escape HTML unsafe characters properly

jenkinsci · Sep 8, 2012 · 6dcbef2 · 6dcbef2
1 parent 4c405be
commit 6dcbef2
Show file tree

Hide file tree

Showing 12 changed files with 18 additions and 5 deletions.
diff --git a/src/main/java/hudson/plugins/violations/render/FileModelProxy.java b/src/main/java/hudson/plugins/violations/render/FileModelProxy.java
@@ -2,6 +2,8 @@
 
 import java.util.Map;
 import java.util.Set;
+
+import hudson.Functions;
 import hudson.model.AbstractBuild;
 
 import java.util.logging.Level;
@@ -249,14 +251,14 @@ public String severityColumn(Violation v) {
         b.append("<tr>\n");
         b.append("<th>Class</th>\n");
         b.append("<td>");
-        b.append(v.getSource());
+        b.append(Functions.escape(v.getSource()));
         b.append("</td>\n");
         b.append("</tr>\n");
 
         b.append("<tr>\n");
         b.append("<th>Detail</th>\n");
         b.append("<td class='message'>");
-        b.append(v.getSourceDetail());
+        b.append(Functions.escape(v.getSourceDetail()));
         b.append("</td>\n");
         b.append("</tr>\n");
 

diff --git a/src/main/resources/hudson/plugins/violations/ViolationsBuildAction/summary.jelly b/src/main/resources/hudson/plugins/violations/ViolationsBuildAction/summary.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core"
          xmlns:st="jelly:stapler"
          xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson"

diff --git a/src/main/resources/hudson/plugins/violations/ViolationsProjectAction/floatingBox.jelly b/src/main/resources/hudson/plugins/violations/ViolationsProjectAction/floatingBox.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core"
          xmlns:st="jelly:stapler"
          xmlns:d="jelly:define"

diff --git a/src/main/resources/hudson/plugins/violations/ViolationsPublisher/config.jelly b/src/main/resources/hudson/plugins/violations/ViolationsPublisher/config.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler"
          xmlns:d="jelly:define" xmlns:l="/lib/layout"
          xmlns:t="/lib/hudson" xmlns:f="/lib/form">

diff --git a/src/main/resources/hudson/plugins/violations/ViolationsReport/index.jelly b/src/main/resources/hudson/plugins/violations/ViolationsReport/index.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout"
          xmlns:t="/lib/hudson" xmlns:f="/lib/form"
          xmlns:v="/hudson/plugins/violations/tags"

diff --git a/...n/resources/hudson/plugins/violations/hudson/maven/ViolationsAggregatedReport/index.jelly b/...n/resources/hudson/plugins/violations/hudson/maven/ViolationsAggregatedReport/index.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly
   xmlns:j="jelly:core" xmlns:st="jelly:stapler"
   xmlns:d="jelly:define" xmlns:l="/lib/layout"

diff --git a/...hudson/plugins/violations/hudson/maven/ViolationsMavenAggregatedBuildAction/summary.jelly b/...hudson/plugins/violations/hudson/maven/ViolationsMavenAggregatedBuildAction/summary.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core"
          xmlns:st="jelly:stapler"
          xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson"

diff --git a/.../plugins/violations/hudson/maven/ViolationsMavenAggregatedProjectAction/floatingBox.jelly b/.../plugins/violations/hudson/maven/ViolationsMavenAggregatedProjectAction/floatingBox.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core"
          xmlns:st="jelly:stapler"
          xmlns:d="jelly:define"

diff --git a/src/main/resources/hudson/plugins/violations/render/FileModelProxy/index.jelly b/src/main/resources/hudson/plugins/violations/render/FileModelProxy/index.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler"
          xmlns:d="jelly:define" xmlns:l="/lib/layout"
          xmlns:t="/lib/hudson" xmlns:f="/lib/form">
@@ -27,7 +28,7 @@
       <j:forEach var="t" items="${model.typeMap.entrySet()}">
         <table class="pane">
           <tbody>
-            <tr><td class="pane-header" colspan="5">${it.typeLine(t.key)}</td></tr>
+            <tr><td class="pane-header" colspan="5"><j:out value="${it.typeLine(t.key)}"/></td></tr>
             <j:forEach var="v" items="${t.value}">
               <tr>
                 <td class="pane">
@@ -39,7 +40,7 @@
                   </j:if>
                 </td>
                 <!--<td class="pane">${v.source}</td> -->
-                <td class="pane">${it.severityColumn(v)}</td>
+                <td class="pane"><j:out value="${it.severityColumn(v)}"/></td>
                 <td class="pane" width="99%">${v.message}</td>
               </tr>
             </j:forEach>
@@ -48,7 +49,7 @@
         <p></p>
       </j:forEach>
 
-      ${it.fileContent}
+      <j:out value="${it.fileContent}"/>
 
       <!--
       <j:set var="line" value="${model.nextLine}"/>

diff --git a/src/main/resources/hudson/plugins/violations/render/NoViolationsFile/index.jelly b/src/main/resources/hudson/plugins/violations/render/NoViolationsFile/index.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler"
          xmlns:d="jelly:define" xmlns:l="/lib/layout"
          xmlns:t="/lib/hudson" xmlns:f="/lib/form">

diff --git a/src/main/resources/hudson/plugins/violations/tags/numberdiff.jelly b/src/main/resources/hudson/plugins/violations/tags/numberdiff.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly
   xmlns:j="jelly:core"
   xmlns:st="jelly:stapler"

diff --git a/src/main/resources/hudson/plugins/violations/tags/reporttable.jelly b/src/main/resources/hudson/plugins/violations/tags/reporttable.jelly
@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <!--
      Attributes:
      report: the violationsReport (may be null)