authorGravatar Vitaly Takmazov2016-08-28 18:38:15 +0300
committerGravatar Vitaly Takmazov2016-08-28 18:38:15 +0300
commit14f111c2e3f20f563dfbe17181f77bfaa9cd57ef (patch)
tree6ed744340e137f1112642182e41cbcb8ed030afe /juick-core
parent7092b70a8a92fc1fdfaa8a2c54ec7a2037f8790c (diff)
Tags: should be escaped in db and unescaped in templates
Diffstat (limited to 'juick-core')
-rw-r--r--juick-core/src/main/java/com/juick/server/MessagesQueries.java3
-rw-r--r--juick-core/src/main/java/com/juick/server/TagQueries.java14
2 files changed, 10 insertions, 7 deletions
diff --git a/juick-core/src/main/java/com/juick/server/MessagesQueries.java b/juick-core/src/main/java/com/juick/server/MessagesQueries.java
index 8c79bfd9..fa8881f3 100644
--- a/juick-core/src/main/java/com/juick/server/MessagesQueries.java
+++ b/juick-core/src/main/java/com/juick/server/MessagesQueries.java
@@ -21,6 +21,7 @@ import com.juick.Message;
import com.juick.Tag;
import com.juick.User;
import com.juick.server.helpers.PrivacyOpts;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.jdbc.core.ConnectionCallback;
@@ -302,7 +303,7 @@ public class MessagesQueries {
return sql.query("SELECT tags.tag_id,synonym_id,name,stat_messages FROM tags " +
"INNER JOIN messages_tags ON (messages_tags.message_id=? AND messages_tags.tag_id=tags.tag_id)",
new Object[]{mid}, (rs, num) -> {
- com.juick.Tag t = new com.juick.Tag(rs.getString(3));
+ com.juick.Tag t = new com.juick.Tag(StringEscapeUtils.unescapeHtml4(rs.getString(3)));
t.TID = rs.getInt(1);
t.SynonymID = rs.getInt(2);
t.UsageCnt = rs.getInt(4);
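Review bot: After this change Tag.Name holds the literal, decoded tag text, so output encoding becomes the responsibility of every renderer of a Tag — a stored name such as `&lt;b&gt;` that was previously emitted harmlessly because the DB value was already escaped now arrives here as `<b>`, and any template or JSON/XMPP writer that does not encode it for its own context would inject it. The commit title says templates receive the unescaped value; confirm that the template engine escapes tag names in every context where they appear (attribute values and URLs included), since that is not visible from this diff. A comment at the decode site would make the contract explicit: `// tags.name is stored HTML4-escaped (see the INSERT in TagQueries); decode so Tag.Name is the literal text — renderers must encode for their output context`. The same applies to the decode sites in TagQueries (the two getTag lookups, the per-user tag listing and getPopularTags). getMessageTags continues beyond the hunk.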
diff --git a/juick-core/src/main/java/com/juick/server/TagQueries.java b/juick-core/src/main/java/com/juick/server/TagQueries.java
index 76c12425..0e3c0c06 100644
--- a/juick-core/src/main/java/com/juick/server/TagQueries.java
+++ b/juick-core/src/main/java/com/juick/server/TagQueries.java
@@ -18,6 +18,7 @@
package com.juick.server;
import com.juick.Tag;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.support.GeneratedKeyHolder;
@@ -42,7 +43,7 @@ public class TagQueries {
try {
return sql.queryForObject("SELECT synonym_id,name FROM tags WHERE tag_id=?",
(rs, num) -> {
- Tag ret = new Tag(rs.getString(2));
+ Tag ret = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(2)));
ret.TID = tid;
ret.SynonymID = rs.getInt(1);
return ret;
@@ -57,11 +58,11 @@ public class TagQueries {
try {
ret = sql.queryForObject("SELECT tag_id,synonym_id,name FROM tags WHERE name=?",
(rs, rowNum) -> {
- Tag ret1 = new Tag(rs.getString(3));
+ Tag ret1 = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(3)));
ret1.TID = rs.getInt(1);
ret1.SynonymID = rs.getInt(2);
return ret1;
- }, tag);
+ }, StringEscapeUtils.escapeHtml4(tag));
} catch (EmptyResultDataAccessException e) {
// tag not found
}
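Review bot: The name lookup now compares `WHERE name=?` against `escapeHtml4(tag)`, but rows written before this commit still hold the unescaped form, so a pre-existing tag like `a&b` (or one stored with a numeric entity such as `&#39;`, which escapeHtml4 never produces) no longer matches, and the INSERT path in the next hunk would then create a second, escaped row for the same tag. A one-off migration of existing `tags.name` values to the escaped form, or a transitional fallback lookup on the raw value, is needed for the new encoding to be consistent. This is inferred from the diff alone; if the table is already migrated the point is moot. The enclosing method starts before and ends after the hunk.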
@@ -101,7 +102,7 @@ public class TagQueries {
sql.update(con -> {
PreparedStatement stmt = con.prepareStatement("INSERT INTO tags(name) VALUES (?)",
Statement.RETURN_GENERATED_KEYS);
- stmt.setString(1, name);
+ stmt.setString(1, StringEscapeUtils.escapeHtml4(name));
return stmt;
}, holder);
@@ -114,7 +115,7 @@ public class TagQueries {
"AND messages.message_id=messages_tags.message_id)) " +
"INNER JOIN tags ON messages_tags.tag_id=tags.tag_id GROUP BY tags.tag_id ORDER BY tags.name ASC",
(rs, rowNum) -> {
- Tag t = new Tag(rs.getString(1));
+ Tag t = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(1)));
t.UsageCnt = rs.getInt(2);
return t;
}, uid);
@@ -127,7 +128,8 @@ public class TagQueries {
}
public static List<String> getPopularTags(JdbcTemplate sql) {
- return sql.queryForList("SELECT name FROM tags WHERE top=1 ORDER BY name ASC", String.class);
+ return sql.queryForList("SELECT name FROM tags WHERE top=1 ORDER BY name ASC", String.class).stream()
+ .map(StringEscapeUtils::unescapeHtml4).collect(Collectors.toList());
}
public static List<Tag> updateTags(JdbcTemplate sql, int mid, List<Tag> newTags) {
List<Tag> currentTags = MessagesQueries.getMessageTags(sql, mid);
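Review bot: The new stream pipeline calls `Collectors.toList()`, but the import hunk earlier in this file adds only `StringEscapeUtils`; unless `java.util.stream.Collectors` is already imported above (not visible here) this will not compile. If it is not, add `import java.util.stream.Collectors;`, or avoid the extra dependency by decoding in a plain loop over the query result. The trailing context lines belong to updateTags, which continues beyond the hunk.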