From fd3b2e951400bf69ca9394d752118b6a3c039516 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Fri, 20 Jan 2017 14:10:46 +0300
Subject: juick-server: database tags should not be escaped now

---
 juick-core/src/main/java/com/juick/Message.java | 1 -
 .../java/com/juick/service/TagServiceImpl.java | 19 +-
 .../java/com/juick/www/controllers/Discover.java | 138 ---------------------
 .../main/java/com/juick/www/controllers/Tags.java | 134 ++++++++++++++++++++
 src/test/java/com/juick/tests/ApiTests.java | 6 +-
 5 files changed, 146 insertions(+), 152 deletions(-)
 delete mode 100644 juick-www/src/main/java/com/juick/www/controllers/Discover.java
 create mode 100644 juick-www/src/main/java/com/juick/www/controllers/Tags.java

diff --git a/juick-core/src/main/java/com/juick/Message.java b/juick-core/src/main/java/com/juick/Message.java
index ae13d7e9..583f2570 100644
--- a/juick-core/src/main/java/com/juick/Message.java
+++ b/juick-core/src/main/java/com/juick/Message.java
@@ -28,7 +28,6 @@ import org.apache.commons.lang3.builder.ToStringBuilder;
 import javax.xml.bind.annotation.*;
 import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 import java.util.*;
-import java.util.stream.Collectors;
 
 /**
  * @author Ugnich Anton
diff --git a/juick-server/src/main/java/com/juick/service/TagServiceImpl.java b/juick-server/src/main/java/com/juick/service/TagServiceImpl.java
index 61f23d71..cb345ceb 100644
--- a/juick-server/src/main/java/com/juick/service/TagServiceImpl.java
+++ b/juick-server/src/main/java/com/juick/service/TagServiceImpl.java
@@ -4,7 +4,6 @@ import com.juick.Tag;
 import com.juick.server.helpers.TagStats;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.ArrayUtils;
-import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.jdbc.core.RowMapper;
@@ -16,7 +15,10 @@ import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.Assert;
 
 import javax.inject.Inject;
-import java.sql.*;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -49,7 +51,7 @@ public class TagServiceImpl extends BaseJdbcService implements TagService {
 List list = getJdbcTemplate().query(
 "SELECT synonym_id,name FROM tags WHERE tag_id=?",
 (rs, num) -> {
- Tag ret = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(2)));
+ Tag ret = new Tag(rs.getString(2));
 ret.TID = tid;
 ret.SynonymID = rs.getInt(1);
 return ret;
@@ -69,12 +71,12 @@ public class TagServiceImpl extends BaseJdbcService implements TagService {
 List list = getJdbcTemplate().query(
 "SELECT tag_id, synonym_id, name FROM tags WHERE name = ?",
 (rs, rowNum) -> {
- Tag ret1 = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(3)));
+ Tag ret1 = new Tag(rs.getString(3));
 ret1.TID = rs.getInt(1);
 ret1.SynonymID = rs.getInt(2);
 return ret1;
 },
- StringEscapeUtils.escapeHtml4(tag));
+ tag);
 
 Tag ret = list.isEmpty() ? null : list.get(0);
 
@@ -124,7 +126,7 @@ public class TagServiceImpl extends BaseJdbcService implements TagService {
 PreparedStatement stmt = con.prepareStatement(
 "INSERT INTO tags(name) VALUES (?)",
 Statement.RETURN_GENERATED_KEYS);
- stmt.setString(1, StringEscapeUtils.escapeHtml4(name));
+ stmt.setString(1, name);
 return stmt;
 },
 holder);
@@ -136,7 +138,7 @@ public class TagServiceImpl extends BaseJdbcService implements TagService {
 
 @Override
 public TagStats mapRow(ResultSet rs, int rowNum) throws SQLException {
- Tag t = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(1)));
+ Tag t = new Tag(rs.getString(1));
 TagStats s = new TagStats();
 s.setTag(t);
 s.setUsageCount(rs.getInt(2));
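Review bot: The lookup in getTag (hunk @@ -69) now binds the raw `tag` to `WHERE name = ?`, but rows written before this commit still hold the escapeHtml4 form (the removed test in ApiTests asserted exactly that), so a tag such as `>_<` stored as `&gt;_&lt;` is no longer found and the INSERT in hunk @@ -124 will create a second row for it; the readers in hunks @@ -49, @@ -136, @@ -171 and @@ -239 likewise hand the stored form through verbatim. Unless the tags table is migrated in the same release, the change needs a one-off unescape of existing `tags.name` values (or a temporary fallback lookup on the escaped form), and a comment on the query saying so: `// tag names are stored unescaped since this change; rows created earlier must be migrated`. Moving escaping out of the storage layer is the right direction, but it now makes every renderer of `Tag.getName()` responsible for escaping on output; the new Tags controller does this for the page title, and the remaining templates are worth checking. The enclosing methods start and end outside these hunks.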
@@ -171,7 +173,6 @@ public class TagServiceImpl extends BaseJdbcService implements TagService {
 return getJdbcTemplate().queryForList(
 "SELECT name FROM tags WHERE top=1 ORDER BY name ASC", String.class)
 .stream()
- .map(StringEscapeUtils::unescapeHtml4)
 .collect(Collectors.toList());
 }
 
@@ -239,7 +240,7 @@ public class TagServiceImpl extends BaseJdbcService implements TagService {
 "SELECT tags.tag_id,synonym_id,name,stat_messages FROM tags " +
 "INNER JOIN messages_tags ON (messages_tags.message_id = ? AND messages_tags.tag_id = tags.tag_id)",
 (rs, num) -> {
- com.juick.Tag t = new com.juick.Tag(StringEscapeUtils.unescapeHtml4(rs.getString(3)));
+ com.juick.Tag t = new com.juick.Tag(rs.getString(3));
 t.TID = rs.getInt(1);
 t.SynonymID = rs.getInt(2);
 TagStats s = new TagStats();
diff --git a/juick-www/src/main/java/com/juick/www/controllers/Discover.java b/juick-www/src/main/java/com/juick/www/controllers/Discover.java
deleted file mode 100644
index e5d17501..00000000
--- a/juick-www/src/main/java/com/juick/www/controllers/Discover.java
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Juick
- * Copyright (C) 2008-2011, Ugnich Anton
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see .
- */
-package com.juick.www.controllers;
-
-import com.juick.service.AdsService;
-import com.juick.service.MessagesService;
-import com.juick.service.TagService;
-import com.juick.www.Utils;
-import com.juick.www.WebApp;
-import org.apache.commons.lang3.CharEncoding;
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-
-import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.net.URLDecoder;
-import java.net.URLEncoder;
-import java.util.List;
-
-/**
- *
- * @author Ugnich Anton
- */
-@Controller
-public class Discover {
- @Inject
- WebApp webApp;
- @Inject
- MessagesService messagesService;
- @Inject
- TagService tagService;
- @Inject
- AdsService adsService;
- @Inject
- PageTemplates templates;
-
- @RequestMapping(value = "/tag/{tagName}", method = RequestMethod.GET)
- protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
- com.juick.User visitor = 
webApp.getVisitorUser(request, response);
-
- String paramTagStr = URLDecoder.decode(request.getRequestURI().substring(5), CharEncoding.UTF_8);
- com.juick.Tag paramTag = tagService.getTag(paramTagStr, false);
- if (paramTag == null) {
- response.sendError(HttpServletResponse.SC_NOT_FOUND);
- return;
- } else if (paramTag.SynonymID > 0 && paramTag.TID != paramTag.SynonymID) {
- com.juick.Tag synTag = tagService.getTag(paramTag.SynonymID);
- String url = "/tag/" + URLEncoder.encode(synTag.getName(), CharEncoding.UTF_8);
- if (request.getQueryString() != null) {
- url += "?" + request.getQueryString();
- }
- Utils.sendPermanentRedirect(response, url);
- return;
- } else if (!paramTag.getName().equals(paramTagStr)) {
- String url = "/tag/" + URLEncoder.encode(paramTag.getName(), CharEncoding.UTF_8);
- if (request.getQueryString() != null) {
- url += "?" + request.getQueryString();
- }
- Utils.sendPermanentRedirect(response, url);
- return;
- }
-
- int paramBefore = 0;
- String paramBeforeStr = request.getParameter("before");
- if (paramBeforeStr != null) {
- try {
- paramBefore = Integer.parseInt(paramBeforeStr);
- } catch (NumberFormatException e) {
- }
- }
-
- int visitor_uid = visitor.getUid();
-
- String title = "*" + StringEscapeUtils.escapeHtml4(paramTag.getName());
- List mids = messagesService.getTag(paramTag.TID, visitor_uid, paramBefore, (visitor_uid == 0) ? 40 : 20);
-
- response.setContentType("text/html; charset=UTF-8");
- try (PrintWriter out = response.getWriter()) {
- String head = StringUtils.EMPTY;
- if (tagService.getTagNoIndex(paramTag.TID)) {
- head = "";
- } else if (paramBefore > 0 || mids.size() < 5) {
- head = "";
- }
- templates.pageHead(out, visitor, title, head);
- templates.pageNavigation(out, visitor, null);
-
- out.println("
");
-
- if (mids.size() > 0) {
- int vuid = visitor.getUid();
- int ad_mid = adsService.getAdMid(vuid);
- if (ad_mid > 0 && mids.indexOf(ad_mid) == -1) {
- mids.add(0, ad_mid);
- adsService.logAdMid(vuid, ad_mid);
- } else {
- ad_mid = 0;
- }
-
- templates.printMessages(out, null, mids, visitor, visitor_uid == 0 ? 2 : 3, ad_mid);
- }
-
- if (mids.size() >= 20) {
- String nextpage = "/tag/" + URLEncoder.encode(paramTag.getName(), CharEncoding.UTF_8) + "?before=" + mids.get(mids.size() - 1);
- out.println("

Читать дальше →

");
- }
-
- out.println("
");
-
- templates.pageHomeColumn(out, visitor);
-
- templates.pageFooter(request, out, visitor, true);
-
- templates.pageEnd(out);
- }
- }
-}
diff --git a/juick-www/src/main/java/com/juick/www/controllers/Tags.java b/juick-www/src/main/java/com/juick/www/controllers/Tags.java
new file mode 100644
index 00000000..ee95d08c
--- /dev/null
+++ b/juick-www/src/main/java/com/juick/www/controllers/Tags.java
@@ -0,0 +1,134 @@
+/*
+ * Juick
+ * Copyright (C) 2008-2011, Ugnich Anton
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+package com.juick.www.controllers;
+
+import com.juick.service.AdsService;
+import com.juick.service.MessagesService;
+import com.juick.service.TagService;
+import com.juick.www.Utils;
+import com.juick.www.WebApp;
+import org.apache.commons.lang3.CharEncoding;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.util.List;
+
+/**
+ *
+ * @author Ugnich Anton
+ */
+@Controller
+public class Tags {
+ @Inject
+ WebApp webApp;
+ @Inject
+ MessagesService messagesService;
+ @Inject
+ TagService tagService;
+ @Inject
+ AdsService adsService;
+ @Inject
+ PageTemplates templates;
+
+ @RequestMapping(value = "/tag/{tagName}", method = RequestMethod.GET)
+ protected 
void doGet(HttpServletRequest request,
+ @PathVariable String tagName,
+ @RequestParam(required = false, defaultValue = "0") int before,
+ HttpServletResponse response) throws IOException {
+ com.juick.User visitor = webApp.getVisitorUser(request, response);
+
+ String paramTagStr = URLDecoder.decode(StringEscapeUtils.unescapeHtml4(tagName), CharEncoding.UTF_8);
+ com.juick.Tag paramTag = tagService.getTag(paramTagStr, false);
+ if (paramTag == null) {
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
+ return;
+ } else if (paramTag.SynonymID > 0 && paramTag.TID != paramTag.SynonymID) {
+ com.juick.Tag synTag = tagService.getTag(paramTag.SynonymID);
+ String url = "/tag/" + URLEncoder.encode(StringEscapeUtils.escapeHtml4(synTag.getName()), CharEncoding.UTF_8);
+ if (request.getQueryString() != null) {
+ url += "?" + request.getQueryString();
+ }
+ Utils.sendPermanentRedirect(response, url);
+ return;
+ } else if (!paramTag.getName().equals(paramTagStr)) {
+ String url = "/tag/" + URLEncoder.encode(StringEscapeUtils.escapeHtml4(paramTag.getName()), CharEncoding.UTF_8);
+ if (request.getQueryString() != null) {
+ url += "?" + request.getQueryString();
+ }
+ Utils.sendPermanentRedirect(response, url);
+ return;
+ }
+
+ int visitor_uid = visitor.getUid();
+
+ String title = "*" + StringEscapeUtils.escapeHtml4(paramTag.getName());
+ List mids = messagesService.getTag(paramTag.TID, visitor_uid, before, (visitor_uid == 0) ? 40 : 20);
+
+ response.setContentType("text/html; charset=UTF-8");
+ try (PrintWriter out = response.getWriter()) {
+ String head = StringUtils.EMPTY;
+ if (tagService.getTagNoIndex(paramTag.TID)) {
+ head = "";
+ } else if (before > 0 || mids.size() < 5) {
+ head = "";
+ }
+ templates.pageHead(out, visitor, title, head);
+ templates.pageNavigation(out, visitor, null);
+
+ out.println("
");
+
+ if (mids.size() > 0) {
+ int vuid = visitor.getUid();
+ int ad_mid = adsService.getAdMid(vuid);
+ if (ad_mid > 0 && mids.indexOf(ad_mid) == -1) {
+ mids.add(0, ad_mid);
+ adsService.logAdMid(vuid, ad_mid);
+ } else {
+ ad_mid = 0;
+ }
+
+ templates.printMessages(out, null, mids, visitor, visitor_uid == 0 ? 2 : 3, ad_mid);
+ }
+
+ if (mids.size() >= 20) {
+ String nextpage = "/tag/" + URLEncoder.encode(paramTag.getName(), CharEncoding.UTF_8) + "?before=" + mids.get(mids.size() - 1);
+ out.println("

Читать дальше →

");
+ }
+
+ out.println("
");
+
+ templates.pageHomeColumn(out, visitor);
+
+ templates.pageFooter(request, out, visitor, true);
+
+ templates.pageEnd(out);
+ }
+ }
+}
diff --git a/src/test/java/com/juick/tests/ApiTests.java b/src/test/java/com/juick/tests/ApiTests.java
index 0317dbb4..1cd17bd6 100644
--- a/src/test/java/com/juick/tests/ApiTests.java
+++ b/src/test/java/com/juick/tests/ApiTests.java
@@ -17,7 +17,6 @@ import com.juick.service.UserService;
 import com.juick.service.search.SearchService;
 import com.juick.www.controllers.PageTemplates;
 import org.apache.commons.dbcp2.BasicDataSource;
-import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.junit.Before;
 import org.junit.Test;
@@ -181,9 +180,8 @@ public class ApiTests {
 Tag htmlTag = tagService.getTag(htmlTagName, true);
 TagStats htmlTagStats = new TagStats();
 htmlTagStats.setTag(htmlTag);
- String dbTagName = jdbcTemplate.queryForObject("select name from tags where name=?", String.class, StringEscapeUtils.escapeHtml4(htmlTagName));
- assertNotEquals("db tags should be escaped", dbTagName, htmlTag.getName());
- assertEquals("object tags should unescaped", htmlTag.getName(), StringEscapeUtils.unescapeHtml4(dbTagName));
+ String dbTagName = jdbcTemplate.queryForObject("select name from tags where name=?", String.class, htmlTagName);
+ assertEquals("db tags should not be escaped", dbTagName, htmlTag.getName());
 assertEquals("template should encode escaped tag in url and show escaped tag in name", ">_<", templates.formatTags(Collections.singletonList(htmlTagStats)));
 int mid4 = messagesService.createMessage(user_id, "yoyoyo", null, null);
-- 
cgit v1.2.3
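Review bot: In Tags.doGet, `tagName` arrives through `@PathVariable`, which Spring normally hands over already URL-decoded, so the `URLDecoder.decode(...)` wrapped around `StringEscapeUtils.unescapeHtml4(tagName)` decodes a second time (this depends on the UrlPathHelper configuration, which is not visible here); a tag whose name contains `+` or `%` then never equals `paramTag.getName()`, and the canonical-URL branch redirects to a URL that fails the same comparison again, looping indefinitely. I would drop the outer decode and keep only the entity unescape: `String paramTagStr = StringEscapeUtils.unescapeHtml4(tagName);`. The `nextpage` link further down encodes `paramTag.getName()` without the `escapeHtml4` step that both redirect URLs apply, so the same tag gets two different canonical forms; one form should be used everywhere. Note also that `@RequestParam(required = false, defaultValue = "0") int before` answers a non-numeric `before` with a 400, whereas the deleted Discover controller silently fell back to 0.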