
Fix shell metacharacter injection in file-drop path quoting#37

Merged
lassejlv merged 2 commits into paste-feature from copilot/sub-pr-36
Feb 22, 2026

Conversation

Contributor

Copilot AI commented Feb 22, 2026

The handle_file_drop path-quoting logic only triggered for paths containing spaces, ', or ", leaving paths with shell metacharacters like $, `, *, !, &, |, ; sent unquoted to the terminal — allowing unintended shell expansion or command injection.

Change

Always apply POSIX single-quote escaping to every dropped path, unconditionally:

```rust
// before: only quoted paths containing spaces or quote chars
if path_str.contains(' ') || path_str.contains('\'') || path_str.contains('"') {
    text.push('\'');
    text.push_str(&path_str.replace('\'', "'\\''"));
    text.push('\'');
} else {
    text.push_str(&path_str);  // unsafe for $, `, *, !, &, |, ;
}

// after: always single-quote every path
text.push('\'');
text.push_str(&path_str.replace('\'', "'\\''"));
text.push('\'');
```

This is both simpler and correct — POSIX single-quoting suppresses all shell metacharacter interpretation, and the '\'' idiom correctly handles embedded single quotes.


Co-authored-by: lassejlv <77295879+lassejlv@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for bracketed paste and file drag-and-drop Fix shell metacharacter injection in file-drop path quoting Feb 22, 2026
Copilot AI requested a review from lassejlv February 22, 2026 23:08
Member

@lassejlv lassejlv left a comment


Check an extra time if it's good enough

Contributor Author

Copilot AI commented Feb 22, 2026

> Check an extra time if it's good enough

Checked again — everything looks good:

  • bracketed_paste_mode(): correctly reads TermMode::BRACKETED_PASTE from the alacritty terminal lock.
  • Paste handler: wraps content with \x1b[200~ / \x1b[201~ when bracketed paste is active, falls back to a raw write otherwise — correct per the protocol.
  • File drop handler (fixed in 8eee132): now always applies POSIX single-quote escaping to every path. The '\'' idiom handles embedded single quotes, and wrapping everything in single quotes suppresses all shell metacharacter interpretation ($, `, *, !, &, |, ;).
  • Render pipeline: .on_drop(cx.listener(Self::handle_file_drop)) is correctly wired in.
  • cargo check passes cleanly. CI on paste-feature is green.
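The quoting rule described in the PR description and confirmed in the checklist above, as an added example that is not the project's code: it places the "before" and "after" rules side by side and adds a small reader that mirrors how a POSIX shell consumes one word, so a caller can check that a quoted path round-trips with nothing left exposed to expansion. Function names are hypothetical.

```rust
// Added example (not the project's code): both quoting rules from the PR comment,
// plus a reader that mirrors how a POSIX shell consumes one word. Names are hypothetical.

/// The "before" rule: quote only when the path holds a space or a quote char.
pub fn quote_before(path: &str) -> String {
    if path.contains(' ') || path.contains('\'') || path.contains('"') {
        format!("'{}'", path.replace('\'', "'\\''"))
    } else {
        path.to_string() // $, `, *, !, &, |, ; reach the shell bare
    }
}

/// The "after" rule: single-quote every path. Inside single quotes a POSIX shell
/// interprets nothing, so only ' needs care, written as '\'' (close, escaped quote, reopen).
pub fn shell_single_quote(path: &str) -> String {
    format!("'{}'", path.replace('\'', "'\\''"))
}

/// Model of how a POSIX shell reads one word: returns the resulting argument and the
/// characters seen outside quotes (where expansion or operator parsing would apply).
/// Handles '...' and backslash escapes, which is all the functions above produce.
pub fn shell_read_word(word: &str) -> (String, String) {
    let (mut arg, mut exposed) = (String::new(), String::new());
    let mut chars = word.chars();
    while let Some(c) = chars.next() {
        match c {
            '\'' => {
                // Literal up to the closing quote; no escapes inside.
                for q in chars.by_ref() {
                    if q == '\'' { break; }
                    arg.push(q);
                }
            }
            '\\' => { if let Some(next) = chars.next() { arg.push(next); } }
            other => { arg.push(other); exposed.push(other); }
        }
    }
    (arg, exposed)
}

/// True when `word` reproduces `path` exactly and exposes nothing to the shell.
pub fn is_safely_quoted(path: &str, word: &str) -> bool {
    shell_read_word(word) == (path.to_string(), String::new())
}
```

Running `is_safely_quoted` over paths containing `$`, backticks, `;`, `*`, `|` or `!` shows the "before" rule passing them through bare while the "after" rule keeps every byte literal.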

Copilot AI requested a review from lassejlv February 22, 2026 23:17
@lassejlv lassejlv marked this pull request as ready for review February 22, 2026 23:19
@lassejlv lassejlv merged commit bbea9d8 into paste-feature Feb 22, 2026
1 check passed