Add field name escape

See: https://andreubotella.github.io/multipart-form-data/#escape-a-multipart-form-data-name

Author: octet-stream

lib/Encoder.ts

@@ -1,4 +1,5 @@
 import createBoundary from "./util/createBoundary"
+import escape from "./util/escapeName"
 import isFormData from "./util/isFormData"
 import isFile from "./util/isFile"
 
@@ -96,10 +97,10 @@ export class Encoder {
     let header = ""
 
     header += `${this.#DASHES}${this.boundary}${this.#CRLF}`
-    header += `Content-Disposition: form-data; name="${name}"`
+    header += `Content-Disposition: form-data; name="${escape(name)}"`
 
     if (isFile(value)) {
-      header += `; filename="${value.name}"${this.#CRLF}`
+      header += `; filename="${escape(value.name)}"${this.#CRLF}`
       header += `Content-Type: ${value.type || "application/octet-stream"}`
     }
 

lib/util/escapeName.test.ts

@@ -0,0 +1,31 @@
+import test from "ava"
+
+import escapeName from "./escapeName"
+
+const CR = "%0D"
+const LF = "%0A"
+const Q = "%22"
+
+test("Escapes all the CRs in the name", t => {
+  t.is<string>(escapeName("\rna\rme\r"), `${CR}na${CR}me${CR}`)
+})
+
+test("Keeps escaped CR as is", t => {
+  const expected = `name${CR}`
+
+  t.is<string>(escapeName(expected), expected)
+})
+
+test("Escapes all the LFs in the name", t => {
+  t.is<string>(escapeName("nam\ne\n"), `nam${LF}e${LF}`)
+})
+
+test("Keeps escaped LF as is", t => {
+  const expected = `name${LF}`
+
+  t.is<string>(escapeName(expected), expected)
+})
+
+test("Escapes all double quotes in the name", t => {
+  t.is<string>(escapeName("\"name\""), `${Q}name${Q}`)
+})

lib/util/escapeName.ts

@@ -0,0 +1,6 @@
+const escapeName = (name: unknown) => String(name)
+  .replace(/\r/g, "%0D") // CR
+  .replace(/\n/g, "%0A") // LF
+  .replace(/"/g, "%22")
+
+export default escapeName