From c7f6663c367cca8be3343a695d3f5ed052d781a0 Mon Sep 17 00:00:00 2001
From: rr- <rr-@sakuya.pl>
Date: Thu, 23 Jun 2016 12:19:32 +0200
Subject: [PATCH] client/general: escape entity names in links

---
 client/html/comment.tpl               |  4 ++--
 client/html/comments_page.tpl         |  2 +-
 client/html/post.tpl                  | 14 +++++++-------
 client/html/post_readonly_sidebar.tpl |  8 ++++----
 client/html/posts_page.tpl            |  4 ++--
 client/html/tag.tpl                   |  8 ++++----
 client/html/tag_category_row.tpl      |  2 +-
 client/html/tag_delete.tpl            |  2 +-
 client/html/user.tpl                  |  6 +++---
 client/html/user_summary.tpl          |  6 +++---
 client/html/users_page.tpl            |  4 ++--
 client/js/util/views.js               |  8 +++++---
 12 files changed, 35 insertions(+), 33 deletions(-)

diff --git a/client/html/comment.tpl b/client/html/comment.tpl
index 520d372..da91a03 100644
--- a/client/html/comment.tpl
+++ b/client/html/comment.tpl
@@ -1,7 +1,7 @@
 <div class='comment'>
     <div class='avatar'>
         <% if (ctx.comment.user.name && ctx.canViewUsers) { %>
-            <a href='/user/<%- ctx.comment.user.name %>'>
+            <a href='/user/<%- encodeURIComponent(ctx.comment.user.name) %>'>
         <% } %>
 
         <%= ctx.makeThumbnail(ctx.comment.user.avatarUrl) %>
@@ -15,7 +15,7 @@
         <header><!--
             --><span class='nickname'><!--
                 --><% if (ctx.comment.user.name && ctx.canViewUsers) { %><!--
-                    --><a href='/user/<%- ctx.comment.user.name %>'><!--
+                    --><a href='/user/<%- encodeURIComponent(ctx.comment.user.name) %>'><!--
                 --><% } %><!--
 
                 --><%- ctx.comment.user.name %><!--
diff --git a/client/html/comments_page.tpl b/client/html/comments_page.tpl
index 57008b7..4f956d4 100644
--- a/client/html/comments_page.tpl
+++ b/client/html/comments_page.tpl
@@ -4,7 +4,7 @@
             --><li><!--
                 --><div class='post-thumbnail'><!--
                     --><% if (ctx.canViewPosts) { %><!--
-                        --><a href='/post/<%- post.id %>'><!--
+                        --><a href='/post/<%- encodeURIComponent(post.id) %>'><!--
                     --><% } %><!--
                         --><%= ctx.makeThumbnail(post.thumbnailUrl) %><!--
                     --><% if (ctx.canViewPosts) { %><!--
diff --git a/client/html/post.tpl b/client/html/post.tpl
index a4dc638..ecb4ba8 100644
--- a/client/html/post.tpl
+++ b/client/html/post.tpl
@@ -4,9 +4,9 @@
             <article class='next-post'>
                 <% if (ctx.nextPostId) { %>
                     <% if (ctx.searchQuery && ctx.searchQuery.text) { %>
-                        <a href='/post/<%- ctx.nextPostId %>/text=<%- ctx.searchQuery.text %>'>
+                        <a href='/post/<%- encodeURIComponent(ctx.nextPostId) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
                     <% } else { %>
-                        <a href='/post/<%- ctx.nextPostId %>'>
+                        <a href='/post/<%- encodeURIComponent(ctx.nextPostId) %>'>
                     <% } %>
                 <% } else { %>
                     <a class='inactive'>
@@ -18,9 +18,9 @@
             <article class='previous-post'>
                 <% if (ctx.prevPostId) { %>
                     <% if (ctx.searchQuery && ctx.searchQuery.text) { %>
-                        <a href='/post/<%- ctx.prevPostId %>/text=<%- ctx.searchQuery.text %>'>
+                        <a href='/post/<%- encodeURIComponent(ctx.prevPostId) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
                     <% } else { %>
-                        <a href='/post/<%- ctx.prevPostId %>'>
+                        <a href='/post/<%- encodeURIComponent(ctx.prevPostId) %>'>
                     <% } %>
                 <% } else { %>
                     <a class='inactive'>
@@ -31,16 +31,16 @@
             </article>
             <article class='edit-post'>
                 <% if (ctx.editMode) { %>
-                    <a href='/post/<%- ctx.post.id %>'>
+                    <a href='/post/<%- encodeURIComponent(ctx.post.id) %>'>
                         <i class='fa fa-eye'></i>
                         <span class='vim-nav-hint'>Back to view mode</span>
                     </a>
                 <% } else { %>
                     <% if (ctx.canEditPosts) { %>
                         <% if (ctx.searchQuery && ctx.searchQuery.text) { %>
-                            <a href='/post/<%- ctx.post.id %>/edit/text=<%- ctx.searchQuery.text %>'>
+                            <a href='/post/<%- encodeURIComponent(ctx.post.id) %>/edit/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
                         <% } else { %>
-                            <a href='/post/<%- ctx.post.id %>/edit'>
+                            <a href='/post/<%- encodeURIComponent(ctx.post.id) %>/edit'>
                         <% } %>
                     <% } else { %>
                         <a class='inactive'>
diff --git a/client/html/post_readonly_sidebar.tpl b/client/html/post_readonly_sidebar.tpl
index 44cccc5..810cb34 100644
--- a/client/html/post_readonly_sidebar.tpl
+++ b/client/html/post_readonly_sidebar.tpl
@@ -33,8 +33,8 @@
 
     <section class='search'>
         Search on
-        <a href='http://iqdb.org/?url=<%- ctx.post.contentUrl %>'>IQDB</a> &middot;
-        <a href='https://www.google.com/searchbyimage?&image_url=<%- ctx.post.contentUrl %>'>Google Images</a>
+        <a href='http://iqdb.org/?url=<%- encodeURIComponent(ctx.post.contentUrl) %>'>IQDB</a> &middot;
+        <a href='https://www.google.com/searchbyimage?&image_url=<%- encodeURIComponent(ctx.post.contentUrl) %>'>Google Images</a>
     </section>
 
     <section class='social'>
@@ -50,14 +50,14 @@
         --><% for (let tag of ctx.post.tags) { %><!--
             --><li><!--
                 --><% if (ctx.canViewTags) { %><!--
-                --><a href='/tag/<%- tag %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
+                --><a href='/tag/<%- encodeURIComponent(tag) %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
                     --><i class='fa fa-tag'></i><!--
                 --><% } %><!--
                 --><% if (ctx.canListPosts) { %><!--
                     --></a><!--
                 --><% } %><!--
                 --><% if (ctx.canListPosts) { %><!--
-                    --><a href='/posts/text=<%- tag %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
+                    --><a href='/posts/text=<%- encodeURIComponent(tag) %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
                 --><% } %><!--
                     --><%- tag %><!--
                 --><% if (ctx.canListPosts) { %><!--
diff --git a/client/html/posts_page.tpl b/client/html/posts_page.tpl
index 6eb6cd2..5e2b3e8 100644
--- a/client/html/posts_page.tpl
+++ b/client/html/posts_page.tpl
@@ -5,9 +5,9 @@
                 <li>
                     <% if (ctx.canViewPosts) { %>
                         <% if (ctx.searchQuery && ctx.searchQuery.text) { %>
-                            <a href='/post/<%- post.id %>/text=<%- ctx.searchQuery.text %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
+                            <a href='/post/<%- encodeURIComponent(post.id) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
                         <% } else { %>
-                            <a href='/post/<%- post.id %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
+                            <a href='/post/<%- encodeURIComponent(post.id) %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
                         <% } %>
                     <% } else { %>
                         <a>
diff --git a/client/html/tag.tpl b/client/html/tag.tpl
index 239c2f3..8e959dd 100644
--- a/client/html/tag.tpl
+++ b/client/html/tag.tpl
@@ -2,15 +2,15 @@
     <h1><%- ctx.tag.names[0] %></h1>
     <nav class='buttons'><!--
         --><ul><!--
-            --><li data-name='summary'><a href='/tag/<%- ctx.tag.names[0] %>'>Summary</a></li><!--
+            --><li data-name='summary'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>'>Summary</a></li><!--
             --><% if (ctx.canMerge) { %><!--
-                --><li data-name='edit'><a href='/tag/<%- ctx.tag.names[0] %>/edit'>Edit</a></li><!--
+                --><li data-name='edit'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/edit'>Edit</a></li><!--
             --><% } %><!--
             --><% if (ctx.canMerge) { %><!--
-                --><li data-name='merge'><a href='/tag/<%- ctx.tag.names[0] %>/merge'>Merge with&hellip;</a></li><!--
+                --><li data-name='merge'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/merge'>Merge with&hellip;</a></li><!--
             --><% } %><!--
             --><% if (ctx.canDelete) { %><!--
-                --><li data-name='delete'><a href='/tag/<%- ctx.tag.names[0] %>/delete'>Delete</a></li><!--
+                --><li data-name='delete'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/delete'>Delete</a></li><!--
             --><% } %><!--
         --></ul><!--
     --></nav>
diff --git a/client/html/tag_category_row.tpl b/client/html/tag_category_row.tpl
index db89fa2..18897ea 100644
--- a/client/html/tag_category_row.tpl
+++ b/client/html/tag_category_row.tpl
@@ -17,7 +17,7 @@
     </td>
     <td class='usages'>
         <% if (ctx.tagCategory.name) { %>
-            <a href='/tags/text=category:<%- ctx.tagCategory.name %>'>
+            <a href='/tags/text=category:<%- encodeURIComponent(ctx.tagCategory.name) %>'>
                 <%- ctx.tagCategory.tagCount %>
             </a>
         <% } else { %>
diff --git a/client/html/tag_delete.tpl b/client/html/tag_delete.tpl
index d74ec5f..6f53c23 100644
--- a/client/html/tag_delete.tpl
+++ b/client/html/tag_delete.tpl
@@ -2,7 +2,7 @@
     <form>
         <% if (ctx.tag.postCount) { %>
             <p>For extra <s>paranoia</s> safety, only tags that are unused can be deleted.</p>
-            <p>Check <a href='/posts/text=<%- ctx.tag.names[0] %>'>which posts</a> are tagged with <%- ctx.tag.names[0] %>.</p>
+            <p>Check <a href='/posts/text=<%- encodeURIComponent(ctx.tag.names[0]) %>'>which posts</a> are tagged with <%- ctx.tag.names[0] %>.</p>
         <% } else { %>
             <div class='input'>
                 <ul>
diff --git a/client/html/user.tpl b/client/html/user.tpl
index ad00cdb..4e7d00a 100644
--- a/client/html/user.tpl
+++ b/client/html/user.tpl
@@ -2,12 +2,12 @@
     <h1><%- ctx.user.name %></h1>
     <nav class='buttons'><!--
         --><ul><!--
-            --><li data-name='summary'><a href='/user/<%- ctx.user.name %>'>Summary</a></li><!--
+            --><li data-name='summary'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>'>Summary</a></li><!--
             --><% if (ctx.canEditAnything) { %><!--
-                --><li data-name='edit'><a href='/user/<%- ctx.user.name %>/edit'>Account settings</a></li><!--
+                --><li data-name='edit'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>/edit'>Account settings</a></li><!--
             --><% } %><!--
             --><% if (ctx.canDelete) { %><!--
-                --><li data-name='delete'><a href='/user/<%- ctx.user.name %>/delete'>Account deletion</a></li><!--
+                --><li data-name='delete'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>/delete'>Account deletion</a></li><!--
             --><% } %><!--
         --></ul><!--
     --></nav>
diff --git a/client/html/user_summary.tpl b/client/html/user_summary.tpl
index 3595ea5..314db77 100644
--- a/client/html/user_summary.tpl
+++ b/client/html/user_summary.tpl
@@ -10,9 +10,9 @@
         <nav>
             <p><strong>Quick links</strong></p>
             <ul>
-                <li><a href='/posts/text=submit:<%- ctx.user.name %>'><%- ctx.user.uploadedPostCount %> uploads</a></li>
-                <li><a href='/posts/text=fav:<%- ctx.user.name %>'><%- ctx.user.favoritePostCount %> favorites</a></li>
-                <li><a href='/posts/text=comment:<%- ctx.user.name %>'><%- ctx.user.commentCount %> comments</a></li>
+                <li><a href='/posts/text=submit:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.uploadedPostCount %> uploads</a></li>
+                <li><a href='/posts/text=fav:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.favoritePostCount %> favorites</a></li>
+                <li><a href='/posts/text=comment:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.commentCount %> comments</a></li>
             </ul>
         </nav>
 
diff --git a/client/html/users_page.tpl b/client/html/users_page.tpl
index 58ae01b..61b07f8 100644
--- a/client/html/users_page.tpl
+++ b/client/html/users_page.tpl
@@ -4,7 +4,7 @@
             --><li>
                 <div class='wrapper'>
                     <% if (ctx.canViewUsers) { %>
-                        <a class='image' href='/user/<%- user.name %>'>
+                        <a class='image' href='/user/<%- encodeURIComponent(user.name) %>'>
                     <% } %>
                         <%= ctx.makeThumbnail(user.avatarUrl) %>
                     <% if (ctx.canViewUsers) { %>
@@ -12,7 +12,7 @@
                     <% } %>
                     <div class='details'>
                         <% if (ctx.canViewUsers) { %>
-                            <a href='/user/<%- user.name %>'>
+                            <a href='/user/<%- encodeURIComponent(user.name) %>'>
                         <% } %>
                             <%- user.name %>
                         <% if (ctx.canViewUsers) { %>
diff --git a/client/js/util/views.js b/client/js/util/views.js
index b3b401a..a8af438 100644
--- a/client/js/util/views.js
+++ b/client/js/util/views.js
@@ -149,7 +149,8 @@ function makeColorInput(options) {
 function makePostLink(id) {
     const text = '@' + id;
     return api.hasPrivilege('posts:view') ?
-        makeNonVoidElement('a', {'href': '/post/' + id}, text) :
+        makeNonVoidElement(
+            'a', {'href': '/post/' + encodeURIComponent(id)}, text) :
         text;
 }
 
@@ -159,7 +160,7 @@ function makeTagLink(name) {
     return api.hasPrivilege('tags:view') ?
         makeNonVoidElement(
             'a', {
-                'href': '/tag/' + name,
+                'href': '/tag/' + encodeURIComponent(name),
                 'class': misc.makeCssName(category, 'tag'),
             }, name) :
         makeNonVoidElement(
@@ -172,7 +173,8 @@ function makeTagLink(name) {
 function makeUserLink(user) {
     const text = makeThumbnail(user.avatarUrl) + user.name;
     const link = api.hasPrivilege('users:view') ?
-        makeNonVoidElement('a', {'href': '/user/' + user.name}, text) :
+        makeNonVoidElement(
+            'a', {'href': '/user/' + encodeURIComponent(user.name)}, text) :
         text;
     return makeNonVoidElement('span', {class: 'user'}, link);
 }