[SECURITY-1886] Fix more occurrences of this vulnerability (#52)

* Escape an overview url and template evalluation

src/main/webapp/scripts/global-build-stats/BuildStatConfigForm.js

@@ -161,25 +161,25 @@ class BuildStatConfigForm {
 			var averageBuildTimeShown = document.getElementById(bsId+'_averageBuildTimeShown').checked;
 			var yAxisChartType = document.getElementById(bsId+'_yAxisChartType').value;
 
-			var overviewContent = '<img src="'+rootURL+'/plugin/global-build-stats/createChart?';
-			overviewContent += 'title='+title;
-			overviewContent += '&buildStatWidth='+width;
-			overviewContent += '&buildStatHeight='+height;
-			overviewContent += '&historicLength='+length;
-			overviewContent += '&historicScale='+scale;
-			overviewContent += '&jobFilter='+jobFilter;
-			overviewContent += '&nodeFilter='+nodeFilter;
-			overviewContent += '&launcherFilter='+launcherFilter;
-			overviewContent += '&successShown='+successShown;
-			overviewContent += '&failuresShown='+failuresShown;
-			overviewContent += '&unstablesShown='+unstablesShown;
-			overviewContent += '&abortedShown='+abortedShown;
-			overviewContent += '&notBuildsShown='+notBuildsShown;
-			overviewContent += '&yAxisChartType='+yAxisChartType;
-			overviewContent += '&buildStatusesShown='+buildStatusesShown;
-			overviewContent += '&totalBuildTimeShown='+totalBuildTimeShown;
-			overviewContent += '&averageBuildTimeShown='+averageBuildTimeShown;
-			overviewContent += '" />';
+			var overviewContent = '<img src="'+rootURL+'/plugin/global-build-stats/createChart?' + new URLSearchParams({
+				title: title,
+				buildStatWidth: width,
+				buildStatHeight: height,
+				historicLength: length,
+				historicScale: scale,
+				jobFilter: jobFilter,
+				nodeFilter: nodeFilter,
+				launcherFilter: launcherFilter,
+				successShown: successShown,
+				failuresShown: failuresShown,
+				unstablesShown: unstablesShown,
+				abortedShown: abortedShown,
+				notBuildsShown: notBuildsShown,
+				yAxisChartType: yAxisChartType,
+				buildStatusesShown: buildStatusesShown,
+				totalBuildTimeShown: totalBuildTimeShown,
+				averageBuildTimeShown: averageBuildTimeShown,
+			}) + '" />';
 
 			YAHOO.global.build.stat.overview.modalPopup =  
 		        new YAHOO.widget.Panel("buildStatOverview",   
@@ -267,7 +267,8 @@ class BuildStatConfigForm {
 			var regenerateIdBlock = "";
 		}
 
-		currentContext = jsonConcat(currentContext, { regenerateIdBlock: regenerateIdBlock});
+		currentContext = jsonConcat(currentContext, { regenerateIdBlock: regenerateIdBlock,
+			unsanitized: ['regenerateIdBlock']});
 
 		// Generating content for creation/update form
 		var formBlockTemplate = getTemplateContent('formBlockTemplate');

src/main/webapp/scripts/global-build-stats/BuildStatConfigs.js

@@ -53,7 +53,8 @@ class BuildStatConfigs {
 		imageTemplateStr += '<div id="map_#{id}_container"></div><br/>\n';
 		var image = evaluateTemplate(imageTemplateStr, currentContext);
 
-		currentContext = jsonConcat(currentContext, { buildStatImage: image});
+		currentContext = jsonConcat(currentContext, { buildStatImage: image,
+			unsanitized: ['buildStatImage']});
 
 		var buildStatConfigWithoutContainerTemplate = getTemplateContent('buildStatConfigWithoutContainerTemplate');
 		var buildStatConfigWithoutContainerHTML = evaluateTemplate(buildStatConfigWithoutContainerTemplate, currentContext);

src/main/webapp/scripts/global-build-stats/chartList.js

@@ -149,10 +149,26 @@ function evaluateTemplate(content, context){
 		/#\{(.*?)\}/g,
 		function(match, p1, offset, string){
 			if (p1 in context) {
-				return context[p1];
+				if (context.unsanitized?.includes(p1)){
+					return context[p1];
+				} else {
+					return escapeHTML(context[p1]);
+				}
 			} else {
 				return '';
 			}
 		}
 	);
 }
+
+function escapeHTML(str){
+	return str.toString().replace(/[&<>'"]/g,
+		tag => ({
+			'&': '&amp;',
+			'<': '&lt;',
+			'>': '&gt;',
+			"'": '&#x27;',
+			'"': '&quot;',
+		}[tag])
+	);
+}