authorGravatar Vitaly Takmazov2016-08-28 18:38:15 +0300
committerGravatar Vitaly Takmazov2016-08-28 18:38:15 +0300
commit14f111c2e3f20f563dfbe17181f77bfaa9cd57ef (patch)
tree6ed744340e137f1112642182e41cbcb8ed030afe /src
parent7092b70a8a92fc1fdfaa8a2c54ec7a2037f8790c (diff)
Tags: should be escaped in db and unescaped in templates
Diffstat (limited to 'src')
-rw-r--r--src/test/java/com/juick/tests/ApiTests.java11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/test/java/com/juick/tests/ApiTests.java b/src/test/java/com/juick/tests/ApiTests.java
index 0d34bfbb..b5632b39 100644
--- a/src/test/java/com/juick/tests/ApiTests.java
+++ b/src/test/java/com/juick/tests/ApiTests.java
@@ -12,6 +12,8 @@ import com.juick.server.TagQueries;
import com.juick.server.UserQueries;
import com.juick.server.protocol.JuickProtocol;
import com.juick.server.protocol.ProtocolReply;
+import com.juick.www.PageTemplates;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.json.JSONArray;
import org.junit.After;
import org.junit.Before;
@@ -36,7 +38,7 @@ public class ApiTests {
DB db;
@Before
public void setupConnection() throws ManagedProcessException {
- db = DB.newEmbeddedDB(3306);
+ db = DB.newEmbeddedDB(33306);
db.start();
db.createDB("juick");
db.source("schema.sql");
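Review bot: The embedded database in `setupConnection` still binds a hard-coded port, now `33306`, so the suite fails whenever that port is already in use on the build host or two builds run side by side. MariaDB4j documents port `0` as "pick a free port"; if the version used here supports it, `db = DB.newEmbeddedDB(0);` would avoid the collision. The JDBC URL is built outside this hunk, so it would then have to take the port from the running configuration rather than a literal. Whichever port is kept, a short comment such as `// non-default port so a local MySQL on 3306 does not clash` would explain the change.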
@@ -88,6 +90,13 @@ public class ApiTests {
assertEquals(1, SubscriptionsQueries.getUsersSubscribedToComments(jdbc, msg.getMID(), user.getUID()).size());
MessagesQueries.deleteMessage(jdbc, user_id, mid);
MessagesQueries.deleteMessage(jdbc, user_id, mid2);
+ String htmlTagName = ">_<";
+ Tag htmlTag = TagQueries.getTag(jdbc, htmlTagName, true);
+ String dbTagName = jdbc.queryForObject("select name from tags where name=?", String.class, StringEscapeUtils.escapeHtml4(htmlTagName));
+ assertNotEquals("db tags should be escaped", dbTagName, htmlTag.getName());
+ assertEquals("object tags should unescaped", htmlTag.getName(), StringEscapeUtils.unescapeHtml4(dbTagName));
+ assertEquals("template should encode escaped tag in url and show escaped tag in name",
+ " *<a href=\"/tag/%3E_%3C\" rel=\"nofollow\">&gt;_&lt;</a>", PageTemplates.formatTags(new ArrayList<Tag>() {{ add(htmlTag); }} ));
}
@Test
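Review bot: The new assertions exercise only `<` and `>` via the tag `>_<`, so the characters that matter in the `href` attribute that `formatTags` renders (a double quote and `&`) are never checked through the escape → store → unescape → template path. A second case, for example `String quotedTagName = "a\"b&c";` (constructed sample), followed by an assertion that the rendered anchor contains no raw `"` or unencoded `&` from the tag inside the `href` value, would pin the attribute context as well as the element text. Because the tag object holds the unescaped name, every output path that prints `getName()` has to encode it again, and this test only covers `PageTemplates.formatTags`. Separately, the message `"object tags should unescaped"` is missing "be", and the double-brace `new ArrayList<Tag>() {{ add(htmlTag); }}` could likely be `Collections.singletonList(htmlTag)` if `formatTags` accepts a `List`. The enclosing test method starts above this hunk.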