author | Teddy Wing | 2020-12-20 03:04:28 +0100 |
---|---|---|
committer | Teddy Wing | 2020-12-20 03:16:00 +0100 |
commit | 9d7ad8967ba7af7e8e273655078f6c7690fd1824 (patch) | |
tree | 8928b794b0e6492cd5800fcac75b0ddc077dee2f /browserenv.go | |
parent | 4db1ee53efc7481b689ebee69b5381d63fe59419 (diff) | |
download | browserenv-9d7ad8967ba7af7e8e273655078f6c7690fd1824.tar.bz2 |
Escape single quotes in URL
On Unix, we escape the URL argument by surrounding it with single
quotes. This fails if the URL contains single quotes. It also fails if
the `BROWSER` command contains `%s` not surrounded by single quotes.
Fix this by escaping the single quotes. We might also want to look into
passing the `BROWSER` command and arguments into `exec.Command` directly
instead of through `/bin/sh` and checking if that has an automatic
escaping mechanism we can take advantage of.
Diffstat (limited to 'browserenv.go')
-rw-r--r-- | browserenv.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/browserenv.go b/browserenv.go
index 3f463a2..4ff70a4 100644
--- a/browserenv.go
+++ b/browserenv.go
@@ -77,6 +77,8 @@ func browserCommand(command, url string) *exec.Cmd {
 shell := shellArgs[0]
 args := shellArgs[1:]
+ url = escapeURL(url)
+
 if browserCommandIncludesURL(command) {
 command = fmtWithURL(command, url)
 } else {
@@ -96,3 +98,7 @@ func fmtWithURL(command, url string) string {
 // TODO: shellescape URL
 return strings.ReplaceAll(command, "%s", url)
 }
+
+func escapeURL(url string) string {
+ return strings.ReplaceAll(url, "'", "%27")
+} |
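Review bot: `url = escapeURL(url)` runs before both branches, but replacing `'` only protects a URL that ends up inside a single-quoted shell word; in the `browserCommandIncludesURL` branch the value goes to `fmtWithURL`, which substitutes it wherever `BROWSER` placed `%s`. If that `%s` is unquoted or inside double quotes, the shell still interprets the other metacharacters in the URL, so a URL from an untrusted source can change the command that runs. Until the substitution is context-independent, I would state the limit at the call site, `// escapeURL only neutralises "'"; a %s outside single quotes in BROWSER is still parsed by the shell`, and consider rejecting or percent-encoding every byte that is not a valid URL character before substitution. The rest of `browserCommand`, including the `else` branch and the `exec.Command` call, is outside the hunk, so the quoting there is inferred from the commit message.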
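Review bot: `escapeURL` has no doc comment and its name promises more than the single replacement it performs, while `// TODO: shellescape URL` in `fmtWithURL` is left unchanged, so a reader cannot tell whether shell escaping is now considered done. I would document the contract, `// escapeURL percent-encodes single quotes so the URL cannot terminate a single-quoted shell word; it does not neutralise other shell metacharacters.`, and reword the TODO to `// TODO: url is only safe inside single quotes; escape for unquoted and double-quoted %s`. A small table-driven test for `escapeURL`, with one URL containing a quote and one without, would pin the behaviour.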