Escaping HTML entities (#76)

mageddo · Jul 10, 2020 · 72dbca2 · 72dbca2
1 parent 098c30e
commit 72dbca2
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 9 deletions.
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -1,3 +1,6 @@
+# 3.9.1
+* Escaping HTML entities 
+
 # 3.9.0
 * Set page title as the bookmark name when editing 
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.9.0
+3.9.1
diff --git a/src/main/java/com/mageddo/bookmarks/apiserver/SettingsController.java b/src/main/java/com/mageddo/bookmarks/apiserver/SettingsController.java
@@ -1,14 +1,9 @@
 package com.mageddo.bookmarks.apiserver;
 
-import java.util.List;
-
 import com.mageddo.bookmarks.entity.SettingEntity;
 import com.mageddo.bookmarks.exception.NotFoundException;
 import com.mageddo.bookmarks.service.SettingsService;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import io.micronaut.http.HttpResponse;
 import io.micronaut.http.MediaType;
 import io.micronaut.http.annotation.Body;
@@ -17,6 +12,13 @@
 import io.micronaut.http.annotation.Patch;
 import io.micronaut.http.annotation.QueryValue;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.unbescape.html.HtmlEscape;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
 import static io.micronaut.http.HttpResponse.badRequest;
 import static io.micronaut.http.HttpResponse.notFound;
 import static io.micronaut.http.HttpResponse.ok;
@@ -65,7 +67,12 @@ public HttpResponse _3(String version, @QueryValue("key") String key) {
       produces = MediaType.APPLICATION_JSON)
   public HttpResponse _4(String version, @Body List<SettingEntity> settings) {
     try {
-      settingsService.patch(settings);
+      settingsService.patch(
+          settings
+              .stream()
+              .map(it -> it.setValue(HtmlEscape.escapeHtml4(it.getValue())))
+              .collect(Collectors.toList())
+      );
       return ok();
     } catch (NotFoundException e) {
       logger.warn("status=not-found, msg={}", e.getMessage(), e);

diff --git a/src/main/java/thymeleaf/ThymeleafUtils.java b/src/main/java/thymeleaf/ThymeleafUtils.java
@@ -5,6 +5,9 @@
 import com.mageddo.bookmarks.service.SiteMapService;
 import com.mageddo.commons.UrlUtils;
 
+import org.commonmark.internal.util.Html5Entities;
+import org.unbescape.html.HtmlEscape;
+
 import static com.mageddo.config.ApplicationContextUtils.context;
 
 public final class ThymeleafUtils {
@@ -30,10 +33,10 @@ public static String analyticsId() {
   }
 
   public static String headerHtml(){
-    return context()
+    return HtmlEscape.unescapeHtml(context()
         .getBean(SettingsService.class)
         .findSetting(Setting.PUBLIC_PAGES_HEADER_HTML.name())
-        .getValue()
+        .getValue())
         ;
   }
 }