From 14f111c2e3f20f563dfbe17181f77bfaa9cd57ef Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Sun, 28 Aug 2016 18:38:15 +0300
Subject: Tags: should be escaped in db and unescaped in templates

---
 .../src/main/java/com/juick/www/PageTemplates.java | 27 ++++------------------
 1 file changed, 4 insertions(+), 23 deletions(-)

(limited to 'juick-www/src/main/java/com/juick/www/PageTemplates.java')

diff --git a/juick-www/src/main/java/com/juick/www/PageTemplates.java b/juick-www/src/main/java/com/juick/www/PageTemplates.java
index be9a024c..5715acd3 100644
--- a/juick-www/src/main/java/com/juick/www/PageTemplates.java
+++ b/juick-www/src/main/java/com/juick/www/PageTemplates.java
@@ -22,6 +22,7 @@ import com.juick.Tag;
 import com.juick.server.MessagesQueries;
 import com.juick.server.TagQueries;
 import com.juick.server.UserQueries;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.util.StringUtils;
 import ru.sape.Sape;
@@ -89,7 +90,7 @@ public class PageTemplates {
         out.println("</ul></nav>");
         out.print("  <div id=\"search\"><form action=\"/\"><input type=\"text\" name=\"search\" class=\"text\" placeholder=\"Поиск\"");
         if (search != null) {
-            out.print(" value=\"" + Utils.encodeHTML(search) + "\"");
+            out.print(" value=\"" + StringEscapeUtils.escapeHtml4(search) + "\"");
         }
         out.println("/></form></div>");
         out.println("  <section id=\"headdiv\">");
@@ -135,7 +136,7 @@ public class PageTemplates {
 
     public static String formatPopularTags(JdbcTemplate sql, int cnt) {
         List<String> popularTags = TagQueries.getPopularTags(sql).stream()
-                .map(t -> "<a href=\"/tag/" + URLEncoder.encode(t) + "\">" + Utils.encodeHTML(t) + "</a>").collect(Collectors.toList());
+                .map(t -> "<a href=\"/tag/" + URLEncoder.encode(t) + "\">" + StringEscapeUtils.escapeHtml4(t) + "</a>").collect(Collectors.toList());
         return StringUtils.collectionToDelimitedString(popularTags, " ");
     }
 
@@ -188,7 +189,7 @@ public class PageTemplates {
     public static String formatTags(List<Tag> tags) {
         String ret = "";
         for (Tag tag : tags) {
-            String tagName = tag.getName().replaceAll("<", "&lt;").replaceAll(">", "&gt;");
+            String tagName = StringEscapeUtils.escapeHtml4(tag.getName());
             try {
                 ret += " *<a href=\"/tag/" + URLEncoder.encode(tag.getName(), "utf-8") + "\"";
                 if (tag.UsageCnt < 2) {
@@ -202,26 +203,6 @@ public class PageTemplates {
         return ret;
     }
 
-    public static String formatTags(List<String> tags, com.juick.User user) {
-        String ret = "";
-        for (String tag : tags) {
-            tag = tag.replaceAll("<", "&lt;");
-            tag = tag.replaceAll(">", "&gt;");
-            try {
-                ret += " *<a href=\"";
-                if (user == null) {
-                    ret += "/tag/";
-                } else {
-                    ret += "/" + user.getUName() + "/?tag=";
-                }
-                ret += URLEncoder.encode(tag, "utf-8") + "\">" + tag + "</a>";
-            } catch (UnsupportedEncodingException e) {
-            }
-        }
-
-        return ret;
-    }
-
     public static String formatDate(int minutes, Date fulldate) {
         if (minutes < 1) {
             return "сейчас";
-- 
cgit v1.2.3