Merge branch 'security-stable-2.222' into security-stable-2.235

96a7c68a · Wadeck Follonier · 58f83eb3 · 89ec2901 · 96a7c68a · 96a7c68a
2 changed file
--- a/core/src/main/java/hudson/console/HyperlinkNote.java
+++ b/core/src/main/java/hudson/console/HyperlinkNote.java
@@ -25,6 +25,7 @@ package hudson.console;

 import hudson.Extension;
 import hudson.MarkupText;
+import hudson.Util;
 import jenkins.model.Jenkins;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
@@ -69,7 +70,7 @@ public class HyperlinkNote extends ConsoleNote {
                url = Jenkins.get().getRootUrl()+url.substring(1);
            }
        }
-        text.addMarkup(charPos, charPos + length, "<a href='" + url + "'"+extraAttributes()+">", "</a>");
+        text.addMarkup(charPos, charPos + length, "<a href='" + Util.escape(url) + "'"+extraAttributes()+">", "</a>");
        return null;
    }


--- a/test/src/test/java/hudson/console/HyperlinkNoteTest.java
+++ b/test/src/test/java/hudson/console/HyperlinkNoteTest.java
@@ -24,11 +24,16 @@

 package hudson.console;

+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import hudson.model.FreeStyleBuild;
 import hudson.model.FreeStyleProject;
 import java.io.IOException;
 import java.io.StringReader;
 import java.io.StringWriter;
 import java.nio.charset.StandardCharsets;
+
+import hudson.model.Result;
+import hudson.tasks.BuildTrigger;
 import org.apache.commons.io.IOUtils;
 import org.junit.Rule;
 import org.junit.Test;
@@ -73,6 +78,19 @@ public class HyperlinkNoteTest {
                containsString(">" + noteTextSanitized + "</a>")));
    }

+    @Test
+    public void textWithSingleQuote() throws Exception {
+        FreeStyleProject upstream = r.createFreeStyleProject("upstream");
+        r.createFreeStyleProject("d0wnstr3'am");
+        upstream.getPublishersList().add(new BuildTrigger("d0wnstr3'am", Result.SUCCESS));
+        r.jenkins.rebuildDependencyGraph();
+        FreeStyleBuild b = r.buildAndAssertSuccess(upstream);
+        r.waitUntilNoActivity();
+        HtmlPage rsp = r.createWebClient().goTo(b.getUrl()+"console");
+        assertThat(rsp.querySelector(".console-output").asText(), containsString("Triggering a new build of"));
+        assertThat(String.valueOf(rsp.getAnchorByText("d0wnstr3'am").click().getWebResponse().getStatusCode()), containsString("200"));
+    }
+
    private static String annotate(String text) throws IOException {
        StringWriter writer = new StringWriter();
        try (ConsoleAnnotationOutputStream out = new ConsoleAnnotationOutputStream(writer, null, null, StandardCharsets.UTF_8)) {