From 0a20b7047849459427987426881b032c661fc2c7 Mon Sep 17 00:00:00 2001
From: Matthias Blankertz <matthias@blankertz.org>
Date: Tue, 27 Jan 2026 18:15:15 +0100
Subject: [PATCH] fix: frontend: Correctly escape filenames in URL parameters

Signed-off-by: Matthias Blankertz <matthias@blankertz.org>
---
 software/frontend/index.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/software/frontend/index.html b/software/frontend/index.html
index 43de408..4a56059 100644
--- a/software/frontend/index.html
+++ b/software/frontend/index.html
@@ -938,7 +938,7 @@
                     }
                 }
             };
-            xhr.open("POST", `/api/v1/audiofiles?type=file&location=${location}`);
+            xhr.open("POST", `/api/v1/audiofiles?type=file&location=${encodeURIComponent(location)}`);
             xhr.overrideMimeType("audio/mpeg");
             xhr.send(files[0]);
         }
@@ -956,7 +956,7 @@
             const location = selectedNodes.length === 1
                 ? selectedNodes[0].getAttribute('data-path') + '/' + name.value
                 : '/' + name.value;
-            const saveRes = await fetch(`/api/v1/audiofiles?type=directory&location=${location}`,
+            const saveRes = await fetch(`/api/v1/audiofiles?type=directory&location=${encodeURIComponent(location)}`,
                   {method: 'POST'});
             // Reload file list from device
             onShow('refresh');
@@ -973,7 +973,7 @@
             items.sort();
             items.reverse();
             for (const item of items) {
-                const saveRes = await fetch(`/api/v1/audiofiles?location=${item}`,
+                const saveRes = await fetch(`/api/v1/audiofiles?location=${encodeURIComponent(item)}`,
                   {method: 'DELETE'});
                 if (!saveRes.ok) {
                     alert(`Failed to delete item ${item}: ${await saveRes.text()}`);