From f477d37e6e60432f3d8e04a8da99d9afe28f36d4 Mon Sep 17 00:00:00 2001
From: Kent Delante <kent@delante.me>
Date: Thu, 23 Apr 2026 22:51:07 +0800
Subject: [PATCH] fix(files): escape html entities in dav search requests

Signed-off-by: Kent Delante <kent@delante.me>

This fixes a 'xmlParseEntityRef: no name' error returned when
searching in files navigation while in folders with special characters
in the name.
---
 apps/files/src/services/WebDavSearch.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/files/src/services/WebDavSearch.ts b/apps/files/src/services/WebDavSearch.ts
index feb7f30b357..f15904c7fc6 100644
--- a/apps/files/src/services/WebDavSearch.ts
+++ b/apps/files/src/services/WebDavSearch.ts
@@ -10,6 +10,7 @@ import { getCurrentUser } from '@nextcloud/auth'
 import { defaultRootPath, getDavNameSpaces, getDavProperties, resultToNode } from '@nextcloud/files/dav'
 import { getBaseUrl } from '@nextcloud/router'
 import { client } from './WebdavClient.ts'
+import escapeHTML from 'escape-html'
 import logger from '../logger.ts'
 
 export interface SearchNodesOptions {
@@ -56,7 +57,7 @@ export async function searchNodes(query: string, { dir, signal }: SearchNodesOpt
 		 </d:select>
 		 <d:from>
 			 <d:scope>
-				 <d:href>/files/${user.uid}${dir || ''}</d:href>
+				 <d:href>/files/${user.uid}${dir ? escapeHTML(dir) : ''}</d:href>
 				 <d:depth>infinity</d:depth>
 			 </d:scope>
 		 </d:from>