From ac4e6d49cac0210448c98d491dedcc832089e786 Mon Sep 17 00:00:00 2001
From: Nathan Haug
Date: Thu, 17 Jun 2010 00:07:06 +0000
Subject: [PATCH] Sanitizing file names before output in tokens and formatters.

---
 filefield.token.inc | 6 +++---
 filefield_formatter.inc | 19 ++++++++++++++++---
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/filefield.token.inc b/filefield.token.inc
index 97d3f68..b2e4b70 100644
--- a/filefield.token.inc
+++ b/filefield.token.inc
@@ -38,9 +38,9 @@ function filefield_token_values($type, $object = NULL) {
 if ($type == 'field' && isset($object[0]['fid'])) {
 $item = $object[0];
 $tokens['filefield-fid'] = $item['fid'];
- $tokens['filefield-description'] = isset($item['data']['description']) ? $item['data']['description'] : '';
- $tokens['filefield-filename'] = $item['filename'];
- $tokens['filefield-filepath'] = $item['filepath'];
+ $tokens['filefield-description'] = isset($item['data']['description']) ? check_plain($item['data']['description']) : '';
+ $tokens['filefield-filename'] = check_plain($item['filename']);
+ $tokens['filefield-filepath'] = check_plain($item['filepath']);
 $tokens['filefield-filemime'] = $item['filemime'];
 $tokens['filefield-filesize'] = $item['filesize'];
 $tokens['filefield-filesize_formatted'] = format_size($item['filesize']);
diff --git a/filefield_formatter.inc b/filefield_formatter.inc
index e866d1e..9c0ea16 100644
--- a/filefield_formatter.inc
+++ b/filefield_formatter.inc
@@ -39,8 +39,7 @@ function theme_filefield_formatter_path_plain($element) {
 if (empty($item['filepath']) && !empty($item['fid'])) {
 $item = array_merge($item, field_file_load($item['fid']));
 }
-
- return empty($item['filepath']) ? '' : file_create_path($item['filepath']);
+ return empty($item['filepath']) ? '' : check_plain(file_create_path($item['filepath']));
 }
 
 /**
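Review bot: `filefield-filename` and `filefield-filepath` are now HTML-escaped in place with no unescaped variant left, so any consumer that uses these tokens outside an HTML context (a path alias, a filesystem path, a plain-text mail) will receive entity-encoded names such as `&#039;` or `&amp;`. The token module's convention, as far as I recall, is to keep the escaped value under the plain name and expose the original under a paired `-raw` suffix; `$tokens['filefield-filename-raw'] = $item['filename'];` and `$tokens['filefield-filepath-raw'] = $item['filepath'];` (plus the matching entries in the token list function, outside this hunk) would serve both uses. `filefield-filemime` on the following line is still emitted unescaped; it is normally derived from the extension map rather than user input, but escaping it too would make the rule for this block uniform. filefield_token_values starts and ends outside the hunk.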
@@ -63,7 +62,21 @@ function theme_filefield_formatter_url_plain($element) {
 $item = array_merge($item, field_file_load($item['fid']));
 }
 
- return empty($item['filepath']) ? '' : file_create_url($item['filepath']);
+ if (empty($item['filepath'])) {
+ return '';
+ }
+
+ // Encode the parts of the path to ensure URLs operate within href attributes.
+ // Private file paths are urlencoded for us inside of file_create_url().
+ if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) == FILE_DOWNLOADS_PUBLIC) {
+ $parts = explode('/', $item['filepath']);
+ foreach ($parts as $index => $part) {
+ $parts[$index] = rawurlencode($part);
+ }
+ $item['filepath'] = implode('/', $parts);
+ }
+
+ return file_create_url($item['filepath']);
 }
 
 /**
-- 
1.7.4.1
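Review bot: The encoded URL is returned without `check_plain()`, unlike `theme_filefield_formatter_path_plain()` in the hunk above; `rawurlencode()` does cover every segment taken from the file name, but the prefix that `file_create_url()` prepends (base URL and file directory path, both site configuration) is emitted as-is, so the return value is safe in an href only as long as that configuration is trusted, which the docblock outside this hunk should state. The per-segment loop can be one expression, `$item['filepath'] = implode('/', array_map('rawurlencode', explode('/', $item['filepath'])));`. The comparison against `FILE_DOWNLOADS_PUBLIC` is loose, which is acceptable for a numeric setting, but any non-public value falls through to `file_create_url()` unencoded and so relies on the private branch of that helper encoding the path as the comment claims — worth a pointer to where that happens. theme_filefield_formatter_url_plain starts outside the hunk.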