From 14f111c2e3f20f563dfbe17181f77bfaa9cd57ef Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Sun, 28 Aug 2016 18:38:15 +0300
Subject: Tags: should be escaped in db and unescaped in templates
---
 .../src/main/java/com/juick/server/MessagesQueries.java | 3 ++-
 juick-core/src/main/java/com/juick/server/TagQueries.java | 14 ++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)
(limited to 'juick-core')
diff --git a/juick-core/src/main/java/com/juick/server/MessagesQueries.java b/juick-core/src/main/java/com/juick/server/MessagesQueries.java
index 8c79bfd9..fa8881f3 100644
--- a/juick-core/src/main/java/com/juick/server/MessagesQueries.java
+++ b/juick-core/src/main/java/com/juick/server/MessagesQueries.java
@@ -21,6 +21,7 @@ import com.juick.Message;
 import com.juick.Tag;
 import com.juick.User;
 import com.juick.server.helpers.PrivacyOpts;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.springframework.dao.EmptyResultDataAccessException;
 import org.springframework.dao.IncorrectResultSizeDataAccessException;
 import org.springframework.jdbc.core.ConnectionCallback;
@@ -302,7 +303,7 @@ public class MessagesQueries {
 return sql.query("SELECT tags.tag_id,synonym_id,name,stat_messages FROM tags " +
 "INNER JOIN messages_tags ON (messages_tags.message_id=? AND messages_tags.tag_id=tags.tag_id)",
 new Object[]{mid}, (rs, num) -> {
- com.juick.Tag t = new com.juick.Tag(rs.getString(3));
+ com.juick.Tag t = new com.juick.Tag(StringEscapeUtils.unescapeHtml4(rs.getString(3)));
 t.TID = rs.getInt(1);
 t.SynonymID = rs.getInt(2);
 t.UsageCnt = rs.getInt(4);
diff --git a/juick-core/src/main/java/com/juick/server/TagQueries.java b/juick-core/src/main/java/com/juick/server/TagQueries.java
index 76c12425..0e3c0c06 100644
--- a/juick-core/src/main/java/com/juick/server/TagQueries.java
+++ b/juick-core/src/main/java/com/juick/server/TagQueries.java
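Review bot: Every other query that reads `tags.name` has to apply the same `unescapeHtml4` as the changed `new com.juick.Tag(...)` line here, or its callers will receive entity-encoded text (`&amp;`, `&lt;`) for tags written after this commit; only this one select in MessagesQueries is covered, so the remaining readers of that column in this class and in other modules need checking, and I cannot see them from the hunk. Because the DAO now hands back decoded text, the subject's "unescaped in templates" is in practice "unescaped in the DAO", and whatever renders tag names carries the whole responsibility for HTML encoding on output; that contract deserves a comment on the read side, e.g. `// tags.name is stored HTML-escaped (see the INSERT in TagQueries); decode here so callers see raw text and encode once when rendering`. getMessageTags begins and ends outside this hunk.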
@@ -18,6 +18,7 @@ package com.juick.server;
 import com.juick.Tag;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.springframework.dao.EmptyResultDataAccessException;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.jdbc.support.GeneratedKeyHolder;
@@ -42,7 +43,7 @@ public class TagQueries {
 try {
 return sql.queryForObject("SELECT synonym_id,name FROM tags WHERE tag_id=?",
 (rs, num) -> {
- Tag ret = new Tag(rs.getString(2));
+ Tag ret = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(2)));
 ret.TID = tid;
 ret.SynonymID = rs.getInt(1);
 return ret;
@@ -57,11 +58,11 @@ public class TagQueries {
 try {
 ret = sql.queryForObject("SELECT tag_id,synonym_id,name FROM tags WHERE name=?",
 (rs, rowNum) -> {
- Tag ret1 = new Tag(rs.getString(3));
+ Tag ret1 = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(3)));
 ret1.TID = rs.getInt(1);
 ret1.SynonymID = rs.getInt(2);
 return ret1;
- }, tag);
+ }, StringEscapeUtils.escapeHtml4(tag));
 } catch (EmptyResultDataAccessException e) {
 // tag not found
 }
@@ -101,7 +102,7 @@ public class TagQueries {
 sql.update(con -> {
 PreparedStatement stmt = con.prepareStatement("INSERT INTO tags(name) VALUES (?)", Statement.RETURN_GENERATED_KEYS);
- stmt.setString(1, name);
+ stmt.setString(1, StringEscapeUtils.escapeHtml4(name));
 return stmt;
 }, holder);
@@ -114,7 +115,7 @@ public class TagQueries {
 "AND messages.message_id=messages_tags.message_id)) " +
 "INNER JOIN tags ON messages_tags.tag_id=tags.tag_id GROUP BY tags.tag_id ORDER BY tags.name ASC",
 (rs, rowNum) -> {
- Tag t = new Tag(rs.getString(1));
+ Tag t = new Tag(StringEscapeUtils.unescapeHtml4(rs.getString(1)));
 t.UsageCnt = rs.getInt(2);
 return t;
 }, uid);
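Review bot: The by-name lookup `}, StringEscapeUtils.escapeHtml4(tag));` only matches rows written through the escaped INSERT path (`stmt.setString(1, StringEscapeUtils.escapeHtml4(name));`), so if existing rows were stored unescaped — which the subject line suggests — any tag whose name contains `&`, `<`, `>` or `"` stops resolving by name after this commit, and the next use would insert a second, escaped copy; nothing in the change migrates the stored names. The escape-on-write and unescape-on-read calls are also scattered over every hunk in this file (the tag_id lookup, this by-name lookup, the INSERT, the per-user list, getPopularTags) plus MessagesQueries, which is how write and lookup encodings drift apart; I would route them through two private helpers in TagQueries, `private static String toDbName(String name) { return StringEscapeUtils.escapeHtml4(name); }` and `private static String fromDbName(String name) { return StringEscapeUtils.unescapeHtml4(name); }`, and call those at each site. Whether `tags.name` carries a unique index I cannot tell from here; if it does, a pre-existing raw row and its new escaped twin would both be accepted by it. The enclosing methods of these hunks start and end outside them.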
@@ -127,7 +128,8 @@ public class TagQueries {
 }
 public static List getPopularTags(JdbcTemplate sql) {
- return sql.queryForList("SELECT name FROM tags WHERE top=1 ORDER BY name ASC", String.class);
+ return sql.queryForList("SELECT name FROM tags WHERE top=1 ORDER BY name ASC", String.class).stream()
+ .map(StringEscapeUtils::unescapeHtml4).collect(Collectors.toList());
 }
 public static List updateTags(JdbcTemplate sql, int mid, List newTags) {
 List currentTags = MessagesQueries.getMessageTags(sql, mid);
-- 
cgit v1.2.3
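Review bot: `ORDER BY name ASC` in getPopularTags now orders by the stored, escaped text, so a tag whose name contains `&`, `<`, `>` or `"` is placed by its entity form (`&amp;`, `&lt;`) rather than by the text the caller receives after `unescapeHtml4`; the same applies to `ORDER BY tags.name ASC` in the per-user tag query earlier in this file. If the order is meant to be the displayed one, sort after decoding, e.g. `.map(StringEscapeUtils::unescapeHtml4).sorted().collect(Collectors.toList())` with the comparator matching the previous collation, or document the difference with a comment on the query, e.g. `// sorted by the escaped DB form, not the decoded name`.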