🐛 Fix b3log#12344

88250 · 88250 · commit 6353abbcef66 · 2017-08-31T00:07:39.000+08:00
diff --git a/src/main/java/org/b3log/solo/processor/CommentProcessor.java b/src/main/java/org/b3log/solo/processor/CommentProcessor.java
@@ -15,7 +15,6 @@
  */
 package org.b3log.solo.processor;
 
-
 import freemarker.template.Template;
 import org.b3log.latke.Keys;
 import org.b3log.latke.ioc.inject.Inject;
@@ -48,13 +47,12 @@
 import java.util.HashMap;
 import java.util.Map;
 
-
 /**
  * Comment processor.
  *
  * @author <a href="http://88250.b3log.org">Liang Ding</a>
  * @author ArmstrongCN
- * @version 1.3.2.14, May 21, 2017
+ * @version 1.3.3.0, Aug 31, 2017
  * @since 0.3.1
  */
 @RequestProcessor
@@ -295,7 +293,6 @@ public void addArticleComment(final HTTPRequestContext context) throws ServletEx
                 template.process(dataModel, stringWriter);
                 stringWriter.close();
                 String cmtTpl = stringWriter.toString();
-                cmtTpl = Emotions.convert(cmtTpl);
 
                 addResult.put("cmtTpl", cmtTpl);
             } catch (final Exception e) {
diff --git a/src/main/java/org/b3log/solo/service/CommentMgmtService.java b/src/main/java/org/b3log/solo/service/CommentMgmtService.java
@@ -58,7 +58,7 @@
  * Comment management service.
  *
  * @author <a href="http://88250.b3log.org">Liang Ding</a>
- * @version 1.3.2.12, Jul 20, 2017
+ * @version 1.3.3.0, Aug 31, 2017
  * @since 0.3.5
  */
 @Service
@@ -355,13 +355,7 @@ public JSONObject checkAddCommentRequest(final JSONObject requestJSONObject) {
             commentName = Jsoup.clean(commentName, Whitelist.none());
             requestJSONObject.put(Comment.COMMENT_NAME, commentName);
 
-            // content Markdown & XSS process 
-            commentContent = Markdowns.toHTML(commentContent);
-            commentContent = Jsoup.clean(commentContent, Whitelist.relaxed());
-
-            // Emoji
             commentContent = Emotions.toAliases(commentContent);
-
             requestJSONObject.put(Comment.COMMENT_CONTENT, commentContent);
 
             return ret;
@@ -582,7 +576,10 @@ public JSONObject addArticleComment(final JSONObject requestJSONObject) throws S
             ret.put(Common.PERMALINK, article.getString(Article.ARTICLE_PERMALINK));
 
             ret.put(Comment.COMMENT_NAME, commentName);
-            ret.put(Comment.COMMENT_CONTENT, commentContent);
+            String cmtContent = Emotions.convert(commentContent);
+            cmtContent = Markdowns.toHTML(cmtContent);
+            cmtContent = Jsoup.clean(cmtContent, Whitelist.relaxed());
+            ret.put(Comment.COMMENT_CONTENT, cmtContent);
             ret.put(Comment.COMMENT_URL, commentURL);
 
             if (!Strings.isEmptyOrNull(originalCommentId)) {
diff --git a/src/main/java/org/b3log/solo/service/CommentQueryService.java b/src/main/java/org/b3log/solo/service/CommentQueryService.java
@@ -40,6 +40,8 @@
 import org.b3log.solo.util.Thumbnails;
 import org.json.JSONArray;
 import org.json.JSONObject;
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Whitelist;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
@@ -50,7 +52,7 @@
  * Comment query service.
  *
  * @author <a href="http://88250.b3log.org">Liang Ding</a>
- * @version 1.3.1.9, Jun 15, 2017
+ * @version 1.3.2.0, Aug 31, 2017
  * @since 0.3.5
  */
 @Service
@@ -190,6 +192,7 @@ public JSONObject getComments(final JSONObject requestJSONObject) throws Service
                 String commentContent = comment.optString(Comment.COMMENT_CONTENT);
                 commentContent = Emotions.convert(commentContent);
                 commentContent = Markdowns.toHTML(commentContent);
+                commentContent = Jsoup.clean(commentContent, Whitelist.relaxed());
                 comment.put(Comment.COMMENT_CONTENT, commentContent);
 
                 comment.put(Comment.COMMENT_TIME, ((Date) comment.get(Comment.COMMENT_DATE)).getTime());
@@ -253,6 +256,7 @@ public List<JSONObject> getComments(final String onId) throws ServiceException {
                 String commentContent = comment.optString(Comment.COMMENT_CONTENT);
                 commentContent = Emotions.convert(commentContent);
                 commentContent = Markdowns.toHTML(commentContent);
+                commentContent = Jsoup.clean(commentContent, Whitelist.relaxed());
                 comment.put(Comment.COMMENT_CONTENT, commentContent);
 
                 ret.add(comment);
