File browser breaking due to special character in file name #296

New Issue

OVERLORD · 2026-02-05T17:23:49+03:00

OVERLORD commented

2026-02-05 17:23:49 +03:00

Originally created by @nzxl101 on GitHub (Apr 3, 2025).

Originally assigned to: @rmartinoscar on GitHub.

Current Behavior

When uploading a file through URL that contains special characters e.g. a quotation mark, the whole file browser will stop working until the file has been deleted through SFTP.

Expected Behavior

Be able to upload files with special characters by properly escaping/or removing them.

Steps to Reproduce

Go to Files
Upload
Upload from URL/or local
URL input: https://mediafilez.forgecdn.net/files/5317/51/Sneak%27s%20RPG%20Pack%20SERVER.zip

Panel Version

1.0.0-beta18

Wings Version

1.0.0-beta10

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs

Is there an existing issue for this?

I have searched the existing issues before opening this issue.
I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.

Originally created by @nzxl101 on GitHub (Apr 3, 2025). Originally assigned to: @rmartinoscar on GitHub. ### Current Behavior When uploading a file through URL that contains special characters e.g. a quotation mark, the whole file browser will stop working until the file has been deleted through SFTP. ### Expected Behavior Be able to upload files with special characters by properly escaping/or removing them. ### Steps to Reproduce 1. Go to Files 2. Upload 3. Upload from URL/or local 4. URL input: https://mediafilez.forgecdn.net/files/5317/51/Sneak%27s%20RPG%20Pack%20SERVER.zip ### Panel Version 1.0.0-beta18 ### Wings Version 1.0.0-beta10 ### Games and/or Eggs Affected _No response_ ### Docker Image _No response_ ### Error Logs ```bash ``` ### Is there an existing issue for this? - [x] I have searched the existing issues before opening this issue. - [x] I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server. - [x] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.

OVERLORD added the 🟡 medium label 2026-02-05 17:23:49 +03:00

OVERLORD closed this issue

2026-02-05 17:23:50 +03:00

OVERLORD commented

2026-02-05 17:23:52 +03:00

@rmartinoscar commented on GitHub (Apr 3, 2025):

Hey please provide more logs, i just tried Upload > From URL and i get

DEBUG: [Apr  3 15:30:53.577] writing remote file to disk path=/Sneak's RPG Pack SERVER.zip server=ed4f088e-18d6-4b36-a691-0f145399d1e5
DEBUG: [Apr  3 15:30:57.126] GET /api/system/utilization client_ip=127.0.0.1 latency=1.232498ms request_id=18a37ae0-152b-44a2-ba12-bf4d0c458a05 status=200
INFO: [Apr  3 15:30:59.822] completed pull of remote file download_id=c4e4dfbb-f53a-4d59-8b04-360a74baecc2 server=ed4f088e-18d6-4b36-a691-0f145399d1e5
DEBUG: [Apr  3 15:31:03.296] GET /api/system/utilization client_ip=127.0.0.1 latency=1.192242ms request_id=e65eded6-473b-4165-a21b-c70529b61a70 status=200
DEBUG: [Apr  3 15:31:03.700] GET /api/servers/ed4f088e-18d6-4b36-a691-0f145399d1e5/files/list-directory?directory=%2F client_ip=127.0.0.1 latency=264.776µs request_id=d75c4ae9-9f09-40db-bc7e-91f3ba916714 status=200

@rmartinoscar commented on GitHub (Apr 3, 2025): Hey please provide more logs, i just tried Upload > From URL and i get ![Image](https://github.com/user-attachments/assets/fca03e85-ef73-4898-872e-4ffe42c48e47) ``` DEBUG: [Apr 3 15:30:53.577] writing remote file to disk path=/Sneak's RPG Pack SERVER.zip server=ed4f088e-18d6-4b36-a691-0f145399d1e5 DEBUG: [Apr 3 15:30:57.126] GET /api/system/utilization client_ip=127.0.0.1 latency=1.232498ms request_id=18a37ae0-152b-44a2-ba12-bf4d0c458a05 status=200 INFO: [Apr 3 15:30:59.822] completed pull of remote file download_id=c4e4dfbb-f53a-4d59-8b04-360a74baecc2 server=ed4f088e-18d6-4b36-a691-0f145399d1e5 DEBUG: [Apr 3 15:31:03.296] GET /api/system/utilization client_ip=127.0.0.1 latency=1.192242ms request_id=e65eded6-473b-4165-a21b-c70529b61a70 status=200 DEBUG: [Apr 3 15:31:03.700] GET /api/servers/ed4f088e-18d6-4b36-a691-0f145399d1e5/files/list-directory?directory=%2F client_ip=127.0.0.1 latency=264.776µs request_id=d75c4ae9-9f09-40db-bc7e-91f3ba916714 status=200 ```

OVERLORD commented

2026-02-05 17:23:53 +03:00

@nzxl101 commented on GitHub (Apr 3, 2025):

Hi,
It's not an issue with the upload process itself but rather a client side bug that breaks the JavaScript and renders the file browser unusable. You can't edit/delete/replace any files after such a file has been uploaded

@nzxl101 commented on GitHub (Apr 3, 2025): Hi, It's not an issue with the upload process itself but rather a client side bug that breaks the JavaScript and renders the file browser unusable. You can't edit/delete/replace any files after such a file has been uploaded ![Image](https://github.com/user-attachments/assets/9dc47b6b-4677-4b43-a798-d721b9040c17)

OVERLORD commented

2026-02-05 17:23:54 +03:00

@rmartinoscar commented on GitHub (Apr 3, 2025):

Oh i see you can't do any action now, I'll investigate.

@rmartinoscar commented on GitHub (Apr 3, 2025): Oh i see you can't do any action now, I'll investigate.

OVERLORD commented

2026-02-05 17:23:55 +03:00

@weeaudi commented on GitHub (Apr 26, 2025):

This is also potentially a security vulnerability. Because of this issue, I am not 100% sure if it was possible to embed JS into the file name running code on anyone who visited the files page

@weeaudi commented on GitHub (Apr 26, 2025): This is also potentially a security vulnerability. Because of this issue, I am not 100% sure if it was possible to embed JS into the file name running code on anyone who visited the files page

OVERLORD referenced this issue

2026-02-05 17:51:00 +03:00

[PR #296] [MERGED] Added 2 badges to readme.md #672

Sign in to join this conversation.

Branches Tags

main

boy132/composer-update

boy132/reorderable-egg-stuff

boy132/replace-hardcoded-hex-strings

boy132/backup-notifications

boy132/backup-hosts

shift-2026-04

charles/filament-v5

release/v1.0.0-beta33

release/v1.0.0-beta32

lance/1228

lance/2026

lance/1022

lance/1585

lance/2163

charles/spotlight

charles/ex-im-servers

auto-claude/022-docker-image-links-plugin-dir-wrong

auto-claude/022-docker-image-links-plugin-dir-wrong-clean

release/v1.0.0-beta31

auto-claude/005-run-unit-tests-in-parallel

charles/new-activitylog

release/v1.0.0-beta30

release/v1.0.0-beta29

release/v1.0.0-beta28

release/v1.0.0-beta27

release/v1.0.0-beta26

release/v1.0.0-beta25

release/v1.0.0-beta24

release/v1.0.0-beta23

release/v1.0.0-beta22

release/v1.0.0-beta21

release/v1.0.0-beta20

release/v1.0.0-beta19

release/v1.0.0-beta18

release/v1.0.0-beta17

release/v1.0.0-beta16

release/v1.0.0-beta15

release/v1.0.0-beta14

release/v1.0.0-beta13

release/v1.0.0-beta11

release/v1.0.0-beta10

release/v1.0.0-beta9

release/v1.0.0-beta8

release/v1.0.0-beta7

release/v1.0.0-beta6

release/v1.0.0-beta5

release/v1.0.0-beta4

release/v1.0.0-beta3

release/v1.0.0-beta2

release/v1.0.0-beta1

3.x

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/panel-pelican-dev#296