyparty/web/svcs.html
@@ -15,7 +15,7 @@
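Review bot: In copyparty/httpcli.py only `getcontenttype` is escaped, while the `for k, v in pvs.items()` loop that follows writes out every entry of `pvs`. The rest of the dict and the loop body are outside the hunk, so it is not visible whether other path-derived values are escaped before they reach what looks like a WebDAV property response. If they are not, escaping once where the loop emits `v` would be harder to miss than per-key calls, with an explicit exemption for any property that carries intentional markup. A comment above the assignment such as `# property values are written into the XML reply as-is; escape anything derived from the path` would record why the call is there.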
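Review bot: In copyparty/ssdp.py, escaping the four values with `html_escape` on the `zs.strip().format(...)` line is only sufficient if every placeholder in the `zs` template sits in element text. The template is above the hunk, and whether `html_escape` also escapes quote characters by default is not visible here. If any placeholder is inside an attribute value, a quote in `--zsl`, `doctitle` or `name` would still end that attribute early, so the call for that position should request quote escaping. The one-letter alias `c` also hides what the format line does; `esc = html_escape`, or calling `html_escape` directly, would read more clearly. The method starts before this hunk.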
-

browse files // control panel

+

browse files // control panel

or choose your OS for cooler alternatives: