From b29e88c18eefae19778e6a761e8b1af6480c8c84 Mon Sep 17 00:00:00 2001
From: patbos <patbos@patbos.com>
Date: Mon, 10 Mar 2014 10:23:13 +0100
Subject: [PATCH] JENKINS-22100 Added escape of messages in changelog

---
 src/main/webapp/pipe.js          | 59 +++++++++++++++++---------------
 src/test/javascript/pipe-test.js | 26 ++++++++++++++
 2 files changed, 58 insertions(+), 27 deletions(-)

diff --git a/src/main/webapp/pipe.js b/src/main/webapp/pipe.js
index 27215f0b3..f4d727af0 100644
--- a/src/main/webapp/pipe.js
+++ b/src/main/webapp/pipe.js
@@ -12,7 +12,7 @@ function updatePipelines(divNames, errorDiv, view, showAvatars, showChanges, tim
             }, timeout);
         },
         error: function (xhr, status, error) {
-            Q("#" + errorDiv).html('Error communicating to server! ' + error);
+            Q("#" + errorDiv).html('Error communicating to server! ' + htmlEncode(error));
             Q("#" + errorDiv).show();
             plumb.repaintEverything();
             setTimeout(function () {
@@ -44,7 +44,7 @@ function refreshPipelines(data, divNames, errorDiv, view, showAvatars, showChang
         for (var c = 0; c < data.pipelines.length; c++) {
             var component = data.pipelines[c];
             var html = "<section class='component'>";
-            html = html + "<h1>" + component.name + "</h1>";
+            html = html + "<h1>" + htmlEncode(component.name) + "</h1>";
             if (component.pipelines.length == 0) {
                 html = html + "No builds done yet.";
             }
@@ -56,7 +56,7 @@ function refreshPipelines(data, divNames, errorDiv, view, showAvatars, showChang
                 if (pipeline.triggeredBy && pipeline.triggeredBy.length > 0) {
                     for (var y = 0; y < pipeline.triggeredBy.length; y++) {
                         var trigger = pipeline.triggeredBy[y];
-                        triggered = triggered + ' <span class="' + trigger.type + '">' + trigger.description + '</span>';
+                        triggered = triggered + ' <span class="' + trigger.type + '">' + htmlEncode(trigger.description) + '</span>';
                     }
                     if (y < pipeline.triggeredBy.length - 1) {
                         triggered = triggered + ", ";
@@ -66,35 +66,17 @@ function refreshPipelines(data, divNames, errorDiv, view, showAvatars, showChang
                 if (pipeline.aggregated) {
                     html = html + '<h1>Aggregated view</h1>'
                 } else {
-                    html = html + '<h1>' + pipeline.version;
+                    html = html + '<h1>' + htmlEncode(pipeline.version);
                     if (triggered != "") {
                         html = html + " triggered by " + triggered;
                     }
                     html = html + ' started <span id="' + pipeline.id + '\">' + formatDate(pipeline.timestamp, lastUpdate) + '</span></h1>';
 
                     if (showChanges && pipeline.changes && pipeline.changes.length > 0) {
-                        html = html + '<div class="changes">';
-                        html = html + '<h1>Changes:</h1>';
-                        for (var o = 0; o < pipeline.changes.length; o++) {
-                            html = html + '<div class="change">';
-                            var change = pipeline.changes[o];
-                            html = html + '<div class="change-author">' + change.author.name + '</div>';
-                            if (change.changeLink) {
-                                html = html + '<div class="change-message"><a href="' + change.changeLink + '">' + change.message + '</a></div>';
-                            } else {
-                                html = html + '<div class="change-message">' + change.message + '</div>';
-                            }
-                            html = html + '</div>';
-                        }
-                        html = html + '</div>';
-
-
+                        html = html + generateChangeLog(pipeline.changes);
                     }
-
-
                 }
 
-
                 var row = 0;
                 var column = 0;
 
@@ -116,7 +98,7 @@ function refreshPipelines(data, divNames, errorDiv, view, showAvatars, showChang
                     }
 
                     html = html + '<section id="' + getStageId(stage.name, i) + '" class="stage ' + getStageClassName(stage.name) + '">';
-                    html = html + '<div class="stage-header"><span class="stage-name">' + stage.name + '</span>';
+                    html = html + '<div class="stage-header"><span class="stage-name">' + htmlEncode(stage.name) + '</span>';
                     if (!pipeline.aggregated) {
                         html = html + '</div>'
                     } else {
@@ -124,7 +106,7 @@ function refreshPipelines(data, divNames, errorDiv, view, showAvatars, showChang
                         if (!stageversion) {
                             stageversion = "N/A"
                         }
-                        html = html + ' <span class="stage-version">' + stageversion + '</span></div>'
+                        html = html + ' <span class="stage-version">' + htmlEncode(stageversion) + '</span></div>'
                     }
                     for (var k = 0; k < stage.tasks.length; k++) {
                         var task = stage.tasks[k];
@@ -136,7 +118,7 @@ function refreshPipelines(data, divNames, errorDiv, view, showAvatars, showChang
                         tasks.push({id: id, taskId: task.id, buildId: task.buildId});
 
                         html = html + "<div id=\"" + id + "\" class=\"task " + task.status.type +
-                            "\"><div class=\"taskname\"><a href=\"" + task.link + "\">" + task.name + "</a></div>";
+                            "\"><div class=\"taskname\"><a href=\"" + task.link + "\">" + htmlEncode(task.name) + "</a></div>";
 
                         if (timestamp != "") {
                             html = html + "<span id=\"" + id + ".timestamp\" class='timestamp'>" + timestamp + "</span>"
@@ -186,7 +168,7 @@ function refreshPipelines(data, divNames, errorDiv, view, showAvatars, showChang
                                         [ "Arrow", { location: 1}]
                                     ],
                                     cssClass: "relation",
-                                    connector: ["Flowchart", { stub: 25, gap: 2, midpoint: 1, alwaysRespectStubs:true } ],
+                                    connector: ["Flowchart", { stub: 25, gap: 2, midpoint: 1, alwaysRespectStubs: true } ],
                                     paintStyle: { lineWidth: 2, strokeStyle: "rgba(0,0,0,0.5)" },
                                     drawEndpoints: false
                                 });
@@ -226,6 +208,24 @@ function refreshPipelines(data, divNames, errorDiv, view, showAvatars, showChang
     plumb.repaintEverything();
 }
 
+function generateChangeLog(changes) {
+    var html = '<div class="changes">';
+    html = html + '<h1>Changes:</h1>';
+    for (var i = 0; i < changes.length; i++) {
+        html = html + '<div class="change">';
+        var change = changes[i];
+        html = html + '<div class="change-author">' + htmlEncode(change.author.name) + '</div>';
+        if (change.changeLink) {
+            html = html + '<div class="change-message"><a href="' + change.changeLink + '">' + htmlEncode(change.message) + '</a></div>';
+        } else {
+            html = html + '<div class="change-message">' + htmlEncode(change.message) + '</div>';
+        }
+        html = html + '</div>';
+    }
+    html = html + '</div>';
+    return html;
+}
+
 function getStageClassName(stagename) {
     return "stage_" + replace(stagename, " ", "_");
 }
@@ -268,6 +268,11 @@ function formatDuration(millis) {
     return "0 sec";
 }
 
+function htmlEncode(html) {
+    html = document.createElement('a').appendChild(
+        document.createTextNode(html)).parentNode.innerHTML;
+    return html.replace(/\n/g, '<br/>');
+}
 function getStageId(name, count) {
     var re = new RegExp(' ', 'g');
     return name.replace(re, '_') + "_" + count;
diff --git a/src/test/javascript/pipe-test.js b/src/test/javascript/pipe-test.js
index d72f722bc..d44def8b6 100644
--- a/src/test/javascript/pipe-test.js
+++ b/src/test/javascript/pipe-test.js
@@ -23,3 +23,29 @@ describe("getStageClassName", function() {
         expect(getStageClassName("QA 1")).toEqual("stage_QA_1");
     });
 });
+
+describe("htmlEncode", function() {
+    it("correctly returns html safe strings", function() {
+        expect(htmlEncode("Line1\nLine2")).toEqual("Line1<br/>Line2");
+        expect(htmlEncode("<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>")).toEqual("&lt;project.reporting.outputEncoding&gt;UTF-8&lt;/project.reporting.outputEncoding&gt;");
+    });
+});
+
+describe("generateChangeLog", function() {
+    it("Linebreak in changelog comment", function() {
+        var data = JSON.parse('{"changes":[{"author":{"name":"Firstname Lastname","avatarUrl":null,"url":"user/user"},"changeLink":null,"commitId":"2718","message":"Firstline\\nSecondLine"}]}');
+        expect(generateChangeLog(data.changes)).toEqual('<div class="changes"><h1>Changes:</h1><div class="change"><div class="change-author">Firstname Lastname</div><div class="change-message">Firstline<br/>SecondLine</div></div></div>');
+    });
+    it("XML in changelog comment", function() {
+        var data = JSON.parse('{"changes":[{"author":{"name":"Firstname Lastname","avatarUrl":null,"url":"user/user"},"changeLink":null,"commitId":"2718","message":"<xml>data</xml>"}]}');
+        expect(generateChangeLog(data.changes)).toEqual('<div class="changes"><h1>Changes:</h1><div class="change"><div class="change-author">Firstname Lastname</div><div class="change-message">&lt;xml&gt;data&lt;/xml&gt;</div></div></div>');
+    });
+    it("Swedish characters in changelog comment", function() {
+        var data = JSON.parse('{"changes":[{"author":{"name":"Firstname Lastname","avatarUrl":null,"url":"user/user"},"changeLink":null,"commitId":"2718","message":"Räksmörgås"}]}');
+        expect(generateChangeLog(data.changes)).toEqual('<div class="changes"><h1>Changes:</h1><div class="change"><div class="change-author">Firstname Lastname</div><div class="change-message">Räksmörgås</div></div></div>');
+    });
+    it("Multiple changelogs", function() {
+        var data = JSON.parse('{"changes":[{"author":{"name":"Firstname Lastname","avatarUrl":null,"url":"user/user"},"changeLink":null,"commitId":"2718","message":"First change"}, {"author":{"name":"Firstname Lastname","avatarUrl":null,"url":"user/user"},"changeLink":null,"commitId":"2718","message":"Second change"}]}');
+        expect(generateChangeLog(data.changes)).toEqual('<div class="changes"><h1>Changes:</h1><div class="change"><div class="change-author">Firstname Lastname</div><div class="change-message">First change</div></div><div class="change"><div class="change-author">Firstname Lastname</div><div class="change-message">Second change</div></div></div>');
+    });
+});