Escape single quotes in URL

On Unix, we escape the URL argument by surrounding it with single
quotes. This fails if the URL contains single quotes. It also fails if
the `BROWSER` command contains `%s` not surrounded by single quotes.

Fix this by escaping the single quotes. We might also want to look into
passing the `BROWSER` command and arguments into `exec.Command` directly
instead of through `/bin/sh` and checking if that has an automatic
escaping mechanism we can take advantage of.

3 files changed, 12 insertions, 1 deletions

diff --git a/browserenv.go b/browserenv.go
index 3f463a2..4ff70a4 100644
--- a/browserenv.go
+++ b/browserenv.go
@@ -77,6 +77,8 @@ func browserCommand(command, url string) *exec.Cmd {
 	shell := shellArgs[0]
 	args := shellArgs[1:]
 
+	url = escapeURL(url)
+
 	if browserCommandIncludesURL(command) {
 		command = fmtWithURL(command, url)
 	} else {
@@ -96,3 +98,7 @@ func fmtWithURL(command, url string) string {
 	// TODO: shellescape URL
 	return strings.ReplaceAll(command, "%s", url)
 }
+
+func escapeURL(url string) string {
+	return strings.ReplaceAll(url, "'", "%27")
+}
diff --git a/browserenv_unix.go b/browserenv_unix.go
index e09bd10..e6416f8 100644
--- a/browserenv_unix.go
+++ b/browserenv_unix.go
@@ -21,6 +21,5 @@ func shell() (args []string) {
 // TODO
 func fmtBrowserCommand(browser, url string) string {
 	// TODO: handle %s in browser command
-	// TODO: handle single quotes in URL
 	return fmt.Sprintf("%s '%s'", browser, url)
 }
diff --git a/browserenv_unix_test.go b/browserenv_unix_test.go
index f49444e..0d61a52 100644
--- a/browserenv_unix_test.go
+++ b/browserenv_unix_test.go
@@ -33,6 +33,12 @@ func TestBrowserCommand(t *testing.T) {
 			"https://duckduckgo.com",
 			"open -a Firefox https://duckduckgo.com --other-arg",
 		},
+		{
+			"escapes single quotes in URL",
+			"open -a Firefox",
+			"https://duckduckgo.com/?q='s-Hertogenbosch",
+			"open -a Firefox 'https://duckduckgo.com/?q=%27s-Hertogenbosch'",
+		},
 	}
 
 	for _, test := range tests {