From 14f111c2e3f20f563dfbe17181f77bfaa9cd57ef Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Sun, 28 Aug 2016 18:38:15 +0300 Subject: Tags: should be escaped in db and unescaped in templates --- src/test/java/com/juick/tests/ApiTests.java | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'src/test/java/com') diff --git a/src/test/java/com/juick/tests/ApiTests.java b/src/test/java/com/juick/tests/ApiTests.java index 0d34bfbb..b5632b39 100644 --- a/src/test/java/com/juick/tests/ApiTests.java +++ b/src/test/java/com/juick/tests/ApiTests.java @@ -12,6 +12,8 @@ import com.juick.server.TagQueries; import com.juick.server.UserQueries; import com.juick.server.protocol.JuickProtocol; import com.juick.server.protocol.ProtocolReply; +import com.juick.www.PageTemplates; +import org.apache.commons.lang3.StringEscapeUtils; import org.json.JSONArray; import org.junit.After; import org.junit.Before; @@ -36,7 +38,7 @@ public class ApiTests { DB db; @Before public void setupConnection() throws ManagedProcessException { - db = DB.newEmbeddedDB(3306); + db = DB.newEmbeddedDB(33306); db.start(); db.createDB("juick"); db.source("schema.sql"); @@ -88,6 +90,13 @@ public class ApiTests { assertEquals(1, SubscriptionsQueries.getUsersSubscribedToComments(jdbc, msg.getMID(), user.getUID()).size()); MessagesQueries.deleteMessage(jdbc, user_id, mid); MessagesQueries.deleteMessage(jdbc, user_id, mid2); + String htmlTagName = ">_<"; + Tag htmlTag = TagQueries.getTag(jdbc, htmlTagName, true); + String dbTagName = jdbc.queryForObject("select name from tags where name=?", String.class, StringEscapeUtils.escapeHtml4(htmlTagName)); + assertNotEquals("db tags should be escaped", dbTagName, htmlTag.getName()); + assertEquals("object tags should unescaped", htmlTag.getName(), StringEscapeUtils.unescapeHtml4(dbTagName)); + assertEquals("template should encode escaped tag in url and show escaped tag in name", + " *>_<", PageTemplates.formatTags(new ArrayList() {{ add(htmlTag); }} )); } @Test -- cgit v1.2.3