fix: Use content type from header and name from X-Filename/Content-Disposition for XHR uploads (#22661)

Uses the filename from a X-Filename header (set by vaadin-upload). The filename is encoded using JavaScript's encodeURIComponent and decoded on the server using UrlUtil.decodeURIComponent (RFC 3986).

Author: Artur-

flow-server/src/main/java/com/vaadin/flow/internal/UrlUtil.java

@@ -20,6 +20,8 @@
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 /**
  * Internal utility class for URL handling.
@@ -31,6 +33,9 @@
  */
 public class UrlUtil {
 
+    private static final Pattern PERCENT_ENCODED = Pattern
+            .compile("%([0-9A-Fa-f]{2})");
+
     private UrlUtil() {
     }
 
@@ -105,6 +110,63 @@ public static String encodeURIComponent(String path) {
         }
     }
 
+    /**
+     * Decodes a percent-encoded string according to RFC 3986.
+     * <p>
+     * Corresponds to decodeURIComponent in JavaScript
+     * https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/decodeURIComponent
+     * <p>
+     * Unlike {@link java.net.URLDecoder}, this method does not treat '+' as a
+     * space character, making it suitable for decoding strings encoded with
+     * JavaScript's {@code encodeURIComponent()} or
+     * {@link #encodeURIComponent(String)}.
+     *
+     * @param encoded
+     *            the percent-encoded string
+     * @return the decoded string
+     */
+    public static String decodeURIComponent(String encoded) {
+        if (encoded == null || encoded.isEmpty()) {
+            return encoded;
+        }
+
+        Matcher matcher = PERCENT_ENCODED.matcher(encoded);
+        StringBuilder result = new StringBuilder();
+        int lastEnd = 0;
+
+        while (matcher.find()) {
+            // Append text before the match
+            result.append(encoded, lastEnd, matcher.start());
+
+            // Decode the hex value
+            String hex = matcher.group(1);
+            int value = Integer.parseInt(hex, 16);
+            result.append((char) value);
+
+            lastEnd = matcher.end();
+        }
+
+        // Append remaining text
+        result.append(encoded, lastEnd, encoded.length());
+
+        // Handle multi-byte UTF-8 sequences
+        byte[] bytes = new byte[result.length()];
+        boolean hasMultibyte = false;
+        for (int i = 0; i < result.length(); i++) {
+            char c = result.charAt(i);
+            if (c > 127) {
+                hasMultibyte = true;
+            }
+            bytes[i] = (byte) c;
+        }
+
+        if (hasMultibyte) {
+            return new String(bytes, StandardCharsets.UTF_8);
+        }
+
+        return result.toString();
+    }
+
     /**
      * Returns the given absolute path as a path relative to the servlet path.
      *

flow-server/src/main/java/com/vaadin/flow/server/streams/TransferUtil.java

@@ -42,6 +42,7 @@
 import com.vaadin.flow.component.Component;
 import com.vaadin.flow.component.ComponentUtil;
 import com.vaadin.flow.dom.Element;
+import com.vaadin.flow.internal.UrlUtil;
 import com.vaadin.flow.internal.streams.UploadCompleteEvent;
 import com.vaadin.flow.internal.streams.UploadStartEvent;
 import com.vaadin.flow.server.VaadinRequest;
@@ -150,7 +151,6 @@ static void handleUpload(UploadHandler handler, VaadinRequest request,
                 && JakartaServletFileUpload
                         .isMultipartContent((HttpServletRequest) request);
         try {
-            String fileName;
             if (isMultipartUpload) {
                 Collection<Part> parts = Collections.EMPTY_LIST;
                 try {
@@ -227,9 +227,21 @@ static void handleUpload(UploadHandler handler, VaadinRequest request,
                     }
                 }
             } else {
-                // These are unknown in filexhr ATM
-                fileName = "unknown";
-                String contentType = "unknown";
+                // Extract filename from X-Filename header
+                // The filename is encoded using JavaScript's encodeURIComponent
+                String fileName = request.getHeader("X-Filename");
+
+                if (fileName == null || fileName.isEmpty()) {
+                    fileName = "unknown";
+                } else {
+                    // Decode the percent-encoded filename
+                    fileName = UrlUtil.decodeURIComponent(fileName);
+                }
+
+                String contentType = request.getHeader("Content-Type");
+                if (contentType == null || contentType.isEmpty()) {
+                    contentType = "unknown";
+                }
 
                 UploadEvent event = new UploadEvent(request, response, session,
                         fileName, request.getContentLengthLong(), contentType,

flow-server/src/test/java/com/vaadin/flow/internal/UrlUtilTest.java

@@ -128,4 +128,55 @@ private VaadinServletRequest createRequest(String contextPath,
         return new VaadinServletRequest(request,
                 Mockito.mock(VaadinServletService.class));
     }
+
+    @Test
+    public void decodeURIComponent_percentEncodedSpace_decoded() {
+        String result = UrlUtil.decodeURIComponent("test%20file.txt");
+        Assert.assertEquals("test file.txt", result);
+    }
+
+    @Test
+    public void decodeURIComponent_plusSign_notDecodedAsSpace() {
+        // Plus signs should remain as plus signs (RFC 3986, not HTML form
+        // encoding)
+        String result = UrlUtil.decodeURIComponent("test+file.txt");
+        Assert.assertEquals("test+file.txt", result);
+    }
+
+    @Test
+    public void decodeURIComponent_encodedPlusSign_decoded() {
+        String result = UrlUtil.decodeURIComponent("test%2Bfile.txt");
+        Assert.assertEquals("test+file.txt", result);
+    }
+
+    @Test
+    public void decodeURIComponent_unicodeCharacters_decoded() {
+        // åäö.txt encoded as UTF-8 percent-encoded
+        String result = UrlUtil.decodeURIComponent("%C3%A5%C3%A4%C3%B6.txt");
+        Assert.assertEquals("åäö.txt", result);
+    }
+
+    @Test
+    public void decodeURIComponent_specialCharacters_decoded() {
+        String result = UrlUtil.decodeURIComponent("special%26%3Dchars.txt");
+        Assert.assertEquals("special&=chars.txt", result);
+    }
+
+    @Test
+    public void decodeURIComponent_nullValue_returnsNull() {
+        String result = UrlUtil.decodeURIComponent(null);
+        Assert.assertNull(result);
+    }
+
+    @Test
+    public void decodeURIComponent_emptyValue_returnsEmpty() {
+        String result = UrlUtil.decodeURIComponent("");
+        Assert.assertEquals("", result);
+    }
+
+    @Test
+    public void decodeURIComponent_noEncodedChars_returnsSame() {
+        String result = UrlUtil.decodeURIComponent("simple.txt");
+        Assert.assertEquals("simple.txt", result);
+    }
 }

flow-server/src/test/java/com/vaadin/flow/server/communication/UploadHandlerTest.java

@@ -166,6 +166,75 @@ public void doUploadHandleXhrFilePost_happyPath_setContentTypeAndResponseHandled
         Mockito.verify(response, Mockito.times(1)).setStatus(200);
     }
 
+    @Test
+    public void xhrUpload_filenameFromHeader_extractedCorrectly()
+            throws IOException {
+        final String[] capturedFilename = new String[1];
+
+        UploadHandler handler = (event) -> {
+            capturedFilename[0] = event.getFileName();
+        };
+
+        Mockito.when(request.getHeader("X-Filename")).thenReturn("test.txt");
+
+        handler.handleRequest(request, response, session, element);
+
+        Assert.assertEquals("test.txt", capturedFilename[0]);
+    }
+
+    @Test
+    public void xhrUpload_encodedFilename_decodedCorrectly()
+            throws IOException {
+        final String[] capturedFilename = new String[1];
+
+        UploadHandler handler = (event) -> {
+            capturedFilename[0] = event.getFileName();
+        };
+
+        // encodeURIComponent("my file åäö.txt") in JavaScript
+        Mockito.when(request.getHeader("X-Filename"))
+                .thenReturn("my%20file%20%C3%A5%C3%A4%C3%B6.txt");
+
+        handler.handleRequest(request, response, session, element);
+
+        Assert.assertEquals("my file åäö.txt", capturedFilename[0]);
+    }
+
+    @Test
+    public void xhrUpload_contentTypeFromHeader_extractedCorrectly()
+            throws IOException {
+        final String[] capturedContentType = new String[1];
+
+        UploadHandler handler = (event) -> {
+            capturedContentType[0] = event.getContentType();
+        };
+
+        Mockito.when(request.getHeader("X-Filename")).thenReturn("test.txt");
+        Mockito.when(request.getHeader("Content-Type"))
+                .thenReturn("text/plain");
+
+        handler.handleRequest(request, response, session, element);
+
+        Assert.assertEquals("text/plain", capturedContentType[0]);
+    }
+
+    @Test
+    public void xhrUpload_missingContentTypeHeader_defaultsToUnknown()
+            throws IOException {
+        final String[] capturedContentType = new String[1];
+
+        UploadHandler handler = (event) -> {
+            capturedContentType[0] = event.getContentType();
+        };
+
+        Mockito.when(request.getHeader("X-Filename")).thenReturn("test.txt");
+        Mockito.when(request.getHeader("Content-Type")).thenReturn(null);
+
+        handler.handleRequest(request, response, session, element);
+
+        Assert.assertEquals("unknown", capturedContentType[0]);
+    }
+
     @Test
     public void doUploadHandleXhrFilePost_unhappyPath_responseHandled()
             throws IOException {