jQuery File Upload - blueimp filenames with special characters

Question

Some of my users will attach files with names that contain special characters which are problematic for the utility when downloading and uploading, single quotes, spaces, etc. This seems like it should be a simple problem to address but since I'm a "greenie" when coding I could use some help.

I've tried modifying the 'UploadHandler.php' functions to manipulate the file name with no success. I'm not sure if I need to address it at the input level on the form or on the upload...

My last attempt was in the trim_file_name() function:

protected function trim_file_name($name,
        $type = null, $index = null, $content_range = null) {
    // Remove path information and dots around the filename, to prevent uploading
    // into different directories or replacing hidden system files.
    // Also remove control characters and spaces (\x00..\x20) around the filename:
    $name = trim(basename(stripslashes($name)), ".\x00..\x20");
    // Use a timestamp for empty filenames:
    if (!$name) {
        $name = str_replace('.', '-', microtime(true));
        $name = preg_replace('/[^A-Za-z0-9\-]/', '', $name); <==== my attempt
    }
    // Add missing file extension for known image types:
    if (strpos($name, '.') === false &&
        preg_match('/^image\/(gif|jpe?g|png)/', $type, $matches)) {
        $name .= '.'.$matches[1];
    }
    return $name;
}

I could really use some help with this. I'm really frustrated.

Thanks,

Answer 1

I use a couple of functions that have worked well in production to sanitise and clean file names, I'll put them below.

public static function cleanFileName($filename)
{
    $filename = htmlentities($filename, ENT_QUOTES, 'UTF-8');
    $filename = preg_replace('~&([a-z]{1,2})(acute|cedil|circ|grave|lig|orn|ring|slash|th|tilde|uml);~i', '$1', $filename);
    $filename = html_entity_decode($filename, ENT_QUOTES, 'UTF-8');
    $filename = preg_replace(array('~[^0-9a-z]~i', '~[ -]+~'), ' ', $filename);
    return trim($filename, ' -');
}

public static function sanitizeFileName($filename)
{
    $dangerous_characters = array(" ", '"', "'", "&", "/", "\\", "?", "#");
    return str_replace($dangerous_characters, '_', $filename);
}

So once you've copied both those functions to the UploadHandler class, the modified trim_file_name function would look like this:

protected function trim_file_name($name,
    $type = null, $index = null, $content_range = null) {
// Remove path information and dots around the filename, to prevent uploading
// into different directories or replacing hidden system files.
// Also remove control characters and spaces (\x00..\x20) around the filename:
$name = trim(basename(stripslashes($name)), ".\x00..\x20");

// Use a timestamp for empty filenames:
if (!$name) {
    $name = str_replace('.', '-', microtime(true));
}
// Add missing file extension for known image types:
if (strpos($name, '.') === false &&
    preg_match('/^image\/(gif|jpe?g|png)/', $type, $matches)) {
    $name .= '.'.$matches[1];
}
// Call sanitize file name function
$name = UploadHandler::sanitizeFileName($name);
// Call clean file name function
$name = UploadHandler::cleanFileName($name);
return $name;
}

Answer 2

Adam: "Extremely close! The filename is being modifed correctly but appears to adding the file extension as part of the file name, eg My'File.jpg = My File jpg.jpg Any ideas?"

I had same issue, i just fixed the function cleanFileName() ... you should add a dot "." to the last preg_replace function:

this line:

$filename = preg_replace(array('~[^0-9a-z]~i', '~[ -]+~'), ' ', $filename);

should be:

$filename = preg_replace(array('~[^0-9.a-z]~i'),'',$filename);

so the dot is not removed by the regular expression.

public static function cleanFileName($filename)
{

    $filename = htmlentities($filename, ENT_QUOTES, 'UTF-8');
    $filename = preg_replace('~&([a-z]{1,2})(acute|cedil|circ|grave|lig|orn|ring|slash|th|tilde|uml);~i', '$1', $filename);
    $filename = html_entity_decode($filename, ENT_QUOTES, 'UTF-8');
    $filename = preg_replace(array('~[^0-9.a-z]~i'),'',$filename);


    return trim($filename, ' -');
}