Escape mailbox names in URLs

Closes: https://todo.sr.ht/~sircmpwn/koushin/14
4 years ago · a4729060be
--- a/public/mailbox.html
+++ b/public/mailbox.html
@@ -11,14 +11,14 @@
 <p>Mailboxes:</p>
 <ul>
 	{{range .Mailboxes}}
 		<li><a href="/mailbox/{{.Name}}">{{.Name}}</a></li>
 		<li><a href="/mailbox/{{.Name | pathescape}}">{{.Name}}</a></li>
 	{{end}}
 </ul>

 <p>Messages:</p>
 <ul>
 	{{range .Messages}}
 		<li><a href="/message/{{$.Mailbox.Name}}/{{.Uid}}?part={{.TextPartName}}">
 		<li><a href="/message/{{$.Mailbox.Name | pathescape}}/{{.Uid}}?part={{.TextPartName}}">
 			{{.Envelope.Subject}}
 		</a></li>
 	{{end}}
--- a/public/message.html
+++ b/public/message.html
@@ -3,7 +3,7 @@
 <h1>koushin</h1>

 <p>
 	<a href="/mailbox/{{.Mailbox.Name}}">Back</a>
 	<a href="/mailbox/{{.Mailbox.Name | pathescape}}">Back</a>
 </p>

 <h2>{{.Message.Envelope.Subject}}</h2>
--- a/server.go
+++ b/server.go
@@ -142,7 +142,10 @@ func handleLogin(ectx echo.Context) error {
 }

 func handleGetPart(ctx *context, raw bool) error {
 	mboxName := ctx.Param("mbox")
 	mboxName, err := url.PathUnescape(ctx.Param("mbox"))
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, err)
 	}
 	uid, err := parseUid(ctx.Param("uid"))
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, err)
@@ -312,6 +315,11 @@ func New(imapURL, smtpURL string) *echo.Echo {
 	e.GET("/mailbox/:mbox", func(ectx echo.Context) error {
 		ctx := ectx.(*context)

 		mboxName, err := url.PathUnescape(ctx.Param("mbox"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, err)
 		}

 		var mailboxes []*imap.MailboxInfo
 		var msgs []imapMessage
 		var mbox *imap.MailboxStatus
@@ -320,7 +328,7 @@ func New(imapURL, smtpURL string) *echo.Echo {
 			if mailboxes, err = listMailboxes(c); err != nil {
 				return err
 			}
 			if msgs, err = listMessages(c, ctx.Param("mbox")); err != nil {
 			if msgs, err = listMessages(c, mboxName); err != nil {
 				return err
 			}
 			mbox = c.Mailbox()
--- a/template.go
+++ b/template.go
@@ -3,6 +3,7 @@ package koushin
 import (
 	"html/template"
 	"io"
 	"net/url"

 	"github.com/labstack/echo/v4"
 )
@@ -20,6 +21,9 @@ func loadTemplates() (*tmpl, error) {
 		"tuple": func(values ...interface{}) []interface{} {
 			return values
 		},
 		"pathescape": func(s string) string {
 			return url.PathEscape(s)
 		},
 	}).ParseGlob("public/*.html")
 	return &tmpl{t}, err
 }