From fbbdf9ea01c0bf10c62bcea8059cbebb8f793151 Mon Sep 17 00:00:00 2001
From: Darshit Shah <darnir@gnu.org>
Date: Tue, 16 May 2023 18:33:40 +0200
Subject: [PATCH] Ensure that spaces are quoted when converting links

* src/convert.c(convert_links): Print the actual quoted newname when printing DEBUG output
  (local_quote_string): Also quote the ' ' charcter as %20. While it is okay
  to leave the characted as-is, quoting it covers more edge cases.
  And it should resolve a >10 year old bug with CSS url() parameters not being quoted

Bug-Id: 64082
Reported-By: Ethan Gibbs <ethan@snowsign.net>
Discussed-At: https://stackoverflow.com/q/13300017
---
 src/convert.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/convert.c b/src/convert.c
index b934d49b..24fa32f1 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -321,7 +321,7 @@ convert_links (const char *file, struct urlpos *links)
                                              link->refresh_timeout);
 
             DEBUGP (("TO_RELATIVE: %s to %s at position %d in %s.\n",
-                     link->url->url, newname, link->pos, file));
+                     link->url->url, quoted_newname, link->pos, file));
 
             xfree (newname);
             xfree (quoted_newname);
@@ -342,7 +342,7 @@ convert_links (const char *file, struct urlpos *links)
                                              link->refresh_timeout);
 
             DEBUGP (("Converted file part only: %s to %s at position %d in %s.\n",
-                     link->url->url, newname, link->pos, file));
+                     link->url->url, quoted_newname, link->pos, file));
 
             xfree (newname);
             xfree (quoted_newname);
@@ -365,7 +365,7 @@ convert_links (const char *file, struct urlpos *links)
                                              link->refresh_timeout);
 
             DEBUGP (("TO_COMPLETE: <something> to %s at position %d in %s.\n",
-                     newlink, link->pos, file));
+                     quoted_newlink, link->pos, file));
 
             xfree (quoted_newlink);
             ++to_url_count;
@@ -731,7 +731,11 @@ find_fragment (const char *beg, int size, const char **bp, const char **ep)
    safe for both local and HTTP-served browsing.
 
    We always quote "#" as "%23", "%" as "%25" and ";" as "%3B"
-   because those characters have special meanings in URLs.  */
+   because those characters have special meanings in URLs.
+
+   Additionally we always quote ' ' as "%20" since not quoting it
+   is illegal in CSS url()s and quoting it should not harm any
+   local browsing.  */
 
 static char *
 local_quote_string (const char *file, bool no_html_quote)
@@ -741,7 +745,7 @@ local_quote_string (const char *file, bool no_html_quote)
   char buf[1024];
   size_t tolen;
 
-  char *any = strpbrk (file, "?#%;");
+  char *any = strpbrk (file, "?#%; ");
   if (!any)
     return no_html_quote ? strdup (file) : html_quote_string (file);
 
@@ -771,6 +775,11 @@ local_quote_string (const char *file, bool no_html_quote)
         *to++ = '3';
         *to++ = 'B';
         break;
+      case ' ':
+        *to++ = '%';
+        *to++ = '2';
+        *to++ = '0';
+        break;
       case '?':
         if (opt.adjust_extension)
           {