From 0b471b7b693eb370c52c82382257419a07171f93 Mon Sep 17 00:00:00 2001
From: Jesse Glick
Date: Wed, 21 Dec 2016 18:01:46 -0500
Subject: [PATCH] [SECURITY-353] Fixed markup formatter for StringParameterDefinition/Value.

---
 .../main/java/hudson/model/ParameterValue.java | 18 ++++++++++++++++++
 .../StringParameterDefinition/index.jelly | 3 ++-
 .../model/StringParameterValue/value.jelly | 3 ++-
 .../test/java/hudson/model/ParametersTest.java | 2 --
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/hudson/model/ParameterValue.java b/core/src/main/java/hudson/model/ParameterValue.java
index d3b39f614a..fbea3895fd 100644
--- a/core/src/main/java/hudson/model/ParameterValue.java
+++ b/core/src/main/java/hudson/model/ParameterValue.java
@@ -31,11 +31,16 @@ import hudson.scm.SCM;
 import hudson.tasks.BuildWrapper;
 import hudson.tasks.Builder;
 import hudson.util.VariableResolver;
+import java.io.IOException;
 import java.io.Serializable;
 import java.util.Map;
+import java.util.logging.Logger;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.export.Exported;
@@ -70,6 +75,9 @@ import org.kohsuke.stapler.export.ExportedBean;
 */
 @ExportedBean(defaultVisibility=3)
 public abstract class ParameterValue implements Serializable {
+
+ private static final Logger LOGGER = Logger.getLogger(ParameterValue.class.getName());
+
 protected final String name;
 private String description;
@@ -91,6 +99,16 @@ public abstract class ParameterValue implements Serializable {
 this.description = description;
 }
+ @Restricted(DoNotUse.class) // for value.jelly
+ public String getFormattedDescription() {
+ try {
+ return Jenkins.getInstance().getMarkupFormatter().translate(description);
+ } catch (IOException e) {
+ LOGGER.warning("failed to translate description using configured markup formatter");
+ return "";
+ }
+ }
+
 /**
 * Name of the parameter.
 *
diff --git a/core/src/main/resources/hudson/model/StringParameterDefinition/index.jelly b/core/src/main/resources/hudson/model/StringParameterDefinition/index.jelly
index 2f99f33da9..2c6a20bfbb 100644
--- a/core/src/main/resources/hudson/model/StringParameterDefinition/index.jelly
+++ b/core/src/main/resources/hudson/model/StringParameterDefinition/index.jelly
@@ -26,7 +26,8 @@ THE SOFTWARE. - + +
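Review bot: In `getFormattedDescription` the catch block drops the caught exception — `LOGGER.warning("failed to translate description using configured markup formatter")` records no cause, so an operator seeing the warning cannot tell which formatter failed or why; use `LOGGER.log(Level.WARNING, "failed to translate description using configured markup formatter", e)` (and add `java.util.logging.Level` to the import hunk above). Returning `""` on failure is the right fail-safe, since emitting the raw description would bypass the formatter entirely, but that intent should be stated with a comment such as `// never fall back to the raw description: it would skip the configured markup formatter`. The method also lacks Javadoc for its contract: it returns HTML already processed by the configured MarkupFormatter, meant to be written unescaped by the view, and it is restricted because a caller that escapes or otherwise transforms the result would double-escape it or defeat the formatter. Whether `description` can be null at this point and how `translate(null)` behaves is not visible in this hunk — confirm before relying on it.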
diff --git a/core/src/main/resources/hudson/model/StringParameterValue/value.jelly b/core/src/main/resources/hudson/model/StringParameterValue/value.jelly
index 961a583d29..e3de9ff09a 100644
--- a/core/src/main/resources/hudson/model/StringParameterValue/value.jelly
+++ b/core/src/main/resources/hudson/model/StringParameterValue/value.jelly
@@ -26,7 +26,8 @@ THE SOFTWARE. - + + \ No newline at end of file
diff --git a/test/src/test/java/hudson/model/ParametersTest.java b/test/src/test/java/hudson/model/ParametersTest.java
index 46a89eeb26..fe885e164c 100644
--- a/test/src/test/java/hudson/model/ParametersTest.java
+++ b/test/src/test/java/hudson/model/ParametersTest.java
@@ -17,7 +17,6 @@ import java.util.regex.Pattern;
 import org.apache.http.HttpStatus;
 import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
-import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ErrorCollector;
@@ -226,7 +225,6 @@ public class ParametersTest {
 HtmlFormUtil.submit(form, HtmlFormUtil.getButtonByCaption(form, "Build"));
 }
- @Ignore("TODO build page should mark up param description; parameters page should mark up param description")
 @Issue("SECURITY-353")
 @Test
 public void xss() throws Exception {
--
GitLab