fix: Potential fix for code scanning alert no. 2: Reflected cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: snowdream

pkg/net/http/fs.go

@@ -12,6 +12,7 @@ import (
 	"io/fs"
 	"net/http"
 	"net/url"
+	"html"
 	"path"
 	"path/filepath"
 	"sort"
@@ -241,7 +242,7 @@ func dirList(w http.ResponseWriter, r *http.Request, f http.File) {
 		timeformat = app.AutoIndexTimeFormat
 	}
 
-	title := fmt.Sprintf("Index of %s", r.URL)
+	title := fmt.Sprintf("Index of %s", html.EscapeString(r.URL.String()))
 
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")