From 43040f1fda012aad3fdd47f4108a54990bd4c914 Mon Sep 17 00:00:00 2001
From: Michael Vitz <michael.vitz@innoq.com>
Date: Mon, 29 Dec 2014 10:16:38 +0100
Subject: [PATCH 1/2] Add URI escaping for hashtags.

Hashtags are now able to contain characters which aren't valid as query
parameter because these are now escaped.

Fixes #157.
---
 src/statuses/views/common.clj |  6 ++++--
 test/linkification.clj        | 13 ++++++++-----
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/statuses/views/common.clj b/src/statuses/views/common.clj
index 82b19a1..45d2c60 100644
--- a/src/statuses/views/common.clj
+++ b/src/statuses/views/common.clj
@@ -1,5 +1,7 @@
 (ns statuses.views.common
-  (:require [hiccup.util :refer [escape-html]]))
+  (:require [hiccup.core :refer [html]]
+            [hiccup.element :refer [link-to]]
+            [hiccup.util :refer [escape-html url]]))
 
 (defn icon [icon-name]
   [:span {:class (str "fa fa-" icon-name)}])
@@ -11,7 +13,7 @@
 
 (defn linkify [text]
   (let [handle  (fn [[_ m]] (str "@<a href='/statuses/updates?author=" m "'>" m "</a>"))
-        hashtag (fn [[_ m]] (str "#<a href='/statuses/updates?query=%23" m "'>" m "</a>"))
+        hashtag (fn [[_ m]] (html "#" (link-to (url "/statuses/updates" {:query (str "#" m)}) m)))
         anchor  (fn [[m _]] (str "<a href='" m "'>" m "</a>"))
         mailto  (fn [[m _]] (str "<a href='mailto:" m "'>" m "</a>"))]
     (-> text
diff --git a/test/linkification.clj b/test/linkification.clj
index a9cfa1a..4c1ad5c 100644
--- a/test/linkification.clj
+++ b/test/linkification.clj
@@ -19,13 +19,16 @@
 (deftest linkify-hashtags
   (is (=
       (linkify "lorem #hashtag ipsum")
-      "lorem #<a href='/statuses/updates?query=%23hashtag'>hashtag</a> ipsum"))
+      "lorem #<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a> ipsum"))
   (is (=
       (linkify "#hashtag lipsum")
-      "#<a href='/statuses/updates?query=%23hashtag'>hashtag</a> lipsum"))
+      "#<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a> lipsum"))
   (is (=
       (linkify "lipsum #hashtag")
-      "lipsum #<a href='/statuses/updates?query=%23hashtag'>hashtag</a>")))
+      "lipsum #<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a>"))
+  (is (=
+      (linkify "#WTF^2")
+      "#<a href=\"/statuses/updates?query=%23WTF%5E2\">WTF^2</a>")))
 
 (deftest linkify-uris-with-fragment-identifier
   (is (=
@@ -33,10 +36,10 @@
       "lorem <a href='http://example.org#anchor'>http://example.org#anchor</a> ipsum")))
   (is (=
       (linkify "#hashtag lipsum http://example.org#anchor-name")
-      "#<a href='/statuses/updates?query=%23hashtag'>hashtag</a> lipsum <a href='http://example.org#anchor-name'>http://example.org#anchor-name</a>"))
+      "#<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a> lipsum <a href='http://example.org#anchor-name'>http://example.org#anchor-name</a>"))
   (is (=
       (linkify "lipsum http://example.org#anchor-name #hashtag")
-      "lipsum <a href='http://example.org#anchor-name'>http://example.org#anchor-name</a> #<a href='/statuses/updates?query=%23hashtag'>hashtag</a>"))
+      "lipsum <a href='http://example.org#anchor-name'>http://example.org#anchor-name</a> #<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a>"))
 
 (deftest linkify-email-addresses
   (is (=

From 09accfeda4894dfaf10ca72db3ace0caff5fdb71 Mon Sep 17 00:00:00 2001
From: Michael Vitz <michael.vitz@innoq.com>
Date: Mon, 29 Dec 2014 10:32:07 +0100
Subject: [PATCH 2/2] Use hiccup for linkifying.

Using hiccup deals with many URL related stuff like escaping which
should be safer than assembling links by ourself.
---
 src/statuses/views/common.clj     | 10 +++++-----
 test/linkification.clj            | 26 +++++++++++++-------------
 test/statuses/views/test/atom.clj |  2 +-
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/src/statuses/views/common.clj b/src/statuses/views/common.clj
index 45d2c60..4f617e6 100644
--- a/src/statuses/views/common.clj
+++ b/src/statuses/views/common.clj
@@ -1,6 +1,6 @@
 (ns statuses.views.common
   (:require [hiccup.core :refer [html]]
-            [hiccup.element :refer [link-to]]
+            [hiccup.element :refer [link-to mail-to]]
             [hiccup.util :refer [escape-html url]]))
 
 (defn icon [icon-name]
@@ -12,10 +12,10 @@
 (def email #"([a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)")
 
 (defn linkify [text]
-  (let [handle  (fn [[_ m]] (str "@<a href='/statuses/updates?author=" m "'>" m "</a>"))
-        hashtag (fn [[_ m]] (html "#" (link-to (url "/statuses/updates" {:query (str "#" m)}) m)))
-        anchor  (fn [[m _]] (str "<a href='" m "'>" m "</a>"))
-        mailto  (fn [[m _]] (str "<a href='mailto:" m "'>" m "</a>"))]
+  (letfn [(handle  [[_ m]] (html "@" (link-to (url "/statuses/updates" {:author m}) m)))
+          (hashtag [[_ m]] (html "#" (link-to (url "/statuses/updates" {:query (str "#" m)}) m)))
+          (anchor  [[m _]] (html (link-to m m)))
+          (mailto  [[m _]] (html (mail-to m)))]
     (-> text
         escape-html
         (clojure.string/replace #"(?:^|(?<=\s))@(\w+)" handle)
diff --git a/test/linkification.clj b/test/linkification.clj
index 4c1ad5c..ffda2f1 100644
--- a/test/linkification.clj
+++ b/test/linkification.clj
@@ -8,13 +8,13 @@
 (deftest linkify-uris
   (is (=
       (linkify "lorem http://example.org ipsum")
-      "lorem <a href='http://example.org'>http://example.org</a> ipsum"))
+      "lorem <a href=\"http://example.org\">http://example.org</a> ipsum"))
   (is (=
       (linkify "http://example.org lipsum")
-      "<a href='http://example.org'>http://example.org</a> lipsum"))
+      "<a href=\"http://example.org\">http://example.org</a> lipsum"))
   (is (=
       (linkify "lipsum http://example.org")
-      "lipsum <a href='http://example.org'>http://example.org</a>")))
+      "lipsum <a href=\"http://example.org\">http://example.org</a>")))
 
 (deftest linkify-hashtags
   (is (=
@@ -33,38 +33,38 @@
 (deftest linkify-uris-with-fragment-identifier
   (is (=
       (linkify "lorem http://example.org#anchor ipsum")
-      "lorem <a href='http://example.org#anchor'>http://example.org#anchor</a> ipsum")))
+      "lorem <a href=\"http://example.org#anchor\">http://example.org#anchor</a> ipsum")))
   (is (=
       (linkify "#hashtag lipsum http://example.org#anchor-name")
-      "#<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a> lipsum <a href='http://example.org#anchor-name'>http://example.org#anchor-name</a>"))
+      "#<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a> lipsum <a href=\"http://example.org#anchor-name\">http://example.org#anchor-name</a>"))
   (is (=
       (linkify "lipsum http://example.org#anchor-name #hashtag")
-      "lipsum <a href='http://example.org#anchor-name'>http://example.org#anchor-name</a> #<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a>"))
+      "lipsum <a href=\"http://example.org#anchor-name\">http://example.org#anchor-name</a> #<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a>"))
 
 (deftest linkify-email-addresses
   (is (=
       (linkify "hello foo@example.org how are you")
-      "hello <a href='mailto:foo@example.org'>foo@example.org</a> how are you")))
+      "hello <a href=\"mailto:foo@example.org\">foo@example.org</a> how are you")))
 
 (deftest linkify-mentions
   (is (=
       (linkify "@foo")
-      "@<a href='/statuses/updates?author=foo'>foo</a>"))
+      "@<a href=\"/statuses/updates?author=foo\">foo</a>"))
   (is (=
       (linkify "@foo how are you")
-      "@<a href='/statuses/updates?author=foo'>foo</a> how are you"))
+      "@<a href=\"/statuses/updates?author=foo\">foo</a> how are you"))
   (is (=
       (linkify "how are you @foo")
-      "how are you @<a href='/statuses/updates?author=foo'>foo</a>"))
+      "how are you @<a href=\"/statuses/updates?author=foo\">foo</a>"))
   (is (=
       (linkify "nice to see @foo again")
-      "nice to see @<a href='/statuses/updates?author=foo'>foo</a> again"))
+      "nice to see @<a href=\"/statuses/updates?author=foo\">foo</a> again"))
   (is (=
       (linkify "@?")
       "@?"))
   (is (=
       (linkify "@foo: test")
-      "@<a href='/statuses/updates?author=foo'>foo</a>: test"))
+      "@<a href=\"/statuses/updates?author=foo\">foo</a>: test"))
   (is (=
       (linkify "@foo.bar test")
-      "@<a href='/statuses/updates?author=foo'>foo</a>.bar test")))
+      "@<a href=\"/statuses/updates?author=foo\">foo</a>.bar test")))
diff --git a/test/statuses/views/test/atom.clj b/test/statuses/views/test/atom.clj
index 6718d62..145fd87 100644
--- a/test/statuses/views/test/atom.clj
+++ b/test/statuses/views/test/atom.clj
@@ -56,7 +56,7 @@
 
     (is (= (get (entry (feed-with-entry {:text "@bar: http://www.test.de"})) 3)
            [:content {:type "html"}
-            "@&lt;a href=&apos;/statuses/updates?author=bar&apos;&gt;bar&lt;/a&gt;: &lt;a href=&apos;http://www.test.de&apos;&gt;http://www.test.de&lt;/a&gt;"])
+            "@&lt;a href=&quot;/statuses/updates?author=bar&quot;&gt;bar&lt;/a&gt;: &lt;a href=&quot;http://www.test.de&quot;&gt;http://www.test.de&lt;/a&gt;"])
       "content is linkified and escaped")
 
     (is (= (get (entry (feed-with-entry {:id 1337})) 4)