fix: special characters in album titles

controllers/albumsController.js

@@ -452,7 +452,7 @@ self.edit = async (req, res) => {
       identifier: update.identifier
     })
   } else {
-    return res.json({ success: true, name })
+    return res.json({ success: true, name: utils.unescape(name) })
   }
 }
 

controllers/middlewares/NunjucksRenderer.js

@@ -54,7 +54,8 @@ class NunjucksRenderer {
         resolve(html)
       })
     }).then(html => {
-      res.type('html').send(html)
+      res.header('Content-Type', 'text/html; charset=utf-8')
+      res.send(html)
       return html
     })
   }

controllers/utilsController.js

@@ -292,56 +292,30 @@ self.extname = (filename, lower) => {
   return lower ? str.toLowerCase() : str
 }
 
+const escapeMap = {
+  '&': '&',
+  '"': '"',
+  '\'': ''',
+  '<': '&lt;',
+  '>': '&gt;',
+  '\\': '&#92;'
+}
+
+const escapeRegex = /[&"'<>\\]/g
+
+const unescapeMap = Object.keys(escapeMap).reduce((ret, key) => {
+  ret[escapeMap[key]] = key
+  return ret
+}, {})
+
+const unescapeRegex = /&(amp|quot|#39|lt|gt|#92);/g
+
 self.escape = string => {
-  // MIT License
+  return string.replace(escapeRegex, key => escapeMap[key])
-  // Copyright(c) 2012-2013 TJ Holowaychuk
+}
-  // Copyright(c) 2015 Andreas Lubbe
-  // Copyright(c) 2015 Tiancheng "Timothy" Gu
 
-  if (!string) return string
+self.unescape = string => {
-
+  return string.replace(unescapeRegex, key => unescapeMap[key])
-  const str = String(string)
-  const match = /["'&<>]/.exec(str)
-
-  if (!match) return str
-
-  let escape
-  let html = ''
-  let index = 0
-  let lastIndex = 0
-
-  for (index = match.index; index < str.length; index++) {
-    switch (str.charCodeAt(index)) {
-      case 34: // "
-        escape = '&quot;'
-        break
-      case 38: // &
-        escape = '&amp;'
-        break
-      case 39: // '
-        escape = '&#39;'
-        break
-      case 60: // <
-        escape = '&lt;'
-        break
-      case 62: // >
-        escape = '&gt;'
-        break
-      default:
-        continue
-    }
-
-    if (lastIndex !== index) {
-      html += str.substring(lastIndex, index)
-    }
-
-    lastIndex = index + 1
-    html += escape
-  }
-
-  return lastIndex !== index
-    ? html + str.substring(lastIndex, index)
-    : html
 }
 
 self.stripIndents = string => {

routes/album.js

@@ -23,6 +23,7 @@ routes.get('/a/:identifier', async (req, res) => {
     return errors.handleNotFound(req, res)
   }
 
+  album.name = utils.unescape(album.name)
   const nojs = req.query_parameters.nojs !== undefined
 
   let cacheid
@@ -32,7 +33,8 @@ routes.get('/a/:identifier', async (req, res) => {
 
     const cache = utils.albumRenderStore.get(cacheid)
     if (cache) {
-      return res.type('html').send(cache)
+      res.header('Content-Type', 'text/html; charset=utf-8')
+      return res.send(cache)
     } else if (cache === null) {
       return res.render('album-notice', {
         config,

views/_layout.njk

@@ -22,7 +22,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
 
-    <title>{{ title }}</title>
+    <title>{{ title | safe }}</title>
 
     {% block stylesheets %}
     <!-- Stylesheets -->
@@ -33,7 +33,7 @@
     <!-- Open Graph tags -->
     <meta property="og:url" content="{{ url }}" />
     <meta property="og:type" content="website" />
-    <meta property="og:title" content="{{ title }}" />
+    <meta property="og:title" content="{{ title | safe }}" />
     <meta property="og:description" content="{{ metaDesc or globals.description }}" />
     {%- if metaImage %}
     <meta property="og:image" content="{{ metaImage }}" />
@@ -48,7 +48,7 @@
 
     <!-- Twitter Card tags -->
     <meta name="twitter:card" content="summary_large_image">
-    <meta name="twitter:title" content="{{ title }}">
+    <meta name="twitter:title" content="{{ title | safe }}">
     <meta name="twitter:description" content="{{ metaDesc or globals.description }}">
     {%- if metaImage %}
     <meta name="twitter:image" content="{{ metaImage }}">

views/album-notice.njk

@@ -1,5 +1,5 @@
 {% set metaTitle %}
-{{- album.name | truncate(60, true, '…') -}}
+{{- album.name | safe | truncate(60, true, '…') -}}
 {% endset %}
 {% set metaDesc = album.description | striptags | truncate(200, true, '…') %}
 {% set metaUrl = '/' + album.url %}

views/album.njk

@@ -1,5 +1,5 @@
 {% set metaTitle %}
-{{- album.name | truncate(60, true, '…') + ' – ' + files.length + ' file' + ('s' if files.length !== 1) -}}
+{{- album.name | safe | truncate(60, true, '…') }} - {{ files.length + ' file' + ('s' if files.length !== 1) -}}
 {% endset %}
 {% set metaDesc = album.description | striptags | truncate(200, true, '…') %}
 {% set metaUrl = '/' + album.url %}