be even stricter with ?hc

2025-08-17 09:02:15 -06:00 · 2023-07-23 13:23:52 +00:00 · 2023-07-23 13:23:52 +00:00 · 490c16b01d
parent 2437a4e864
commit 490c16b01d
1 changed files with 4 additions and 2 deletions
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -3008,8 +3008,10 @@ class HttpCli(object):
            else self.conn.hsrv.nm.map(self.ip) or host
        )
        # safer than html_escape/quotep since this avoids both XSS and shell-stuff
-        pw = re.sub(r"[<>&$?`]", "_", self.pw or "pw")
-        vp = re.sub(r"[<>&$?`]", "_", self.uparam["hc"] or "").lstrip("/")
+        pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "pw")
+        vp = re.sub(r"[<>&$?`\"']", "_", self.uparam["hc"] or "").lstrip("/")
+        pw = pw.replace(" ", "%20")
+        vp = vp.replace(" ", "%20")
        html = self.j2s(
            "svcs",
            args=self.args,