[FIXED JENKINS-20800] HTML metacharacters not escaped in log messages.
jglick committed Nov 28, 2013
1 parent 8fa4ef0 commit a900b488b527a25009e3536bc94e945f5fbfe4ad
Showing with 15 additions and 7 deletions.
  1. +3 −1 changelog.html
  2. +2 −6 core/src/main/java/hudson/Functions.java
  3. +10 −0 core/src/test/java/hudson/FunctionsTest.java
@@ -55,7 +55,9 @@
<!-- Record your changes in the trunk here. -->
<div id="trunk" style="display:none"><!--=TRUNK-BEGIN=-->
<ul class=image>
<li class=>
<li class=bug>
HTML metacharacters not escaped in log messages.
(<a href="https://issues.jenkins-ci.org/browse/JENKINS-20800">issue 20800</a>)
</ul>
</div><!--=TRUNK-END=-->

@@ -135,7 +135,6 @@

import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
import org.apache.commons.jelly.JellyContext;
import org.apache.commons.jelly.JellyException;
import org.apache.commons.jelly.JellyTagException;
import org.apache.commons.jelly.Script;
import org.apache.commons.jelly.XMLOutput;
@@ -144,19 +143,15 @@
import org.apache.commons.lang.StringUtils;
import org.jvnet.tiger_types.Types;
import org.kohsuke.stapler.Ancestor;
import org.kohsuke.stapler.MetaClass;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.WebApp;
import org.kohsuke.stapler.jelly.InternationalizedStringExpression.RawHtmlArgument;
import org.kohsuke.stapler.jelly.JellyClassTearOff;

import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import java.util.concurrent.atomic.AtomicLong;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.accmod.restrictions.NoExternalUse;

/**
@@ -450,13 +445,14 @@ public static String printLogRecord(LogRecord r) {
return formatter.format(r);
}

@Restricted(DoNotUse.class)
@Restricted(NoExternalUse.class)
public static String[] printLogRecordHtml(LogRecord r, LogRecord prior) {
String[] oldParts = prior == null ? new String[4] : logRecordPreformat(prior);
String[] newParts = logRecordPreformat(r);
for (int i = 0; i < /* not 4 */3; i++) {
newParts[i] = "<span class='" + (newParts[i].equals(oldParts[i]) ? "logrecord-metadata-old" : "logrecord-metadata-new") + "'>" + newParts[i] + "</span>";
}
newParts[3] = Util.xmlEscape(newParts[3]);
return newParts;
}
/**
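Review bot: In printLogRecordHtml the loop over indices 0–2 still concatenates `newParts[i]` into the `<span>` markup unescaped; only element 3 is passed through `Util.xmlEscape`. logRecordPreformat lies outside this hunk, so what those three elements hold is not visible here. If any of them derives from the logger name or the source class/method name, a value containing `<` or `&` would reach the page as markup, just as the message did before this commit. Escaping at the point of concatenation would cover that: `"'>" + Util.xmlEscape(newParts[i]) + "</span>"`. The `equals(oldParts[i])` comparison in the same expression would still run on the raw values.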
@@ -37,6 +37,8 @@
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.LogRecord;

import jenkins.model.Jenkins;

@@ -293,4 +295,12 @@ public void testBreakableString() {
assertEquals("H<wbr>,e<wbr>.l<wbr>/l<wbr>:o<wbr>-w<wbr>_o<wbr>=+|d", Functions.breakableString("H,e.l/l:o-w_o=+|d"));
assertEquals("ALongStrin<wbr>gThatCanNo<wbr>tBeBrokenB<wbr>yDefault", Functions.breakableString("ALongStringThatCanNotBeBrokenByDefault"));
}

@Bug(20800)
@Test public void printLogRecordHtml() throws Exception {
LogRecord lr = new LogRecord(Level.INFO, "Bad input <xml/>");
lr.setLoggerName("test");
assertEquals("Bad input &lt;xml/>\n", Functions.printLogRecordHtml(lr, null)[3]);
}

}
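Review bot: The new test printLogRecordHtml pins only a `<` in the message of a record with no predecessor, so neither an `&` in the message nor the `prior != null` path is covered. The expected string `Bad input &lt;xml/>\n` also shows that `>` is left unescaped; a short comment such as `// '>' is intentionally left as is; only '<' is rewritten here` would stop a later reader from "correcting" the assertion. Consider a second record with the message `a & b`, asserting `a &amp; b\n` at index 3 (assuming Util.xmlEscape rewrites `&`, which this page does not show). A call that passes an earlier record as `prior` would confirm that element 3 is escaped on that path too.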
