
remove inline javascript
remove the inline javascript from the redirect page and the index of the
action.
use relative urls in the redirect instead of absoluteUrl, which is
considered dangerous (this probably fixes JENKINS-64825)
mawinter69 committed Feb 5, 2024
1 parent 4c3a721 commit d18e6b2
Showing 5 changed files with 28 additions and 59 deletions.
Expand Up @@ -116,7 +116,7 @@ public Date getDefaultDateObject() {
}

@RequirePOST
public FormValidation doCheckDate(@QueryParameter String date, @AncestorInPath Item item) {
public FormValidation doCheckDate(@QueryParameter String value, @AncestorInPath Item item) {
if (item == null) {
return FormValidation.ok();
}
Expand All @@ -125,7 +125,7 @@ public FormValidation doCheckDate(@QueryParameter String date, @AncestorInPath I
Date ddate, now = new Date();
DateFormat dateFormat = dateFormat();
try {
ddate = dateFormat.parse(date);
ddate = dateFormat.parse(value);

now = dateFormat.parse(dateFormat.format(now));
} catch (ParseException ex) {
return FormValidation.error(Messages.ScheduleBuildAction_ParsingError());
Expand Up @@ -6,12 +6,13 @@
<h1>${%Project} ${it.owner.name}</h1>
<f:form name="schedule" action="next" method="post">
<f:entry title="${%BuildOn} (mm/dd/yy):" field="date">
<f:textbox value="${it.defaultDate}" checkUrl="'${rootURL}/${it.owner.url}schedule/checkDate?date=' + encodeURIComponent(this.value)" onKeyUp="this.onchange();"/>
<f:textbox id="schedule-build-input" value="${it.defaultDate}" checkUrl="${rootURL}/${it.owner.url}schedule/checkDate" checkDependsOn=""/>
</f:entry>
<f:entry>
<f:submit value="${%Schedule}"/>
<f:submit value="${%Schedule}" id="schedule-build-button"/>
</f:entry>
</f:form>
<script src="${rootURL}/plugin/schedule-build/scheduleBuild.js"/>
</l:main-panel>
</l:layout>
</j:jelly>
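Review bot: The `id="schedule-build-button"` added on the `f:submit` line is not referenced by the `scheduleBuild.js` this commit introduces, which only binds `#schedule-build-input`, so unless another script consumes it the id is dead markup; either drop it or leave a one-line Jelly comment naming what uses it. The new `checkUrl` no longer passes a `date` query parameter, which relies on the `doCheckDate` parameter having been renamed to `value` in the same commit; a comment such as `<!-- checkUrl submits the field as "value"; see ScheduleBuildAction.doCheckDate -->` would keep that coupling visible to the next editor of either file.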
Expand Up @@ -5,13 +5,12 @@
<!--
Auto submits the form to the jenkins server
-->
<p>
Submitting your changes to the server...
<p id="schedule-build-data" data-url="${rootURL}/${it.owner.url}"
data-quiet-period-seconds="${it.quietPeriodInSeconds}"
data-parameterized="${it.owner.parameterized}">
<l:spinner text="Submitting your changes to the server..." />
</p>
<script src="${rootURL}/plugin/schedule-build/scheduleRequest.js"/>
<script>
sumbitScheduleRequest("${it.owner.absoluteUrl}", ${it.quietPeriodInSeconds}, ${it.jobParameterized});
</script>
<script src="${rootURL}/plugin/schedule-build/scheduleRequest.js"/>
</l:main-panel>
</l:layout>
</j:jelly>
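--- /dev/null
+++ b/src/main/webapp/scheduleBuild.js
@@ -0,0 +1,5 @@
+Behaviour.specify("#schedule-build-input", "schedule-build-input", 0, function(input) {
+input.onkeyup = function(event) {
+input.onchange();
+}
+});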
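Review bot: `input.onkeyup = function(event) { ... }` overwrites any keyup handler already attached to the textbox and never uses its `event` argument; `input.addEventListener("keyup", () => input.onchange());` attaches the same behaviour without clobbering other listeners. The body also assumes `input.onchange` has already been installed by the textbox's `checkUrl` behaviour — presumably true given Behaviour's registration order, but not shown here — so a guard `if (input.onchange) input.onchange();` would turn a missing handler into a no-op rather than a TypeError on every keystroke.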
62 changes: 13 additions & 49 deletions src/main/webapp/scheduleRequest.js
@@ -1,50 +1,14 @@
var newRequest = function() {
if (window.XMLHttpRequest) {
return new XMLHttpRequest();
} else {
return new ActiveXObject("Microsoft.XMLHTTP");
}
}

var sumbitScheduleRequest = function(absoluteUrl, quietPeriodInSeconds, isJobParameterized){

if(isJobParameterized){
// if job has parameters, redirect to build page, so user can set parameters
window.location = absoluteUrl + "build?delay=" + quietPeriodInSeconds + "sec";
}else{
// if job has NO parameters, submit build directly
var csrfCrumb;
var csrfRequest = newRequest();
csrfRequest.onreadystatechange = function() {
if (csrfRequest.readyState === 4) {
if (csrfRequest.status === 200 || csrfRequest.status === 201) {
csrfCrumb = JSON.parse(csrfRequest.responseText);
} else {
// csrf might be deactivated
}

// do the actual submit
var xmlhttp = newRequest();
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState === 4) {
if (xmlhttp.status === 200 || xmlhttp.status === 201) {
window.location = absoluteUrl;
return false;
} else {
window.location = absoluteUrl;
return false;
}
}
};
xmlhttp.open("POST", absoluteUrl + "build?delay=" + quietPeriodInSeconds + "sec", true);
if (csrfCrumb) {
xmlhttp.setRequestHeader(csrfCrumb.crumbRequestField, csrfCrumb.crumb)
}
xmlhttp.send();
}
};

csrfRequest.open('GET', rootURL + '/crumbIssuer/api/json', false);
csrfRequest.send();
}
let d = document.getElementById("schedule-build-data");
let url = d.dataset.url;
let quietPeriodInSeconds = d.dataset.quietPeriodSeconds;
let scheduleUrl = url + "build?delay=" + quietPeriodInSeconds + "sec";

if (d.dataset.parameterized === "true") {
window.location = d.dataset.url + "build?delay=" + quietPeriodInSeconds + "sec";
} else {
fetch(scheduleUrl, {
method: "post",
headers: crumb.wrap({}),
});
window.location = url;
}
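Review bot: The `fetch(scheduleUrl, ...)` on the non-parameterized path is not awaited, so `window.location = url` on the following line starts navigating away while the POST is still in flight; browsers may cancel the request on unload, in which case no build is scheduled and the user still lands on the job page as if it had been. The redirect should run in the request's completion handler, and a failed response or network error should at least be logged rather than dropped, since nothing else reports it. The parameterized branch also rebuilds the URL that `scheduleUrl` already holds, and the `let` bindings are never reassigned, so `const` fits. `crumb` is a page-provided global as far as this file shows.
```javascript
// … unchanged: reads of #schedule-build-data, url, quietPeriodInSeconds, scheduleUrl …
if (d.dataset.parameterized === "true") {
  window.location = scheduleUrl;
} else {
  fetch(scheduleUrl, {
    method: "post",
    headers: crumb.wrap({}),
  })
    .then((response) => {
      if (!response.ok) {
        console.error("Scheduling the build failed: HTTP " + response.status);
      }
    })
    .catch((err) => {
      console.error("Scheduling the build failed", err);
    })
    .finally(() => {
      // redirect only once the request has settled, as the old XHR handler did
      window.location = url;
    });
}
```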
