From 9d7ad8967ba7af7e8e273655078f6c7690fd1824 Mon Sep 17 00:00:00 2001
From: Teddy Wing
Date: Sun, 20 Dec 2020 03:04:28 +0100
Subject: Escape single quotes in URL

On Unix, we escape the URL argument by surrounding it with single
quotes. This fails if the URL contains single quotes. It also fails if
the `BROWSER` command contains `%s` not surrounded by single quotes.

Fix this by escaping the single quotes. We might also want to look into
passing the `BROWSER` command and arguments into `exec.Command` directly
instead of through `/bin/sh` and checking if that has an automatic
escaping mechanism we can take advantage of.
---
 browserenv.go | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'browserenv.go')

diff --git a/browserenv.go b/browserenv.go
index 3f463a2..4ff70a4 100644
--- a/browserenv.go
+++ b/browserenv.go
@@ -77,6 +77,8 @@ func browserCommand(command, url string) *exec.Cmd {
 	shell := shellArgs[0]
 	args := shellArgs[1:]
 
+	url = escapeURL(url)
+
 	if browserCommandIncludesURL(command) {
 		command = fmtWithURL(command, url)
 	} else {
@@ -96,3 +98,7 @@ func fmtWithURL(command, url string) string {
 	// TODO: shellescape URL
 	return strings.ReplaceAll(command, "%s", url)
 }
+
+func escapeURL(url string) string {
+	return strings.ReplaceAll(url, "'", "%27")
+}
-- 
cgit v1.2.3