+3 -2

internal/handler/quote.go

reviewed

··· 2 2 3 3 import ( 4 4 "fmt" 5 5 + "html" 5 6 "net/http" 6 7 ) 7 8 ··· 9 10 func (h *Handler) QuoteHandler(w http.ResponseWriter, r *http.Request) { 10 11 ctx := r.Context() 11 12 12 12 - quote := r.FormValue("quote") 13 13 - author := r.FormValue("author") 13 13 + quote := html.UnescapeString(r.FormValue("quote")) 14 14 + author := html.UnescapeString(r.FormValue("author")) 14 15 15 16 if quote != "" && author != "" { 16 17 // Perl code did uri_unescape. net/http request parsing handles standard form encoding.

+63

internal/handler/quote_test.go

reviewed

··· 1 1 + package handler 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "net/http" 6 6 + "net/http/httptest" 7 7 + "net/url" 8 8 + "strings" 9 9 + "testing" 10 10 + "tumble/internal/config" 11 11 + "tumble/internal/data" 12 12 + ) 13 13 + 14 14 + // MockStore implements data.Store for testing 15 15 + type MockStore struct { 16 16 + data.Store // Embed interface to skip implementing everything 17 17 + LastQuote string 18 18 + LastAuthor string 19 19 + } 20 20 + 21 21 + func (m *MockStore) InsertQuote(ctx context.Context, quote, author string) error { 22 22 + m.LastQuote = quote 23 23 + m.LastAuthor = author 24 24 + return nil 25 25 + } 26 26 + 27 27 + func TestQuoteHandler_UnescapesInput(t *testing.T) { 28 28 + // Setup 29 29 + mockStore := &MockStore{} 30 30 + h := &Handler{ 31 31 + Store: mockStore, 32 32 + Config: &config.Config{}, 33 33 + } 34 34 + 35 35 + // Test Case: Encoded HTML entities 36 36 + // "I&quot;ve been to fort Dicks" -> "I"ve been to fort Dicks" 37 37 + form := url.Values{} 38 38 + form.Add("quote", "I&quot;ve been to fort Dicks") 39 39 + form.Add("author", "james&lt;white&gt;") 40 40 + 41 41 + req := httptest.NewRequest("POST", "/quote/", strings.NewReader(form.Encode())) 42 42 + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 43 43 + w := httptest.NewRecorder() 44 44 + 45 45 + // Execute 46 46 + h.QuoteHandler(w, req) 47 47 + 48 48 + // Verify 49 49 + if w.Code != http.StatusOK { 50 50 + t.Errorf("Expected status 200, got %d", w.Code) 51 51 + } 52 52 + 53 53 + // Check if the store received the UNESCAPED string 54 54 + expectedQuote := "I\"ve been to fort Dicks" 55 55 + if mockStore.LastQuote != expectedQuote { 56 56 + t.Errorf("Expected quote %q, got %q", expectedQuote, mockStore.LastQuote) 57 57 + } 58 58 + 59 59 + expectedAuthor := "james<white>" 60 60 + if mockStore.LastAuthor != expectedAuthor { 61 61 + t.Errorf("Expected author %q, got %q", expectedAuthor, mockStore.LastAuthor) 62 62 + } 63 63 + }

+1 -1

internal/templates/views/index.html

reviewed

··· 162 162 return div.innerHTML; 163 163 } 164 164 165 165 - // Global handler for video replacement 165 165 + // Global handler for video replacemen 166 166 window.replaceWithVideo = function(container) { 167 167 // Find URL from parent item 168 168 var item = container.closest('.item');