Skip to content
Permalink
Browse files

Merge pull request #31 from ikedam/feature/JENKINS-42903_SanitizeHtml

[JENKINS-42903] Sanitize names and descriptions
  • Loading branch information
ikedam committed Aug 27, 2017
2 parents 4a44765 + c781e20 commit cbd310dea0974c4b6723a9d73b362cadb0f0fece
@@ -53,6 +53,12 @@
<version>1.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>antisamy-markup-formatter</artifactId>
<version>1.1</version>
<scope>test</scope>
</dependency>
</dependencies>

<build>
@@ -30,7 +30,7 @@ THE SOFTWARE.
<f:textbox />
</f:entry>
<f:entry title="${%Description}" field="description" help="/help/parameter/description.html">
<f:textarea />
<f:textarea previewEndpoint="/markupFormatter/previewDescription" />
</f:entry>
<f:dropdownDescriptorSelector title="${%Choice Provider}" field="choiceListProvider" descriptors="${descriptor.enabledChoiceListProviderList}" />
<f:entry title="${%Editable}" field="editable">
@@ -28,7 +28,8 @@ THE SOFTWARE.
In this view, the fields are not managed in Descriable/Descriptor framework,
and results in not using /lib/form taglibs, but writing HTML input tags directory.
-->
<f:entry title="${it.name}" description="${it.description}">
<j:set var="escapeEntryTitleAndDescription" value="false" />
<f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
<div name="parameter" description="${it.description}">
<input type="hidden" name="name" value="${it.name}" />
<j:scope>
@@ -37,6 +37,7 @@
import hudson.EnvVars;
import hudson.Extension;
import hudson.Util;
import hudson.markup.RawHtmlMarkupFormatter;
import hudson.model.FreeStyleBuild;
import hudson.model.Descriptor;
import hudson.model.FreeStyleProject;
@@ -48,10 +49,12 @@
import net.sf.json.JSONObject;

import org.apache.commons.lang.StringUtils;
import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule.WebClient;
import org.jvnet.hudson.test.CaptureEnvironmentBuilder;
import org.jvnet.hudson.test.Issue;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.StaplerRequest;

@@ -1141,4 +1144,43 @@ public void testDisableChoiceListIntegration() throws Exception
assertNotSame(MockChoiceListProvider.class, ((ExtensibleChoiceParameterDefinition)p.getProperty(ParametersDefinitionProperty.class).getParameterDefinition("Choice")).getChoiceListProvider().getClass());

}
}

@Issue("JENKINS-42903")
@Test
public void testSafeTitle() throws Exception {
FreeStyleProject p = j.createFreeStyleProject();
ExtensibleChoiceParameterDefinition def = new ExtensibleChoiceParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
new MockChoiceListProvider(Arrays.asList("value1", "value2"), null),
false,
""
);
p.addProperty(new ParametersDefinitionProperty(def));

WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42903")
@Test
public void testSafeDescription() throws Exception {
j.jenkins.setMarkupFormatter(new RawHtmlMarkupFormatter(false));

FreeStyleProject p = j.createFreeStyleProject();
ExtensibleChoiceParameterDefinition def = new ExtensibleChoiceParameterDefinition(
"Choice",
new MockChoiceListProvider(Arrays.asList("value1", "value2"), null),
false,
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
);
p.addProperty(new ParametersDefinitionProperty(def));

WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}}

0 comments on commit cbd310d

Please sign in to comment.
You can’t perform that action at this time.