From c734e13753bd50572a7e5de290c9568d37aea7e6 Mon Sep 17 00:00:00 2001
From: shortcutme <tamas@zeronet.io>
Date: Mon, 26 Nov 2018 00:17:29 +0100
Subject: [PATCH] Escape pinned file names

---
 plugins/OptionalManager/UiWebsocketPlugin.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/OptionalManager/UiWebsocketPlugin.py b/plugins/OptionalManager/UiWebsocketPlugin.py
index 9340d385..6d5f5076 100644
--- a/plugins/OptionalManager/UiWebsocketPlugin.py
+++ b/plugins/OptionalManager/UiWebsocketPlugin.py
@@ -212,7 +212,7 @@ class UiWebsocketPlugin(object):
         num_file = len(inner_path)
         if back == "ok":
             if num_file == 1:
-                self.cmd("notification", ["done", _["Pinned %s"] % helper.getFilename(inner_path[0]), 5000])
+                self.cmd("notification", ["done", _["Pinned %s"] % cgi.escape(helper.getFilename(inner_path[0])), 5000])
             else:
                 self.cmd("notification", ["done", _["Pinned %s files"] % num_file, 5000])
         self.response(to, back)
@@ -224,7 +224,7 @@ class UiWebsocketPlugin(object):
         num_file = len(inner_path)
         if back == "ok":
             if num_file == 1:
-                self.cmd("notification", ["done", _["Removed pin from %s"] % helper.getFilename(inner_path[0]), 5000])
+                self.cmd("notification", ["done", _["Removed pin from %s"] % cgi.escape(helper.getFilename(inner_path[0])), 5000])
             else:
                 self.cmd("notification", ["done", _["Removed pin from %s files"] % num_file, 5000])
         self.response(to, back)