--- loncom/publisher/loncfile.pm 2004/05/26 22:25:38 1.55
+++ loncom/publisher/loncfile.pm 2004/05/26 22:31:30 1.56
@@ -9,7 +9,7 @@
 # and displays a page showing the results of the action.
 #
 #
-# $Id: loncfile.pm,v 1.55 2004/05/26 22:25:38 albertel Exp $
+# $Id: loncfile.pm,v 1.56 2004/05/26 22:31:30 albertel Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -164,6 +164,7 @@ sub URLToPath {
 sub url {
 my $fn=shift;
 $fn=~s/^\/home\/(\w+)\/public\_html/\/priv\/$1/;
+ $fn=&HTML::Entities::encode($fn,'<>"&');
 return $fn;
 }
@@ -290,9 +291,9 @@ sub checksuffix {
 sub cleanDest {
 my ($request,$dest)=@_;
 #remove bad characters
- if ($dest=~/[\#\?&]/) {
+ if ($dest=~/[\#\?&%]/) {
 $request->print("
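Review bot: The character set passed to `HTML::Entities::encode` in `url` leaves the single quote unescaped, so the result is only safe in element text or double-quoted attributes; if any caller places it in a single-quoted attribute the escaping is incomplete, and `$fn=&HTML::Entities::encode($fn,'<>"&\'');` would close that gap. `url` now both maps the path and HTML-escapes it, so a header comment such as `# Returns the /priv URL, HTML-escaped for output; do not escape again or use as a filesystem path` would help callers avoid double encoding. No `use HTML::Entities;` line is visible in this diff, so confirm the module is already loaded in the file.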

".&mt('Invalid characters in requested name have been removed.')."

");
- $dest=~s/[\#\?&]//g;
+ $dest=~s/[\#\?&%]//g;
 }
 return $dest;
 }
@@ -1116,7 +1117,7 @@ sub phasetwo {
 if(!&Rename2($r, $uname, $dir, $fn, $ENV{'form.newfilename'})) {
 return;
 }
- $dest = &url($ENV{'form.newfilename'});
+ $dest = $ENV{'form.newfilename'};
 }
 } elsif ($ENV{'form.action'} eq 'delete') {
 if(!&Delete2($r, $uname, $ENV{'form.newfilename'})) {
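Review bot: The character class in `cleanDest` is written twice, once in the test and once in the substitution, and this change had to edit both copies; `if ($dest=~s/[\#\?&%]//g) {` followed by the print keeps a single copy, because `s///g` returns the number of replacements made. The filter is also a denylist, so any character not listed passes through unchanged; if the set of valid names is known, an allowlist pattern would be more robust than extending the list one character at a time. A comment stating why each character is rejected would make future additions easier to review.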
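Review bot: After this change `$dest` in the rename branch holds the raw `$ENV{'form.newfilename'}` value, with neither the `/priv` mapping nor the entity encoding that `url` applies. The code that later uses `$dest` is outside the hunk (phasetwo starts and ends outside it), so whether the value passes through `url` exactly once before being printed cannot be checked here; presumably the call was dropped to avoid double encoding. A comment on the assignment, for example `# raw form value; escaped by url() at the point of output`, would record that intent once it is confirmed.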