fix(files): RFC 5987 encode Content-Disposition filenames

[waleedlatif1]

Summary

• Downloading files with non-ASCII characters in the name (e.g. em-dash —) returned 500 from /api/files/export/[id] because the Content-Disposition header value isn't valid ISO-8859-1
• Switched broken routes to the existing encodeFilenameForHeader helper (RFC 5987 filename=...; filename*=UTF-8''...); also fixed admin folder/workspace ZIP exports which used sanitizePathSegment (keeps Unicode letters) and had the same latent bug

Type of Change

• Bug fix

Testing

Tested manually — reproduced the 500 in prod logs (Header '17' has invalid value: 'attachment; filename="Linear Pagination Loop — Reference.md"'), audited every Content-Disposition callsite in the app, fixed only the ones whose filename source can contain non-ASCII

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		May 22, 2026 1:45am

[cursor]

PR Summary

Low Risk
Low risk: changes are limited to Content-Disposition header construction for download/export responses to properly handle non-ASCII filenames, without altering auth, data access, or export payloads.

Overview
Fixes file/folder/workspace export downloads that could 500 when filenames contain non-ASCII characters by switching Content-Disposition to use RFC 5987 encoding via encodeFilenameForHeader.

Exports encodeFilenameForHeader from apps/sim/app/api/files/utils.ts and reuses it in /api/files/export/[id] (markdown + zip) and admin folder/workspace ZIP export routes so generated download filenames are always header-safe.

^{Reviewed by Cursor Bugbot for commit c1f04ed. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes a production 500 error on /api/files/export/[id] caused by non-ASCII characters (e.g. em-dash) in filenames being placed verbatim into Content-Disposition headers, which require ISO-8859-1-safe values. The fix exports the existing encodeFilenameForHeader RFC 5987 helper from utils.ts and applies it to the file export and admin ZIP export routes.

• utils.ts: encodeFilenameForHeader is promoted to export, enabling reuse across the three fixed routes.
• files/export/[id]/route.ts: Both the single-file markdown path and the ZIP-with-assets path now use RFC 5987 encoding; safeFilename does not strip Unicode, so these callsites were genuinely broken.
• v1/admin/folders/[id]/export/route.ts and v1/admin/workspaces/[id]/export/route.ts: sanitizePathSegment intentionally preserves Unicode letters, so the old bare filename=\"...\" header could break on any folder/workspace with a non-ASCII name.

Confidence Score: 5/5

Safe to merge — the change is narrow, touches only Content-Disposition header construction, and uses a battle-tested helper that was already in production for the file-serve path.

All four callsites are correctly updated. The remaining Content-Disposition callsites in the codebase either use hardcoded ASCII filenames, apply a sanitizer that strips non-ASCII before header construction, or have their own inline RFC 5987 encoding — none are left in a broken state. The encoding logic itself (percent-encoding via encodeURIComponent with an ASCII fallback) is correct for RFC 5987.

No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/app/api/files/utils.ts	Minimal change: encodeFilenameForHeader is promoted from module-private to exported. Implementation is unchanged and correct for RFC 5987.
apps/sim/app/api/files/export/[id]/route.ts	Both Content-Disposition headers now use encodeFilenameForHeader; safeFilename preserves Unicode so the fix was necessary and is correctly applied.
apps/sim/app/api/v1/admin/folders/[id]/export/route.ts	Replaces bare filename= with encodeFilenameForHeader; sanitizePathSegment keeps Unicode letters so this callsite was latently broken without the fix.
apps/sim/app/api/v1/admin/workspaces/[id]/export/route.ts	Same pattern as the folder export route; fix is correct and consistent.

Sequence Diagram

sequenceDiagram
    participant Client
    participant ExportRoute as files/export/[id]
    participant AdminRoute as admin/folders or workspaces export
    participant Utils as encodeFilenameForHeader

    Client->>ExportRoute: GET file with non-ASCII name
    ExportRoute->>Utils: encodeFilenameForHeader(mdName)
    Utils-->>ExportRoute: RFC 5987 encoded header value
    ExportRoute-->>Client: 200 with valid Content-Disposition

    Client->>AdminRoute: GET folder or workspace with Unicode name
    AdminRoute->>AdminRoute: sanitizePathSegment keeps Unicode letters
    AdminRoute->>Utils: encodeFilenameForHeader(filename)
    Utils-->>AdminRoute: RFC 5987 encoded header value
    AdminRoute-->>Client: 200 with valid Content-Disposition

Loading

_{Reviews (1): Last reviewed commit: "fix(files): RFC 5987 encode Content-Disp..." | Re-trigger Greptile}