diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 9e346db7109aca75bdec10b6a01dd5418a50d27e..a6efd082ae59f52003ae7af321be0157aad070d8 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -1520,7 +1520,8 @@ public class I2PSnarkServlet extends BasicServlet {
 // Can't figure out how to escape double quotes inside the onclick string.
 // Single quotes in translate strings with parameters must be doubled.
 // Then the remaining single quote must be escaped
- out.write(_("Are you sure you want to delete the file \\''{0}\\'' (downloaded data will not be deleted) ?", snark.getName()));
+ out.write(_("Are you sure you want to delete the file \\''{0}\\'' (downloaded data will not be deleted) ?",
+ escapeJSString(snark.getName())));
 out.write("')) { return false; }\"");
 out.write(" src=\"" + _imgPath + "remove.png\" alt=\"");
 out.write(_("Remove"));
@@ -1540,7 +1541,8 @@ public class I2PSnarkServlet extends BasicServlet {
 // Can't figure out how to escape double quotes inside the onclick string.
 // Single quotes in translate strings with parameters must be doubled.
 // Then the remaining single quote must be escaped
- out.write(_("Are you sure you want to delete the torrent \\''{0}\\'' and all downloaded data?", fullBasename));
+ out.write(_("Are you sure you want to delete the torrent \\''{0}\\'' and all downloaded data?",
+ escapeJSString(fullBasename)));
 out.write("')) { return false; }\"");
 out.write(" src=\"" + _imgPath + "delete.png\" alt=\"");
 out.write(_("Delete"));
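Review bot: The three-line comment above both confirm() prompts (the hunks at 1520 and 1541) still says double quotes cannot be escaped inside the onclick string and never mentions the new escapeJSString() wrapper, so whoever adds the next prompt has no cue that the `{0}` argument needs it. Only the parameter is escaped; the translated template returned by `_()` is still written into the attribute as-is, which holds up only while translation files are treated as trusted input. I would add a line above each call such as `// The {0} argument is a file/torrent name and must go through escapeJSString(): it ends up in a JS string inside an HTML attribute.` Both enclosing methods start and end outside the hunks.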
@@ -1652,6 +1654,20 @@ public class I2PSnarkServlet extends BasicServlet {
 }
 }
+ /**
+ * Make it JS and HTML-safe
+ * @since 0.9.15
+ * http://stackoverflow.com/questions/8749001/escaping-html-entities-in-javascript-string-literals-within-the-script-block
+ */
+ private static String escapeJSString(String s) {
+ return s.replace("\\", "\\u005c")
+ .replace("<", "\\u003c")
+ .replace(">", "\\u003e")
+ .replace("\"", "\\u0022")
+ .replace("'", "\\u0027")
+ .replace("&", "\\u0026");
+ }
+
 /**
 * Get version from bytes 3-6
 * @return " w.x.y.z" or ""
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java b/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
index 10f33b022774d7e360e1f23959da868b96233ffd..858b9aec8d9472a04cdeebbab718ac86af2a1892 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/URIUtil.java
@@ -85,6 +85,8 @@ class URIUtil
 case '>':
 case ' ':
 case ':':
+ case '[':
+ case ']':
 buf=new StringBuilder(path.length()*2);
 break loop;
 default:
@@ -143,6 +145,12 @@ class URIUtil
 case ':':
 buf.append("%3A");
 continue;
+ case '[':
+ buf.append("%5B");
+ continue;
+ case ']':
+ buf.append("%5D");
+ continue;
 default:
 if (c <= 0x1f) // includes negative
 toHex(c,buf);
@@ -190,6 +198,12 @@ class URIUtil
 case ':':
 buf.append("%3A");
 continue;
+ case '[':
+ buf.append("%5B");
+ continue;
+ case ']':
+ buf.append("%5D");
+ continue;
 default:
 if (c <= 0x1f || (c >= 0x7f && c <= 0x9f) || Character.isSpaceChar(c))
 toHex(c,buf);
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 421ff4f630110e645f24b485d06a7151f306e1cd..098e16d499456339b4699536706ff45ebf0c4769 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
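Review bot: escapeJSString() in the I2PSnarkServlet hunk at 1654 leaves line terminators untouched: a raw CR or LF (and, in engines predating ES2019, U+2028 or U+2029) inside the single-quoted confirm() literal is a JavaScript syntax error, and a handler that fails to compile would presumably let the click proceed with no confirmation at all. Whether names can still carry such characters by the time they reach this method is not visible here, so treat it as defence in depth and extend the chain with `.replace("\r", "\\u000d").replace("\n", "\\u000a")` plus the two Unicode separators. The Javadoc should also say what "JS and HTML-safe" covers (the result is safe only inside a quoted JS string literal in an attribute or script block, not as bare HTML), state that `s` must be non-null, and move the reference URL into an `@see` tag so it is not parsed as part of `@since`.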
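Review bot: In URIUtil the bracket cases have to be added to three separate switches (the pre-scan at 85 that decides whether a buffer is needed, and the two encoding loops at 145 and 198), and nothing in the code ties those lists together. Judging by the visible `break loop` logic, a character present in an encoding switch but missing from the pre-scan would pass through unencoded whenever it is the only special character in the path. A comment on the pre-scan switch such as `// Keep this list in sync with the case lists in both encoding loops below.` would make the dependency explicit. The enclosing methods start and end outside all three hunks.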
@@ -18,7 +18,7 @@ public class RouterVersion {
 /** deprecated */
 public final static String ID = "Monotone";
 public final static String VERSION = CoreVersion.VERSION;
- public final static long BUILD = 16;
+ public final static long BUILD = 17;
 /** for example "-test" */
 public final static String EXTRA = "-rc";