From 14f111c2e3f20f563dfbe17181f77bfaa9cd57ef Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Sun, 28 Aug 2016 18:38:15 +0300
Subject: Tags: should be escaped in db and unescaped in templates
---
 juick-www/src/main/java/com/juick/www/User.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'juick-www/src/main/java/com/juick/www/User.java')
diff --git a/juick-www/src/main/java/com/juick/www/User.java b/juick-www/src/main/java/com/juick/www/User.java
index 29218d0a..967d06c7 100644
--- a/juick-www/src/main/java/com/juick/www/User.java
+++ b/juick-www/src/main/java/com/juick/www/User.java
@@ -21,6 +21,7 @@ import com.juick.Tag;
 import com.juick.server.MessagesQueries;
 import com.juick.server.TagQueries;
 import com.juick.server.UserQueries;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.springframework.jdbc.core.JdbcTemplate;
 
 import javax.servlet.ServletException;
@@ -89,10 +90,10 @@ public class User {
 String title;
 if (paramShow == null) {
 if (paramTag != null) {
- title = "Блог " + user.getUName() + ": *" + Utils.encodeHTML(paramTag.getName());
+ title = "Блог " + user.getUName() + ": *" + StringEscapeUtils.escapeHtml4(paramTag.getName());
 mids = MessagesQueries.getUserTag(sql, user.getUID(), paramTag.TID, privacy, paramBefore);
 } else if (paramSearch != null) {
- title = "Блог " + user.getUName() + ": " + Utils.encodeHTML(paramSearch);
+ title = "Блог " + user.getUName() + ": " + StringEscapeUtils.escapeHtml4(paramSearch);
 mids = MessagesQueries.getUserSearch(sql, sqlSearch, user.getUID(), Utils.encodeSphinx(paramSearch), privacy, paramBefore);
 } else {
 title = "Блог " + user.getUName();
@@ -132,7 +133,7 @@ public class User {
 if (paramTag != null) {
 out.println("
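Review bot: The subject says tag names are now stored HTML-escaped in the database and unescaped in templates, yet this hunk still passes `paramTag.getName()` through `StringEscapeUtils.escapeHtml4` when building `title`, as do the `← Все записи с тегом` line and the tag-list loop in the two following hunks; if the stored name already contains entities they are escaped a second time and a tag like `a&b` would render as `a&amp;b`. Either `Tag.getName()` still returns the raw name, in which case a comment such as `// tag names arrive unescaped here; escape exactly once for HTML output` would prevent the subject from misleading the next reader, or these three call sites should stop escaping. `escapeHtml4` also leaves `'` untouched, so its output is only safe as element text or inside a double-quoted attribute; the anchor markup in the last hunk is not legible in this view, so that attribute context should be confirmed. `Utils.encodeHTML` is not visible here, so whether the replacement changes which characters get encoded cannot be checked from the diff.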

← Все записи с тегом " +
- Utils.encodeHTML(paramTag.getName()) + "

");
+ StringEscapeUtils.escapeHtml4(paramTag.getName()) + "

");
 }
 PageTemplates.printMessages(out, sql, user, mids, visitor, visitor.getUID() == 0 ? 4 : 5, 0);
@@ -328,7 +329,7 @@ public class User {
 String ret = "";
 int count = cnt > 0 ? Math.min(tags.size(), cnt) : tags.size();
 for (int i = 0; i < count; i++) {
- String tag = Utils.encodeHTML(tags.get(i).getName());
+ String tag = StringEscapeUtils.escapeHtml4(tags.get(i).getName());
 try {
 tag = "" + tag + "";
-- cgit v1.2.3