

Merge pull request #201 from mawinter69/JENKINS-68870
[JENKINS-68870] properly escape tooltip texts
mawinter69 authored Jul 3, 2022
2 parents 18a75e1 + 1ccebbe commit 8596733
Showing 9 changed files with 42 additions and 18 deletions.
Expand Up @@ -117,12 +117,12 @@
copy = master.cloneNode(true); <!-- for IE -->
copy.removeAttribute("id");
copy.removeAttribute("style");
copy.childNodes[1].innerHTML = name;
copy.childNodes[1].innerHTML = escapeHTML(name);
copy.setAttribute("name",'['+name+']');

var children = copy.childNodes;
children.forEach(function(item){
item.outerHTML= item.outerHTML.replace("{{USER}}", name);
item.outerHTML= item.outerHTML.replace("{{USER}}", doubleEscapeHTML(name));
});

<j:if test="${nbAssignedAgentRoles lt 19}">
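Review bot: The `{{USER}}` substitution on the new line `item.outerHTML= item.outerHTML.replace("{{USER}}", doubleEscapeHTML(name));` passes the escaped name as a string replacement, and `String.prototype.replace` still interprets `$` sequences (`$&`, `$$`, `` $` ``) in a string replacement, so a name containing them is expanded rather than inserted literally (escapeHTML does not touch `$`). Wrapping the value in a function avoids that: `item.outerHTML = item.outerHTML.replace("{{USER}}", function () { return doubleEscapeHTML(name); });`. The same string-replacement form is used for `{{USER}}`, `{{ROLE}}` and `{{PATTERN}}` in the other Jelly views of this commit, and the pattern values are regular expressions where `$` is common, so the fix belongs in all of them. For the cell text, `copy.childNodes[1].textContent = name;` would sidestep escaping altogether and remove the dependency on `escapeHTML` at that line. The enclosing script block starts and ends outside the hunk.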
Expand Up @@ -115,12 +115,12 @@
copy = master.cloneNode(true); <!-- for IE -->
copy.removeAttribute("id");
copy.removeAttribute("style");
copy.childNodes[1].innerHTML = name;
copy.childNodes[1].innerHTML = escapeHTML(name);
copy.setAttribute("name",'['+name+']');

var children = copy.childNodes;
children.forEach(function(item){
item.outerHTML= item.outerHTML.replace("{{USER}}", name);
item.outerHTML= item.outerHTML.replace("{{USER}}", doubleEscapeHTML(name));
});

<j:if test="${nbAssignedGlobalRoles lt 19}">
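Review bot: `escapeHTML` and `doubleEscapeHTML` are used here as bare globals, but nothing in the hunk shows where they come from; this commit defines them in src/main/webapp/js/table.js, so the view must load that script before this inline block runs, otherwise adding a row fails with a ReferenceError. Worth confirming that the include for table.js is present in each of the eight views touched here (it is outside every hunk). The `$`-sequence issue with the string form of `replace` raised on the first view applies to the `{{USER}}` line here as well.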
Expand Up @@ -118,11 +118,11 @@

var children = copy.childNodes;
children.forEach(function(item){
item.outerHTML= item.outerHTML.replace("{{USER}}", name);
item.outerHTML= item.outerHTML.replace("{{USER}}", doubleEscapeHTML(name));
});


copy.childNodes[1].innerHTML = name;
copy.childNodes[1].innerHTML = escapeHTML(name);
copy.setAttribute("name",'['+name+']');
<j:if test="${nbAssignedProjectsRoles lt 19}">
table.appendChild(copy);
Expand Up @@ -58,7 +58,7 @@
</td>
<td class="left-most">${title}</td>
<j:forEach var="r" items="${it.strategy.getGrantedRoles(attrs.type)}">
<td width="*" tooltip="&lt;b&gt;Role&lt;/b&gt; : ${r.key.name} &lt;br/&gt; &lt;b&gt;User&lt;/b&gt; : ${attrs.title}">
<td width="*" tooltip="&lt;b&gt;Role&lt;/b&gt; : ${h.escape(r.key.name)} &lt;br/&gt; &lt;b&gt;User&lt;/b&gt; : ${h.escape(attrs.title)}">
<f:checkbox name="[${r.key.name}]" checked="${r.value.contains(attrs.sid)}"/>
</td>
</j:forEach>
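Review bot: The new `${h.escape(r.key.name)}` and `${h.escape(attrs.title)}` inside the tooltip attribute deserve a comment, because to a later reader they look like double-escaping if the view runs with Jelly's escape-by-default (the header that decides this is outside the hunk): the tooltip value is itself HTML (`&lt;b&gt;Role&lt;/b&gt; …`) that the tooltip widget re-parses, so the names need one more level of escaping than ordinary attribute text. Suggest a Jelly comment directly above the `<td>`: `<!-- the tooltip value is rendered as HTML by the tooltip widget, so names are escaped once more than plain attribute text -->`. The `name="[${r.key.name}]"` on the checkbox below is left as is, which is correct only if the default attribute escaping covers it; worth confirming against the view header.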
Expand Up @@ -169,8 +169,8 @@

var child = copy.childNodes[1];
var doubleQuote = '"';
child.innerHTML = name;
child.next().innerHTML = doubleQuote + pattern + doubleQuote;
child.innerHTML = escapeHTML(name);
child.next().innerHTML = doubleQuote + escapeHTML(pattern) + doubleQuote;

var hidden = document.createElement('input');
hidden.setAttribute('name', '[pattern]');
Expand All @@ -182,7 +182,7 @@

var children = copy.childNodes;
children.forEach(function(item){
item.outerHTML = item.outerHTML.replace("{{ROLE}}", name).replace("{{PATTERN}}", pattern);
item.outerHTML = item.outerHTML.replace("{{ROLE}}", doubleEscapeHTML(name)).replace("{{PATTERN}}", doubleEscapeHTML(pattern));
});

<j:if test="${nbAgentRoles lt 20}">
Expand Up @@ -150,11 +150,11 @@
copy = master.cloneNode(true); <!-- for IE -->
copy.removeAttribute("id");
copy.removeAttribute("style");
copy.childNodes[1].innerHTML = name;
copy.childNodes[1].innerHTML = escapeHTML(name);

var children = copy.childNodes;
children.forEach(function(item){
item.outerHTML= item.outerHTML.replace("{{ROLE}}", name);
item.outerHTML= item.outerHTML.replace("{{ROLE}}", doubleEscapeHTML(name));
});

copy.setAttribute("name",'['+name+']');
Expand Up @@ -163,8 +163,8 @@

var child = copy.childNodes[1];
var doubleQuote = '"';
child.innerHTML = name;
var patternString = doubleQuote + pattern + doubleQuote;
child.innerHTML = escapeHTML(name);
var patternString = doubleQuote + escapeHTML(pattern) + doubleQuote;
child.next().innerHTML = '<a href="#" class="patternAnchor">' + patternString + '</a>';
bindListenerToPattern(child.next().children[0]);

Expand All @@ -176,7 +176,7 @@

var children = copy.childNodes;
children.forEach(function(item){
item.outerHTML = item.outerHTML.replace("{{ROLE}}", name).replace("{{PATTERN}}", pattern);
item.outerHTML = item.outerHTML.replace("{{ROLE}}", doubleEscapeHTML(name)).replace("{{PATTERN}}", doubleEscapeHTML(pattern));
});

copy.setAttribute("name",'['+name+']');
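Review bot: The context line `child.next().innerHTML = '<a href="#" class="patternAnchor">' + patternString + '</a>';` directly below the changed lines still assembles markup by string concatenation and is now safe only because `escapeHTML(pattern)` was applied two lines earlier; building the anchor with DOM calls and `textContent` makes the cell safe without any escaping step and shows the pattern byte-for-byte as entered. Both `escapeHTML(name)` and `escapeHTML(pattern)` can then go from this hunk, provided `patternString` and `doubleQuote` are not read later in the function (the function continues outside the hunk). The `{{ROLE}}`/`{{PATTERN}}` replacement in the second hunk is unaffected and still needs the double escaping, since it targets serialized attribute markup.
```javascript
var child = copy.childNodes[1];
child.textContent = name;
var patternAnchor = document.createElement('a');
patternAnchor.href = '#';
patternAnchor.className = 'patternAnchor';
patternAnchor.textContent = '"' + pattern + '"';
var patternCell = child.next();
patternCell.innerHTML = '';
patternCell.appendChild(patternAnchor);
bindListenerToPattern(patternAnchor);
// … unchanged: hidden input, {{ROLE}}/{{PATTERN}} replacement …
```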
Expand Up @@ -59,9 +59,12 @@
<j:set var="pattern" value=""/>
<j:if test="${!attrs.global}">
<j:set var="pattern" value="&lt;br/&gt; &lt;b&gt;Pattern&lt;/b&gt; : ${attrs.pattern}"/>
<j:if test="${attrs.pattern != '{{PATTERN}}'}">
<j:set var="pattern" value="&lt;br/&gt; &lt;b&gt;Pattern&lt;/b&gt; : ${h.escape(attrs.role.pattern.toString())}"/>
</j:if>
<td width="*" class="in-place-edit">
<j:if test="${attrs.project}">
<a href="#" class="patternAnchor">&quot;${h.escape(attrs.role.pattern.toString())}&quot;</a>
<a href="#" class="patternAnchor">&quot;${attrs.role.pattern.toString()}&quot;</a>
</j:if>
<j:if test="${!attrs.project}">
&quot;${h.escape(attrs.role.pattern.toString())}&quot;
Expand All @@ -74,7 +77,7 @@
<j:forEach var="g" items="${tableItems}">
<j:forEach var="p" items="${g.permissions}">
<j:if test="${it.strategy.descriptor.showPermission(attrs.type, p)}">
<td width="*" tooltip="&lt;b&gt;Permission&lt;/b&gt; : ${g.title}/${p.name} &lt;br/&gt; &lt;b&gt;Role&lt;/b&gt; : ${attrs.title} ${pattern}">
<td width="*" tooltip="&lt;b&gt;Permission&lt;/b&gt; : ${g.title}/${p.name} &lt;br/&gt; &lt;b&gt;Role&lt;/b&gt; : ${h.escape(attrs.title)} ${pattern}">
<f:checkbox name="[${p.id}]" checked="${attrs.role.hasPermission(p)}"/>
</td>
</j:if>
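Review bot: The changed project-branch anchor text `&quot;${attrs.role.pattern.toString()}&quot;` drops `h.escape`, while the non-project branch two lines below (context, `&quot;${h.escape(attrs.role.pattern.toString())}&quot;`) keeps it, so the two branches now encode the same value differently. If the removal is right because Jelly already escapes `${}` output in element text, the non-project line renders entities such as `&amp;lt;` for a pattern containing `<`; if it is not, the anchor text is now under-escaped. Either way the two lines should agree; the escape-by-default setting that decides this lives in the view header, outside the hunk. The new `<j:if test="${attrs.pattern != '{{PATTERN}}'}">` guard would also benefit from a one-line comment saying it skips the hidden template row, since the placeholder string is otherwise unexplained here.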
23 changes: 22 additions & 1 deletion src/main/webapp/js/table.js
Expand Up @@ -60,4 +60,25 @@ TableHighlighter.prototype = {
tr.toggleClassName('highlighted');
}

};
};

var doubleEscapeHTML = function(unsafe) {
return escapeHTML(escapeHTML(unsafe));
};

var escapeHTML = function(unsafe) {
return unsafe.replace(/[&<>"']/g, function(m) {
switch (m) {
case '&':
return '&amp;';
case '<':
return '&lt;';
case '>':
return '&gt;';
case '"':
return '&quot;';
default:
return '&#039;';
}
});
};
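Review bot: `escapeHTML` and `doubleEscapeHTML` are added without any documentation, and their contract matters because the Jelly views in this commit pick between them: suggest a header comment on `escapeHTML` stating that it replaces `& < > " '` with entities for text or attribute context, and on `doubleEscapeHTML` that it is for values substituted into an attribute whose value is later rendered as HTML (the tooltip markup in the views), so one level of escaping survives attribute parsing. `unsafe.replace(...)` throws a TypeError for null, undefined or non-string input; if any caller can pass a non-string, `return String(unsafe).replace(/[&<>"']/g, function (m) {` hardens it, though that is a behaviour change for null and should only be made if intended. Both helpers are `var` function expressions assigned after `TableHighlighter.prototype`, so they are usable only once this file has executed; plain function declarations would hoist and make load order within the file irrelevant.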
