Bug fixes and improvements for Content-Security-Policy compatibility

pom.xml

@@ -57,6 +57,7 @@
               <xmlOutput>true</xmlOutput>
               <findbugsXmlWithMessages>true</findbugsXmlWithMessages>
               <failOnError>${findbugs.failOnError}</failOnError>
+              <omitVisitors>UnreadFields</omitVisitors>
             </configuration>
             <executions>
               <execution>

src/main/java/htmlpublisher/HtmlPublisherTarget.java

@@ -159,6 +159,8 @@ private File getBuildArchiveDir(Run run) {
     protected abstract class BaseHTMLAction implements Action {
         private HtmlPublisherTarget actualHtmlPublisherTarget;
 
+        protected transient AbstractItem project;
+
         public BaseHTMLAction(HtmlPublisherTarget actualHtmlPublisherTarget) {
             this.actualHtmlPublisherTarget = actualHtmlPublisherTarget;
         }
@@ -197,7 +199,6 @@ public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOExceptio
     }
 
     public class HTMLAction extends BaseHTMLAction implements ProminentProjectAction {
-        private final AbstractItem project;
 
         private transient HTMLBuildAction actualBuildAction;
 
@@ -326,11 +327,13 @@ protected File dir() {
         @Override
         public void onAttached(Run<?, ?> r) {
             build = r;
+            this.project = r.getParent();
         }
 
         @Override
         public void onLoad(Run<?, ?> r) {
             build = r;
+            this.project = r.getParent();
         }
 
         public String getWrapperChecksum() {

src/main/resources/htmlpublisher/HtmlPublisherTarget/BaseHTMLAction/index.groovy

@@ -1,35 +1,69 @@
 package htmlpublisher.HtmlPublisherTarget.BaseHTMLAction
 
+import htmlpublisher.HtmlPublisher
 import htmlpublisher.HtmlPublisherTarget
 import hudson.Util
 
 import java.security.MessageDigest
 
+l = namespace(lib.LayoutTagLib)
+st = namespace("jelly:stapler")
+
 def text = new File(my.dir(), my.getHTMLTarget().getWrapperName()).text
 
 def actual = Util.toHexString(MessageDigest.getInstance("SHA-1").digest(text.getBytes("UTF-8")))
 
 def expected = null
 
+def serveWrapper() {
+    // don't actually serve the wrapper file, but use it as data source for the tab links only
+    // this minimized the potential for mischief in the case of legacy archives without checksum
+    st.contentType(value: "text/html;charset=UTF-8")
+
+    def header = HtmlPublisher.class.getResourceAsStream("/htmlpublisher/HtmlPublisher/header.html").text
+    def footer = HtmlPublisher.class.getResourceAsStream("/htmlpublisher/HtmlPublisher/footer.html").text
+
+    raw(header)
+
+    def legacyFile = new File(my.dir(), "htmlpublisher-wrapper.html")
+    def matcher = legacyFile.text =~ /<li id="tab\d+" class="unselected" onclick="updateBody\('tab\d+'\);" value="([^"]+)">([^<]+)<\/li>/
+
+    def items = []
+    while (matcher.find()) {
+        items.add(matcher.group(1))
+    }
+
+    def idx = 1
+    items.each { file ->
+        def reportName = file.contains(".") ? file.substring(0, file.indexOf(".")) : file
+        li(reportName, id: "tab${idx}", class: "unselected", onclick: "updateBody('tab${idx}')", value: file.trim())
+        idx++
+    }
+
+    // TODO replace unnecessary JS usage by properly integrating header.html/footer.html in this groovy view
+    raw("<script type=\"text/javascript\">document.getElementById(\"hudson_link\").innerHTML=\"Back to ${my.project.displayName}\";</script>")
+    raw("<script type=\"text/javascript\">document.getElementById(\"hudson_link\").href=\"${rootURL}/${my.project.url}\";</script>")
+    raw("<script type=\"text/javascript\">document.getElementById(\"zip_link\").href=\"*zip*/${my.getHTMLTarget().sanitizedName}.zip\";</script>")
+
+    raw(footer)
+}
+
 if (my instanceof HtmlPublisherTarget.HTMLBuildAction) {
     // this is a build action, so needs to have its checksum checked
     expected = my.wrapperChecksum
 } else if (my instanceof HtmlPublisherTarget.HTMLAction && my.actualBuildAction) {
     // this is a project action serving a build-level report
     expected = my.actualBuildAction.wrapperChecksum
-} // else this is a project action serving a project-level report
+} // else this is a project action serving a project-level report, which is considered safe
 
 if (expected == null) {
     // no checksum expected
-    raw(new File(my.dir(), "htmlpublisher-wrapper.html").text)
+    serveWrapper()
 } else {
     if (expected == actual) {
         // checksum expected and matches
-        raw(new File(my.dir(), "htmlpublisher-wrapper.html").text)
+        serveWrapper()
     } else {
-        def l = namespace(lib.LayoutTagLib)
-        def f = namespace(lib.FormTagLib)
-
         l.layout {
             l.header(title:"Checksum mismatch")
             l.main_panel {