From 1c0be052cc581fa326f67d49b5c1f9fb567f473e Mon Sep 17 00:00:00 2001
From: RTLcoil
Date: Sun, 30 Aug 2020 09:12:46 +0300
Subject: [PATCH] Encode all URI components when building a URL in base_api_url()
---
 lib-es5/utils/index.js | 6 +++++-
 lib/utils/index.js | 4 +++-
 test/utils/utils_spec.js | 5 +++++
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib-es5/utils/index.js b/lib-es5/utils/index.js
index acad973a..96168431 100644
--- a/lib-es5/utils/index.js
+++ b/lib-es5/utils/index.js
@@ -969,7 +969,11 @@ function base_api_url() {
 var cloudinary = ensureOption(options, "upload_prefix", UPLOAD_PREFIX);
 var cloud_name = ensureOption(options, "cloud_name");
- return [cloudinary, "v1_1", cloud_name].concat(path).join("/");
+ var encode_path = function encode_path(unencoded_path) {
+ return encodeURIComponent(unencoded_path).replace("'", '%27');
+ };
+ var encoded_path = Array.isArray(path) ? path.map(encode_path) : encode_path(path);
+ return [cloudinary, "v1_1", cloud_name].concat(encoded_path).join("/");
 }
 function api_url() {
diff --git a/lib/utils/index.js b/lib/utils/index.js
index e6a8e307..b5f35409 100644
--- a/lib/utils/index.js
+++ b/lib/utils/index.js
@@ -908,7 +908,9 @@ function unsigned_url_prefix(
 function base_api_url(path= [], options = {}) {
 let cloudinary = ensureOption(options, "upload_prefix", UPLOAD_PREFIX);
 let cloud_name = ensureOption(options, "cloud_name");
- return [cloudinary, "v1_1", cloud_name].concat(path).join("/");
+ let encode_path = unencoded_path => encodeURIComponent(unencoded_path).replace("'", '%27');
+ let encoded_path = Array.isArray(path) ? path.map(encode_path) : encode_path(path);
+ return [cloudinary, "v1_1", cloud_name].concat(encoded_path).join("/");
 }
 function api_url(action = 'upload', options = {}) {
diff --git a/test/utils/utils_spec.js b/test/utils/utils_spec.js
index dfa6ffb6..5dd495bc 100644
--- a/test/utils/utils_spec.js
+++ b/test/utils/utils_spec.js
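Review bot: In lib/utils/index.js, `.replace("'", '%27')` inside `encode_path` takes a string pattern, so only the first apostrophe in a path component is escaped and any later one reaches the URL raw; `encodeURIComponent(unencoded_path).replace(/'/g, '%27')` covers every occurrence. The same line appears in the lib-es5 copy of base_api_url, which looks transpiled from this file and should be regenerated rather than patched by hand. In the non-array branch a string `path` that already contains `/` now has it encoded as `%2F`, so it is worth confirming that every caller passes an array of segments. encodeURIComponent also leaves `.` untouched, so a segment that is exactly `..` is not neutralised by this change and would need its own check if segments can come from untrusted input.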
@@ -437,6 +437,11 @@ describe("utils", function () {
 type: "youtube"
 }, `http://res.cloudinary.com/${cloud_name}/image/youtube/http://www.youtube.com/watch%3Fv%3Dd9NF2edxy-M`, {});
 });
+ it('should escape api urls', function () {
+ const folderName = "sub^folder's test";
+ const url = utils.base_api_url(['folders', folderName]);
+ expect(url).to.match(/folders\/sub%5Efolder%27s%20test$/);
+ });
 });
 describe('transformation parameters', function () {
 describe("gravity", function () {
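Review bot: The fixture `sub^folder's test` contains a single apostrophe, so this test passes even though the `.replace("'", '%27')` call in base_api_url escapes only the first one. A second case such as `const folderName = "it's bob's/folder";` with `expect(url).to.match(/folders\/it%27s%20bob%27s%2Ffolder$/);` would pin both the repeated-quote handling and that a `/` inside a segment is encoded instead of starting a new path segment. The enclosing describe("utils") block starts outside the hunk.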