authorGravatar Vitaly Takmazov2016-08-28 18:38:15 +0300
committerGravatar Vitaly Takmazov2016-08-28 18:38:15 +0300
commit14f111c2e3f20f563dfbe17181f77bfaa9cd57ef (patch)
tree6ed744340e137f1112642182e41cbcb8ed030afe /juick-www/src/main/java/com/juick/www/NewMessage.java
parent7092b70a8a92fc1fdfaa8a2c54ec7a2037f8790c (diff)
Tags: should be escaped in db and unescaped in templates
Diffstat (limited to 'juick-www/src/main/java/com/juick/www/NewMessage.java')
-rw-r--r--juick-www/src/main/java/com/juick/www/NewMessage.java7
1 files changed, 4 insertions, 3 deletions
diff --git a/juick-www/src/main/java/com/juick/www/NewMessage.java b/juick-www/src/main/java/com/juick/www/NewMessage.java
index 56fe99cb..d45f1a4b 100644
--- a/juick-www/src/main/java/com/juick/www/NewMessage.java
+++ b/juick-www/src/main/java/com/juick/www/NewMessage.java
@@ -27,6 +27,7 @@ import com.juick.xmpp.extensions.JuickUser;
import com.juick.xmpp.extensions.Nickname;
import com.juick.xmpp.extensions.XOOB;
import net.coobird.thumbnailator.Thumbnails;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.springframework.jdbc.core.JdbcTemplate;
@@ -83,7 +84,7 @@ public class NewMessage {
if (body.length() > 4096) {
body = body.substring(0, 4096);
}
- body = Utils.encodeHTML(body);
+ body = StringEscapeUtils.escapeHtml4(body);
}
out.println("<p><textarea name=\"body\" class=\"newmessage\" rows=\"7\" cols=\"10\">" + body + "</textarea><br/>");
@@ -126,9 +127,9 @@ public class NewMessage {
}
String taglink = "";
try {
- taglink = "<a onclick=\"return addTag('" + Utils.encodeHTML(tags.get(i).getName()) + "')\" href=\"/" +
+ taglink = "<a onclick=\"return addTag('" + StringEscapeUtils.escapeHtml4(tags.get(i).getName()) + "')\" href=\"/" +
visitor.getUName() + "/?tag=" + URLEncoder.encode(tags.get(i).getName(), "utf-8") +
- "\" title=\"" + tags.get(i).UsageCnt + "\">" + Utils.encodeHTML(tags.get(i).getName()) + "</a>";
+ "\" title=\"" + tags.get(i).UsageCnt + "\">" + StringEscapeUtils.escapeHtml4(tags.get(i).getName()) + "</a>";
} catch (UnsupportedEncodingException e) {
}
int usagecnt = tags.get(i).UsageCnt;
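Review bot: On the first `taglink` line, `StringEscapeUtils.escapeHtml4` is the wrong escaping for the `onclick` value: the tag name is interpolated into a single-quoted JavaScript string literal inside an HTML attribute, and `escapeHtml4` leaves `'` and `\` untouched, so a name containing either still terminates the literal; the text-node use on the second `taglink` line is fine as written. Escape for the JavaScript context first, then for the attribute: `taglink = "<a onclick=\"return addTag('" + StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(tags.get(i).getName())) + "')\" href=\"/" +`. Since the commit title says tag names are now stored HTML-escaped in the database, escaping them again here presumably double-encodes `&` as `&amp;amp;` in both the attribute and the link text — worth confirming against what the DB layer writes before this lands. The enclosing method starts and ends outside the hunk.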