From 78cc60556304965ffb2dd8c017bf61d4f153f5ea Mon Sep 17 00:00:00 2001
From: rsandell <rsandell@cloudbees.com>
Date: Fri, 17 Dec 2021 11:55:20 +0100
Subject: [PATCH] [SECURITY-2017]

---
 src/main/java/hudson/matrix/LabelAxis.java    | 32 ++++++++++++++-----
 .../hudson/matrix/LabelAxis/config.jelly      |  2 +-
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/src/main/java/hudson/matrix/LabelAxis.java b/src/main/java/hudson/matrix/LabelAxis.java
index a1a49f34..85593d15 100644
--- a/src/main/java/hudson/matrix/LabelAxis.java
+++ b/src/main/java/hudson/matrix/LabelAxis.java
@@ -27,10 +27,15 @@
 import hudson.Functions;
 import jenkins.model.Jenkins;
 import hudson.model.labels.LabelAtom;
+import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 
+import java.util.ArrayList;
 import java.util.List;
 
+import static hudson.Functions.htmlAttributeEscape;
+import static hudson.Functions.jsStringEscape;
+
 /**
  * {@link Axis} that selects label expressions.
  *
@@ -52,6 +57,18 @@ public String getValueString() {
         return String.join("/", getValues());
     }
 
+    public String getValueStringHtmlEscaped() {
+        final List<String> values = getValues();
+        StringBuilder str = new StringBuilder();
+        for (String value : values) {
+            if (str.length() > 0) {
+                str.append('/');
+            }
+            str.append(htmlAttributeEscape(value));
+        }
+        return str.toString();
+    }
+
     @Extension
     public static class DescriptorImpl extends AxisDescriptor {
         @Override
@@ -69,16 +86,15 @@ public boolean isInstantiable() {
             return !j.getNodes().isEmpty() || !j.clouds.isEmpty();
         }
 
-        private String jsstr(String body, Object... args) {
-            return '\"'+Functions.jsStringEscape(String.format(body,args))+'\"';
-        }
 
         public String buildLabelCheckBox(LabelAtom la, LabelAxis instance) {
-            return jsstr("<input type='checkbox' name='values' json='%s' ",
-                        Functions.htmlAttributeEscape(la.getName()))
-                   +String.format("+has(%s)+",jsstr(la.getName()))
-                   +jsstr("/><label class='attach-previous'>%s (%s)</label>",
-                        la.getName(),la.getDescription());
+            final String escapedName = jsStringEscape(htmlAttributeEscape(la.getName()));
+            final String escapedDescription = jsStringEscape(StringUtils.isEmpty(la.getDescription()) ? "" :
+                    htmlAttributeEscape(la.getDescription()));
+            return new StringBuilder("\"").append(jsStringEscape("<input type='checkbox' name='values' json='")).append(escapedName).append(jsStringEscape("' "))
+                    .append("\"").append(String.format("+has(\"%s\")+", escapedName)).append("\"")
+                    .append(jsStringEscape("/><label class='attach-previous'>")).append(escapedName).append(" (").append(escapedDescription).append(")</label>\"")
+                    .toString();
             // '${h.jsStringEscape('<input type="checkbox" name="values" json="'+h.htmlAttributeEscape(l.name)+'" ')}'+has("${h.jsStringEscape(l.name)}")+'${h.jsStringEscape('/><label class="attach-previous">'+l.name+' ('+l.description+')</label>')}'
         }
     }
diff --git a/src/main/resources/hudson/matrix/LabelAxis/config.jelly b/src/main/resources/hudson/matrix/LabelAxis/config.jelly
index 28804d7f..5466e63b 100644
--- a/src/main/resources/hudson/matrix/LabelAxis/config.jelly
+++ b/src/main/resources/hudson/matrix/LabelAxis/config.jelly
@@ -27,7 +27,7 @@ THE SOFTWARE.
     <f:textbox default="label" />
   </f:entry>
   <f:entry title="${%Node/Label}" field="labels">
-    <div class="yahooTree labelAxis-tree" style="border: 1px solid gray; height: 10em; overflow:auto;" values="${instance.valueString}" />
+    <div class="yahooTree labelAxis-tree" style="border: 1px solid gray; height: 10em; overflow:auto;" values="${instance.valueStringHtmlEscaped}" />
     <script>
       Behaviour.specify("DIV.labelAxis-tree", 'LabelAxis', 0, function(e) {
         var tree = new YAHOO.widget.TreeView(e);