fix(standard-server): invalid content-disposition with non-ASCII filenames (#1500)

Fixes #1498

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved handling of special characters and international (non-ASCII)
characters in filenames during content disposition, ensuring proper
escaping and RFC 5987 encoding compatibility.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: GitHub Actions <41898282+github-actions[bot]@users.noreply.github.com>

Author: dinwwwh

packages/standard-server/src/utils.test.ts

@@ -8,10 +8,22 @@ beforeEach(() => {
   vi.clearAllMocks()
 })
 
-it('generateContentDisposition', () => {
-  expect(generateContentDisposition('')).toEqual('inline; filename=""; filename*=utf-8\'\'')
-  expect(generateContentDisposition('test.txt')).toEqual('inline; filename="test.txt"; filename*=utf-8\'\'test.txt')
-  expect(generateContentDisposition('!@#$%^%^&*()\'".txt')).toEqual('inline; filename="!@#$%^%^&*()\'\\".txt"; filename*=utf-8\'\'!%40%23%24%25^%25^%26%2A%28%29%27%22.txt')
+describe('generateContentDisposition', () => {
+  it('handle normal filename', () => {
+    expect(generateContentDisposition('test.txt')).toEqual('inline; filename="test.txt"; filename*=utf-8\'\'test.txt')
+  })
+
+  it('handle empty filename', () => {
+    expect(generateContentDisposition('')).toEqual('inline; filename=""; filename*=utf-8\'\'')
+  })
+
+  it('escape " special char', () => {
+    expect(generateContentDisposition('!@#$%^%^&*()\'".txt')).toEqual('inline; filename="!@#$%^%^&*()\'\\".txt"; filename*=utf-8\'\'!%40%23%24%25^%25^%26%2A%28%29%27%22.txt')
+  })
+
+  it('escape non-ASCII filenames', () => {
+    expect(generateContentDisposition('テンプレ\'"ート.txt')).toEqual('inline; filename="____\'\\"__.txt"; filename*=utf-8\'\'%E3%83%86%E3%83%B3%E3%83%97%E3%83%AC%27%22%E3%83%BC%E3%83%88.txt')
+  })
 })
 
 it('getFilenameFromContentDisposition', () => {

packages/standard-server/src/utils.ts

@@ -2,14 +2,14 @@ import type { StandardHeaders, StandardLazyResponse } from './types'
 import { isAsyncIteratorObject, once, replicateAsyncIterator, toArray, tryDecodeURIComponent } from '@orpc/shared'
 
 export function generateContentDisposition(filename: string): string {
-  const escapedFileName = filename.replace(/"/g, '\\"')
+  const encodedFileName = filename.replace(/[^\x20-\x7E]/g, '_').replace(/"/g, '\\"')
 
   // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent#encoding_for_content-disposition_and_link_headers
   const encodedFilenameStar = encodeURIComponent(filename)
     .replace(/['()*]/g, c => `%${c.charCodeAt(0).toString(16).toUpperCase()}`)
     .replace(/%(7C|60|5E)/g, (str, hex) => String.fromCharCode(Number.parseInt(hex, 16)))
 
-  return `inline; filename="${escapedFileName}"; filename*=utf-8\'\'${encodedFilenameStar}`
+  return `inline; filename="${encodedFileName}"; filename*=utf-8\'\'${encodedFilenameStar}`
 }
 
 export function getFilenameFromContentDisposition(contentDisposition: string): string | undefined {