[fb] Prevent cross site scripting in file and folder names

This takes care of possible xss injection through file and folder names in the File Browser.

apps/filebrowser/src/filebrowser/templates/display.mako

@@ -242,7 +242,10 @@ ${ fb_components.menubar() }
   function getContent (callback) {
     // We don't use the python variable path_enc here since that will 
     // produce a double encoded path after calling the python url function
-    const decodedPath = "${path | n}";
+    // In this case we don't want to sanitize the path for XSS as we want exact match on the actual file name,
+    // so to prevent breaking the page on substitution we enforce a js compatible string by only encoding the backtick
+    // char (`) with a js decode to restore it in case file actually has backtick in the name.
+    const decodedPath = `${path.replace("`", "`") | n}`.replaceAll('`', '`');
     const encodedPath = encodeURIComponent(decodedPath);
     const pathPrefix = "/filebrowser/view=";
     const contentPath = pathPrefix+encodedPath;
@@ -311,7 +314,7 @@ ${ fb_components.menubar() }
     var self = this;
 
     self.goToParentDirectory = function () {
-      huePubSub.publish('open.filebrowserlink', { pathPrefix: "/filebrowser/view=", decodedPath: "${view['dirname'] | n}" });
+      huePubSub.publish('open.filebrowserlink', { pathPrefix: "/filebrowser/view=", decodedPath: "${view['dirname'] | n, h}" });
     }
 
     self.changePage = function () {
@@ -379,8 +382,8 @@ ${ fb_components.menubar() }
     self.editFile = function() {
       self.isViewing(false);
       self.isLoading(true);
-      
-      const encodedPath = encodeURIComponent("${path | n}");      
+
+      const encodedPath = encodeURIComponent("${path | n, h}");
       $.ajax({
         url: '/filebrowser/edit=' + encodedPath + '?is_embeddable=true',
         beforeSend:function (xhr) {
@@ -403,7 +406,7 @@ ${ fb_components.menubar() }
     }
 
     self.downloadFile = function () {
-      huePubSub.publish('open.filebrowserlink', { pathPrefix: "/filebrowser/download=", decodedPath:  "${path | n}" });      
+      huePubSub.publish('open.filebrowserlink', { pathPrefix: "/filebrowser/download=", decodedPath:  "${path | n, h}" });
     };
 
     self.pageChanged = function () {

apps/filebrowser/src/filebrowser/templates/fb_components.mako

@@ -16,6 +16,7 @@
 <%!
 import datetime
 import sys
+from desktop.views import _ko
 from desktop.lib.paths import SAFE_CHARACTERS_URI_COMPONENTS
 
 from django.template.defaultfilters import urlencode, stringformat, date, filesizeformat, time
@@ -97,14 +98,14 @@ else:
             <% label, f_url = breadcrumb_item['label'], breadcrumb_item['url'] %>
             %if label[-1] == '/':
             <li><a href="javascript: void(0)" data-bind="click: ()=> {
-              huePubSub.publish('open.filebrowserlink', { pathPrefix: '/filebrowser/view=', decodedPath: `${f_url | n}` });
+              huePubSub.publish('open.filebrowserlink', { pathPrefix: '/filebrowser/view=', decodedPath: '${_ko(f_url) | n, h}' });
               window.hueAnalytics.log('filebrowser', 'file-breadcrumb-navigation');
-              }"><span class="divider">${label}</span></a></li>              
+              }"><span class="divider">${label | n, h}</span></a></li>
             %else:
             <li><a href="javascript: void(0)" data-bind="click: ()=> {
-              huePubSub.publish('open.filebrowserlink', { pathPrefix: '/filebrowser/view=', decodedPath: `${f_url | n}` });
+              huePubSub.publish('open.filebrowserlink', { pathPrefix: '/filebrowser/view=', decodedPath: '${_ko(f_url) | n, h}' });
               window.hueAnalytics.log('filebrowser', 'file-breadcrumb-navigation');
-              }">${label}</a><span class="divider">/</span></li>              
+              }">${label | n, h}</a><span class="divider">/</span></li>
             %endif
           % endfor
           </ul>