From 807e1245708165ff9f589f4cc3b83c11cf0f4b58 Mon Sep 17 00:00:00 2001
From: dreamer <dreamer@puikheid.nl>
Date: Tue, 31 Mar 2026 11:16:28 +0200
Subject: [PATCH] properly handle escaping of paths

---
 code/handlers/roothandler.lua |  3 ++-
 code/hotmixes/utils.lua       | 18 +++++-------------
 code/views/root.etlua         |  6 +++---
 3 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/code/handlers/roothandler.lua b/code/handlers/roothandler.lua
index c89673a..9ff4970 100644
--- a/code/handlers/roothandler.lua
+++ b/code/handlers/roothandler.lua
@@ -11,13 +11,14 @@ local function Roothandler(self)
     local latest_path, latest_name = hotmixes.utils.these_latest( path )
 
     self.total = hotmixes.utils.total_files_dir( path )
-    self.uri = hotmixes.utils.request_path
+    self.uri = hotmixes.utils.request_path:sub(2) -- remove leading slash
     self.path = '/data/' .. self.titles.url .. hotmixes.utils.request_path
     self.dirs = stuff.dirs
     self.files = stuff.files
     self.images = stuff.images
     self.latestpath = latest_path
     self.latestname = latest_name
+    self.functions = { escape = escape }
 
     if self.titles['url'] == "panamaracing.club" then
         return { render = "root", layout = require "views.prc_layout" }
diff --git a/code/hotmixes/utils.lua b/code/hotmixes/utils.lua
index 1be42c8..4361468 100644
--- a/code/hotmixes/utils.lua
+++ b/code/hotmixes/utils.lua
@@ -15,7 +15,7 @@ end
 
 local request_path
 if request_uri ~= '/' then
-    request_path = request_uri .. '/'
+    request_path = request_uri  .. '/'
 else
     request_path = request_uri
 end
@@ -30,14 +30,6 @@ local type_allowed = { jpg=true, jpeg=true, png=true, gif=true, mp3=true, flac=t
 
 local utils =  {}
 
-utils['compare_file'] = function(a, b)
-  return a["file"] < b["file"]
-end
-
-utils['compare_dir'] = function(a, b)
-  return a["dir"] < b["dir"]
-end
-
 utils['request_path'] = request_path
 utils['data_path'] = data_path
 
@@ -72,17 +64,17 @@ utils['these_files'] = function( path )
                 if utils.match_ext( file, type_image ) then
                     table.insert( images, file )
                 elseif utils.match_ext( file, type_media ) then
-                    table.insert( files, {sane=escape(file), file=file} )
+                    table.insert( files, file )
                 end
             elseif lfs.attributes( path .. file, "mode" ) == "directory" then
-                table.insert( dirs, {sane=escape(file), dir=file} )
+                table.insert( dirs, file )
             end
         end
     end
 
     table.sort( images )
-    table.sort( files, utils.compare_file )
-    table.sort( dirs, utils.compare_dir )
+    table.sort( files )
+    table.sort( dirs )
 
     local stuff = {
         files = files,
diff --git a/code/views/root.etlua b/code/views/root.etlua
index 7c3dcbe..bed1cb5 100644
--- a/code/views/root.etlua
+++ b/code/views/root.etlua
@@ -10,14 +10,14 @@
 
 <% for i, dir in ipairs(dirs) do %>
     <br>
-        <a href="<%= uri .. dir["sane"] %>" class="djsection"><span><%= dir["dir"] %></span></a>
+        <a href="<%- functions.escape(uri .. dir) %>" class="djsection"><span><%= dir %></span></a>
     <br>
 <% end %>
     <br>
 
 <% for i, file in ipairs(files) do %>
-    <a class="amixlink" href="<%= path .. file["sane"] %>">
-        <span class="mixlink"><%= file["file"] %></span>
+    <a class="amixlink" href="<%- functions.escape(path .. file) %>">
+        <span class="mixlink"><%= file %></span>
     </a>
     <br>
 <% end %>