File downloads break if you have a double quote in the filename

[pdehaan]

Randomly spotted in https://github.com/mozilla/send/pull/457/files#r131576048 but reproduced in production...

Steps to reproduce:

1. Go to https://send.firefox.com

2. Upload a file with a double quote in the filename (for example, batmanapp"roves.gif below):

   

3. Try and download that file on Send.

Actual results:

<div class="title">
      <span id="dl-filename" data-l10n-id="downloadFileName" data-l10n-args="{&quot;filename&quot;: &quot;batmanapp&quot;roves.gif&quot;}"></span>
      <span data-l10n-id="downloadFileSize" data-l10n-args="{&quot;size&quot;: &quot;1.01MB&quot;}"></span>
      <span id="dl-bytelength" hidden="true">1064054</span>
      <span id="dl-ttl" hidden="true">85626000</span>
    </div>

[ehuggett]

!£$%^&*)(_-+=}{][@'#~?>.<,|`¬.txt

is displayed correctly by the browser after upload / on the download page but it downloads as

!£$%^&_)(_-+=}{][@'#~__._,_`¬.txt

While it would not surprise me if this is done by the browser (Firefox 52.2.0 (64-bit) under Debian 9/Stretch ) as the missing and replaced symbols would have special meaning to a shell... nonetheless, is there something we could/should be doing before trying to move the file from LocalStorage to the users download folder? (i.e. What happens when any browser running on windows attempts to download such a file? not all filesystems allow the same symbols).

I wasn't doing something right with the javascript debugger (every time I tried to change the variable it reverted to its old value) but I also wanted to test what happens if I insert \r\n (https://www.owasp.org/index.php/CRLF_Injection) into the filename, mainly because I know the filename is currently returned to the client in the X-File-Metadata header and if the line break is not stripped then I would potentially be able to insert arbitrary HTTP headers into the response (which would be very bad indeed).