From 0ff59644d8e804bcab928d184b31a5e6cdc2f6ed Mon Sep 17 00:00:00 2001
From: Lisa Junger <ljunger@thoughtworks.com>
Date: Tue, 6 Jan 2015 16:30:57 +0100
Subject: Issue #182: Escape special chars in tag list.

---
 web-ui/app/js/services/mail_service.js         |  2 +-
 web-ui/app/js/tags/ui/tag.js                   | 19 +++++++++++++++++--
 web-ui/test/spec/services/mail_service.spec.js |  2 +-
 3 files changed, 19 insertions(+), 4 deletions(-)

(limited to 'web-ui')

diff --git a/web-ui/app/js/services/mail_service.js b/web-ui/app/js/services/mail_service.js
index 24bceb31..2e92f542 100644
--- a/web-ui/app/js/services/mail_service.js
+++ b/web-ui/app/js/services/mail_service.js
@@ -184,7 +184,7 @@ define(
       };
 
       function escaped(s) {
-        return encodeURI(s);
+        return encodeURIComponent(s);
       }
 
       this.excludeTrashedEmailsForDraftsAndSent = function (query) {
diff --git a/web-ui/app/js/tags/ui/tag.js b/web-ui/app/js/tags/ui/tag.js
index a77155a7..0d2d2ebf 100644
--- a/web-ui/app/js/tags/ui/tag.js
+++ b/web-ui/app/js/tags/ui/tag.js
@@ -43,7 +43,7 @@ define(
       this.viewFor = function (tag, template) {
         return template({
           tagName: tag.default ? i18n('tags.' + tag.name) : tag.name,
-          ident: tag.ident,
+          ident: this.hashIdent(tag.ident),
           count: this.badgeType(tag) === 'total' ? tag.counts.total : (tag.counts.total - tag.counts.read),
           displayBadge: this.displayBadge(tag),
           badgeType: this.badgeType(tag),
@@ -89,6 +89,21 @@ define(
         }
       };
 
+      this.hashIdent = function(ident) {
+        if (typeof ident === 'undefined') {
+          return '';
+        }
+        if (typeof ident === 'number') {
+          return ident;
+        }
+        if (ident.match(/^[a-zA-Z0-9 ]+$/)) {
+          return ident;
+        }
+
+        /*jslint bitwise: true */
+        return Math.abs(String(ident).split('').reduce(function(a,b){a=((a<<5)-a)+b.charCodeAt(0);return a&a;},0));
+      };
+
       this.removeSearchingClass = function() {
         if (this.attr.tag.name === 'all'){
           this.$node.removeClass('searching');
@@ -106,7 +121,7 @@ define(
       this.renderAndAttach = function (parent, data) {
         var rendered = this.viewFor(data.tag, templates.tags.tag);
         parent.append(rendered);
-        this.initialize('#tag-' + data.tag.ident, data);
+        this.initialize('#tag-' + this.hashIdent(data.tag.ident), data);
         this.on(parent, events.tags.teardown, this.teardown);
       };
     }
diff --git a/web-ui/test/spec/services/mail_service.spec.js b/web-ui/test/spec/services/mail_service.spec.js
index 55ca81c0..7e95f20a 100644
--- a/web-ui/test/spec/services/mail_service.spec.js
+++ b/web-ui/test/spec/services/mail_service.spec.js
@@ -201,7 +201,7 @@ describeComponent('services/mail_service', function () {
 
     this.component.trigger(Pixelated.events.ui.mails.fetchByTag, {tag: 'new tag'});
 
-    expect($.ajax.calls.mostRecent().args[0]).toContain(encodeURI('tag:"new tag"'));
+    expect($.ajax.calls.mostRecent().args[0]).toContain(encodeURIComponent('tag:"new tag"'));
   });
 
   it('sends the previous tag when mails:refresh is called without a tag (this happens when the refresher calls it)', function () {
-- 
cgit v1.2.3