fix: Improved path escaping

Daniel Kempkens 2023-05-18 20:20:45 +02:00
parent 8c623afd31
commit 64b189ab23
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
3 changed files with 9 additions and 4 deletions


@ -138,7 +138,12 @@ defmodule BdfrBrowser.HTTP.Plug do
defp media_path(full_path) do
base_directory = Application.fetch_env!(:bdfr_browser, :base_directory)
String.replace(full_path, "#{base_directory}/", "/media/")
full_path
|> String.replace("#{base_directory}/", "/media/")
|> String.split("/")
|> Enum.map(fn p -> URI.encode(p, &URI.char_unreserved?/1) end)
|> Enum.join("/")
end
defp mime_from_ext(path) do
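Review bot: `String.replace/3` in `media_path/1` rewrites every occurrence of `"#{base_directory}/"`, not only the leading one, and when `full_path` does not start with that prefix the absolute filesystem path is percent-encoded and handed to the browser as-is. Anchoring the rewrite with `String.replace_prefix(full_path, "#{base_directory}/", "/media/")` covers the first case. Whether a caller can ever pass a path outside `base_directory` is not visible in this hunk, so a `String.starts_with?/2` check that raises on a mismatch would enforce that assumption instead of implying it. As a style point, the `Enum.map(...) |> Enum.join("/")` pair can be written as `Enum.map_join("/", &URI.encode(&1, &URI.char_unreserved?/1))`.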


@ -27,7 +27,7 @@
<div class="carousel-inner">
<%= for {img, i} <- Enum.with_index(media.images) do %>
<div class="carousel-item <%= if i == 0, do: "active" %>">
<img src="<%= URI.encode(img) %>" class="d-block w-100">
<img src="<%= img %>" class="d-block w-100">
</div>
<% end %>
</div>
@ -48,7 +48,7 @@
<div class="row">
<%= for video <- media.videos do %>
<video controls loop>
<source src="<%= URI.encode(video) %>" type="video/mp4">
<source src="<%= video %>" type="video/mp4">
</video>
<% end %>
</div>
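Review bot: With `URI.encode/1` removed, `<%= img %>` in the first hunk and `<%= video %>` in the second are written into the `src` attributes exactly as they arrive, so the template is only safe if every entry in `media.images` and `media.videos` has already passed through `media_path/1`. That contract is not visible from this template, and the underlying filenames come from archived content rather than from the application. A comment above each loop would record it, for example `<%# values are already percent-encoded by media_path/1; never pass raw paths here %>`. If the templates are rendered without HTML auto-escaping (not shown here), the encoding in `media_path/1` is the only thing that keeps a `"` in a filename from closing the attribute.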


@ -19,7 +19,7 @@
<%= for post <- posts do %>
<div class="card">
<div class="card-body">
<h5 class="card-title"><a href="/r/<%= subreddit %>/<%= date %>/<%= URI.encode(post.filename) %>"><%= post.title %></a></h5>
<h5 class="card-title"><a href="/r/<%= subreddit %>/<%= date %>/<%= URI.encode(post.filename, &URI.char_unreserved?/1) %>"><%= post.title %></a></h5>
<h6 class="card-subtitle mb-2 text-body-secondary">
<%= post.num_comments %> comment(s) - <%= trunc(post.created_utc) |> DateTime.from_unix!() |> DateTime.to_iso8601() %>
</h6>
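Review bot: On the changed `<a href>` line only `post.filename` gets the stricter `&URI.char_unreserved?/1` encoding, while `subreddit` and `date` are interpolated into the same path with no encoding at all, so a `/`, `?`, `#` or `"` in either would change the URL or end the attribute early. If those values are derived from directory names on disk (not visible here), encode them the same way, e.g. `<%= URI.encode(subreddit, &URI.char_unreserved?/1) %>`. `post.title` on the same line is also emitted as-is; if this template is rendered by plain EEx, which does not HTML-escape, it should go through an escaper such as `Plug.HTML.html_escape/1`.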