Split RawHtmlMarkupFormatter into a bundled plugin (antisamy-markup-formatter).

https://trello.com/c/NvZt4WXu/15-rawhtmlmarkupformatter

changelog.html

@@ -55,7 +55,8 @@ Upcoming changes</a>
 <!-- Record your changes in the trunk here. -->
 <div id="trunk" style="display:none"><!--=TRUNK-BEGIN=-->
 <ul class=image>
-  <li class=>
+  <li class=rfe>
+    Split the “raw HTML” markup formatter out of core into a bundled plugin.
 </ul>
 </div><!--=TRUNK-END=-->
 

core/pom.xml

@@ -553,12 +553,6 @@ THE SOFTWARE.
       <scope>provided</scope>
     </dependency>
 
-    <dependency>
-      <groupId>org.kohsuke</groupId>
-      <artifactId>owasp-html-sanitizer</artifactId>
-      <version>r88</version>
-    </dependency>
-
     <dependency>
         <groupId>org.mindrot</groupId>
         <artifactId>jbcrypt</artifactId>

core/src/main/java/hudson/ClassicPluginStrategy.java

@@ -273,7 +273,8 @@ public class ClassicPluginStrategy implements PluginStrategy {
         new DetachedPlugin("pam-auth","1.467.*","1.0"),
         new DetachedPlugin("mailer","1.493.*","1.2"),
         new DetachedPlugin("matrix-auth","1.535.*","1.0.2"),
-        new DetachedPlugin("windows-slaves","1.547.*","1.0")
+        new DetachedPlugin("windows-slaves","1.547.*","1.0"),
+        new DetachedPlugin("antisamy-markup-formatter","1.553.*","1.0")
     );
 
     /**

core/src/main/java/hudson/markup/EbayPolicy.java

-// Copyright (c) 2011, Mike Samuel
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions
-// are met:
-//
-// Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// Redistributions in binary form must reproduce the above copyright
-// notice, this list of conditions and the following disclaimer in the
-// documentation and/or other materials provided with the distribution.
-// Neither the name of the OWASP nor the names of its contributors may
-// be used to endorse or promote products derived from this software
-// without specific prior written permission.
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-package hudson.markup;
-
-import com.google.common.base.Charsets;
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.base.Throwables;
-import com.google.common.io.CharStreams;
-import org.owasp.html.Handler;
-import org.owasp.html.HtmlPolicyBuilder;
-import org.owasp.html.HtmlSanitizer;
-import org.owasp.html.HtmlSanitizer.Policy;
-import org.owasp.html.HtmlStreamEventReceiver;
-import org.owasp.html.HtmlStreamRenderer;
-import org.owasp.html.PolicyFactory;
-
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.util.regex.Pattern;
-
-/**
- * Based on the
- * <a href="http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#Stage_2_-_Choosing_a_base_policy_file">AntiSamy EBay example</a>.
- * <blockquote>
- * eBay (http://www.ebay.com/) is the most popular online auction site in the
- * universe, as far as I can tell. It is a public site so anyone is allowed to
- * post listings with rich HTML content. It's not surprising that given the
- * attractiveness of eBay as a target that it has been subject to a few complex
- * XSS attacks. Listings are allowed to contain much more rich content than,
- * say, Slashdot- so it's attack surface is considerably larger. The following
- * tags appear to be accepted by eBay (they don't publish rules):
- * {@code <a>},...
- * </blockquote>
- */
-public class EbayPolicy {
-
-  // Some common regular expression definitions.
-
-  // The 16 colors defined by the HTML Spec (also used by the CSS Spec)
-  private static final Pattern COLOR_NAME = Pattern.compile(
-      "(?:aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple"
-      + "|red|silver|teal|white|yellow)");
-
-  // HTML/CSS Spec allows 3 or 6 digit hex to specify color
-  private static final Pattern COLOR_CODE = Pattern.compile(
-      "(?:#(?:[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?))");
-
-  private static final Pattern NUMBER_OR_PERCENT = Pattern.compile(
-      "[0-9]+%?");
-  private static final Pattern PARAGRAPH = Pattern.compile(
-      "(?:[\\p{L}\\p{N},'\\.\\s\\-_\\(\\)]|&[0-9]{2};)*");
-  private static final Pattern HTML_ID = Pattern.compile(
-      "[a-zA-Z0-9\\:\\-_\\.]+");
-  // force non-empty with a '+' at the end instead of '*'
-  private static final Pattern HTML_TITLE = Pattern.compile(
-      "[\\p{L}\\p{N}\\s\\-_',:\\[\\]!\\./\\\\\\(\\)&]*");
-  private static final Pattern HTML_CLASS = Pattern.compile(
-      "[a-zA-Z0-9\\s,\\-_]+");
-
-  private static final Pattern ONSITE_URL = Pattern.compile(
-      "(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");
-  private static final Pattern OFFSITE_URL = Pattern.compile(
-      "\\s*(?:(?:ht|f)tps?://|mailto:)[\\p{L}\\p{N}]"
-      + "[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*\\s*");
-
-  private static final Pattern NUMBER = Pattern.compile(
-      "[+-]?(?:(?:[0-9]+(?:\\.[0-9]*)?)|\\.[0-9]+)");
-
-  private static final Pattern NAME = Pattern.compile("[a-zA-Z0-9\\-_\\$]+");
-
-  private static final Pattern ALIGN = Pattern.compile(
-      "(?i)center|left|right|justify|char");
-
-  private static final Pattern VALIGN = Pattern.compile(
-      "(?i)baseline|bottom|middle|top");
-
-  private static final Predicate<String> COLOR_NAME_OR_COLOR_CODE
-      = new Predicate<String>() {
-        public boolean apply(String s) {
-          return COLOR_NAME.matcher(s).matches()
-              || COLOR_CODE.matcher(s).matches();
-        }
-      };
-
-  private static final Predicate<String> ONSITE_OR_OFFSITE_URL
-      = new Predicate<String>() {
-        public boolean apply(String s) {
-          return ONSITE_URL.matcher(s).matches()
-              || OFFSITE_URL.matcher(s).matches();
-        }
-      };
-
-  private static final Pattern HISTORY_BACK = Pattern.compile(
-      "(?:javascript:)?\\Qhistory.go(-1)\\E");
-
-  private static final Pattern ONE_CHAR = Pattern.compile(
-      ".?", Pattern.DOTALL);
-
-
-    public static final PolicyFactory POLICY_DEFINITION;
-
-    static {
-        POLICY_DEFINITION = new HtmlPolicyBuilder()
-                .allowAttributes("id").matching(HTML_ID).globally()
-                .allowAttributes("class").matching(HTML_CLASS).globally()
-                .allowAttributes("lang").matching(Pattern.compile("[a-zA-Z]{2,20}"))
-                .globally()
-                .allowAttributes("title").matching(HTML_TITLE).globally()
-                .allowStyling()
-                .allowAttributes("align").matching(ALIGN).onElements("p")
-                .allowAttributes("for").matching(HTML_ID).onElements("label")
-                .allowAttributes("color").matching(COLOR_NAME_OR_COLOR_CODE)
-                .onElements("font")
-                .allowAttributes("face")
-                .matching(Pattern.compile("[\\w;, \\-]+"))
-                .onElements("font")
-                .allowAttributes("size").matching(NUMBER).onElements("font")
-                .allowAttributes("href").matching(ONSITE_OR_OFFSITE_URL)
-                .onElements("a")
-                .allowStandardUrlProtocols()
-                .allowAttributes("nohref").onElements("a")
-                .allowAttributes("name").matching(NAME).onElements("a")
-                .allowAttributes(
-                        "onfocus", "onblur", "onclick", "onmousedown", "onmouseup")
-                .matching(HISTORY_BACK).onElements("a")
-                .requireRelNofollowOnLinks()
-                .allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL)
-                .onElements("img")
-                .allowAttributes("name").matching(NAME)
-                .onElements("img")
-                .allowAttributes("alt").matching(PARAGRAPH)
-                .onElements("img")
-                .allowAttributes("border", "hspace", "vspace").matching(NUMBER)
-                .onElements("img")
-                .allowAttributes("border", "cellpadding", "cellspacing")
-                .matching(NUMBER).onElements("table")
-                .allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE)
-                .onElements("table")
-                .allowAttributes("background").matching(ONSITE_URL)
-                .onElements("table")
-                .allowAttributes("align").matching(ALIGN)
-                .onElements("table")
-                .allowAttributes("noresize").matching(Pattern.compile("(?i)noresize"))
-                .onElements("table")
-                .allowAttributes("background").matching(ONSITE_URL)
-                .onElements("td", "th", "tr")
-                .allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE)
-                .onElements("td", "th")
-                .allowAttributes("abbr").matching(PARAGRAPH)
-                .onElements("td", "th")
-                .allowAttributes("axis", "headers").matching(NAME)
-                .onElements("td", "th")
-                .allowAttributes("scope")
-                .matching(Pattern.compile("(?i)(?:row|col)(?:group)?"))
-                .onElements("td", "th")
-                .allowAttributes("nowrap")
-                .onElements("td", "th")
-                .allowAttributes("height", "width").matching(NUMBER_OR_PERCENT)
-                .onElements("table", "td", "th", "tr", "img")
-                .allowAttributes("align").matching(ALIGN)
-                .onElements("thead", "tbody", "tfoot", "img",
-                        "td", "th", "tr", "colgroup", "col")
-                .allowAttributes("valign").matching(VALIGN)
-                .onElements("thead", "tbody", "tfoot",
-                        "td", "th", "tr", "colgroup", "col")
-                .allowAttributes("charoff").matching(NUMBER_OR_PERCENT)
-                .onElements("td", "th", "tr", "colgroup", "col",
-                        "thead", "tbody", "tfoot")
-                .allowAttributes("char").matching(ONE_CHAR)
-                .onElements("td", "th", "tr", "colgroup", "col",
-                        "thead", "tbody", "tfoot")
-                .allowAttributes("colspan", "rowspan").matching(NUMBER)
-                .onElements("td", "th")
-                .allowAttributes("span", "width").matching(NUMBER_OR_PERCENT)
-                .onElements("colgroup", "col")
-                .allowElements(
-                        "label", "noscript", "h1", "h2", "h3", "h4", "h5", "h6",
-                        "p", "i", "b", "u", "strong", "em", "small", "big", "pre", "code",
-                        "cite", "samp", "sub", "sup", "strike", "center", "blockquote",
-                        "hr", "br", "col", "font", "map", "span", "div", "img",
-                        "ul", "ol", "li", "dd", "dt", "dl", "tbody", "thead", "tfoot",
-                        "table", "td", "th", "tr", "colgroup", "fieldset", "legend")
-                .toFactory();
-    }
-
-    public static void main(String[] args) throws IOException {
-        if (args.length != 0) {
-            System.err.println("Reads from STDIN and writes to STDOUT");
-            System.exit(-1);
-        }
-        System.err.println("[Reading from STDIN]");
-        // Fetch the HTML to sanitize.
-        String html = CharStreams.toString(
-                new InputStreamReader(System.in, Charsets.UTF_8));
-        // Set up an output channel to receive the sanitized HTML.
-        HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
-                System.out,
-                // Receives notifications on a failure to write to the output.
-                new Handler<IOException>() {
-                    public void handle(IOException ex) {
-                        Throwables.propagate(ex);  // System.out suppresses IOExceptions
-                    }
-                },
-                // Our HTML parser is very lenient, but this receives notifications on
-                // truly bizarre inputs.
-                new Handler<String>() {
-                    public void handle(String x) {
-                        throw new AssertionError(x);
-                    }
-                }
-        );
-        // Use the policy defined above to sanitize the HTML.
-        HtmlSanitizer.sanitize(html, POLICY_DEFINITION.apply(renderer));
-    }
-}
\ No newline at end of file

core/src/main/java/hudson/markup/EscapedMarkupFormatter.java

+/*
+ * The MIT License
+ *
+ * Copyright 2011 Seiji Sogabe
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package hudson.markup;
+
+import hudson.Extension;
+import hudson.Util;
+import hudson.markup.MarkupFormatter;
+import hudson.markup.MarkupFormatterDescriptor;
+import java.io.IOException;
+import java.io.Writer;
+import org.kohsuke.stapler.DataBoundConstructor;
+
+/**
+ * @link MarkupFormatter} that treats the input as the escaped html.
+ *
+ * @author Seiji Sogabe
+ * @since 1.553
+ */
+public class EscapedMarkupFormatter extends MarkupFormatter {
+
+    @DataBoundConstructor
+    public EscapedMarkupFormatter() {
+    }
+
+    @Override
+    public void translate(String markup, Writer output) throws IOException {
+        output.write(Util.escape(markup));
+    }
+
+    @Extension
+    public static class DescriptorImpl extends MarkupFormatterDescriptor {
+
+        @Override
+        public String getDisplayName() {
+            return "Escaped HTML";
+        }
+    }
+
+}

core/src/main/java/hudson/markup/HtmlPolicyBuilder2.java

-package hudson.markup;
-
-import com.google.common.base.Predicate;
-import org.owasp.html.HtmlPolicyBuilder;
-
-import java.util.regex.Pattern;
-
-/**
- * {@link HtmlPolicyBuilder} with additional
- * functions to simplify transcoding policy definition
- * from OWASP AntiSamy policy files.
- *
- * @author Kohsuke Kawaguchi
- */
-class HtmlPolicyBuilder2 extends HtmlPolicyBuilder {
-    public void tag(String names, Object... attributes) {
-        String[] tags = names.split(",");
-        for (int i=0; i<attributes.length; i++) {
-            String attName = (String)attributes[i];
-            if (i+1<attributes.length) {
-                Object operand = attributes[i+1];
-                if (operand instanceof Predicate) {
-                    Predicate p = (Predicate) operand;
-                    allowAttributes(attName).matching(p).onElements(tags);
-                    i++;
-                    continue;
-                }
-
-                if (operand instanceof Pattern) {
-                    Pattern p = (Pattern) operand;
-                    allowAttributes(attName).matching(p).onElements(tags);
-                    i++;
-                    continue;
-                }
-            }
-
-            // operand-less
-            allowAttributes(attName).onElements(tags);
-        }
-        allowElements(tags);
-    }
-}

core/src/main/java/hudson/markup/MyspacePolicy.java

-package hudson.markup;
-
-import com.google.common.base.Predicate;
-import com.google.common.base.Throwables;
-import org.owasp.html.Handler;
-import org.owasp.html.HtmlSanitizer;
-import org.owasp.html.HtmlStreamRenderer;
-import org.owasp.html.PolicyFactory;
-
-import java.io.IOException;
-import java.util.regex.Pattern;
-
-/**
- * Policy definition based on OWASP AntiSamy MySpace policy.
- *
- * @author Kohsuke Kawaguchi
- * @see <a href="https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#Stage_2_-_Choosing_a_base_policy_file">OWASP AntiSamy MySpace Policy</a>
- */
-public class MyspacePolicy {
-    public static final PolicyFactory POLICY_DEFINITION;
-
-    private static final Pattern ONSITE_URL = Pattern.compile(
-        "(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");
-    private static final Pattern OFFSITE_URL = Pattern.compile(
-        "\\s*(?:(?:ht|f)tps?://|mailto:)[\\p{L}\\p{N}]"
-        + "[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*\\s*");
-  
-    private static final Predicate<String> ONSITE_OR_OFFSITE_URL
-        = new Predicate<String>() {
-          public boolean apply(String s) {
-            return ONSITE_URL.matcher(s).matches()
-                || OFFSITE_URL.matcher(s).matches();
-          }
-        };
-
-    static {
-        POLICY_DEFINITION = new HtmlPolicyBuilder2() {{
-            allowAttributes("id","class","lang","title",
-                    "alt","style","media","href","name","shape",
-                    "border","cellpadding","cellspacing","colspan","rowspan",
-                    "background","bgcolor","abbr","headers","charoff","char",
-                    "aixs","nowrap","width","height","align","valign","scope",
-                    "tabindex","disabled","readonly","accesskey","size",
-                    "autocomplete","rows","cols").globally();
-
-            disallowElements(
-                    // I'm allowing iframe
-                    "script","noscript",/*"iframe",*/"frameset","frame");
-
-            tag("label",    "for");
-            tag("form",     "action",ONSITE_URL,
-                            "method");
-            tag("button",   "value", "type");
-            tag("input",    "maxlength","checked",
-                            "src",ONSITE_OR_OFFSITE_URL,
-                            "usemap",ONSITE_URL,
-                            "type","value");
-            tag("select",   "multiple");
-            tag("option",   "value","label","selected");
-            tag("textarea");
-            tag("h1,h2,h3,h4,h5,h6,p,i,b,u,strong,em,small,big,pre,code,cite,samp,sub,sup,strike,center,blockquote");
-            tag("hr,br,col");
-            tag("font", "color", "face", "size");
-            tag("a",        "nohref","rel");
-            tag("style",    "type");
-            tag("span,div");
-            tag("img",      "src",ONSITE_OR_OFFSITE_URL,
-                            "hspace","vspace");
-            tag("ul,ol,li,dd,dl,dt,thead,tbody,tfoot");
-            tag("table",    "noresize");
-            tag("td,th,tr");
-            tag("colgroup", "span");
-            tag("col",      "span");
-            tag("fieldset,legend");
-            allowStandardUrlProtocols();
-        }}.toFactory();
-    }
-
-    public static void main(String[] args) throws IOException {
-        // Fetch the HTML to sanitize.
-        String html = "<a href='http://www.google.com/'>Google</a><img src='http://www.yahoo.com'>";
-        // Set up an output channel to receive the sanitized HTML.
-        HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
-                System.out,
-                // Receives notifications on a failure to write to the output.
-                new Handler<IOException>() {
-                    public void handle(IOException ex) {
-                        Throwables.propagate(ex);  // System.out suppresses IOExceptions
-                    }
-                },
-                // Our HTML parser is very lenient, but this receives notifications on
-                // truly bizarre inputs.
-                new Handler<String>() {
-                    public void handle(String x) {
-                        throw new AssertionError(x);
-                    }
-                }
-        );
-        // Use the policy defined above to sanitize the HTML.
-        HtmlSanitizer.sanitize(html, POLICY_DEFINITION.apply(renderer));
-    }
-}

core/src/main/java/hudson/markup/RawHtmlMarkupFormatter.java

-package hudson.markup;
-
-import com.google.common.base.Throwables;
-import hudson.Extension;
-import org.kohsuke.stapler.DataBoundConstructor;
-import org.owasp.html.Handler;
-import org.owasp.html.HtmlSanitizer;
-import org.owasp.html.HtmlStreamRenderer;
-
-import java.io.IOException;
-import java.io.Writer;
-
-/**
- * {@link MarkupFormatter} that treats the input as the raw html.
- * This is the backward compatible behaviour.
- *
- * @author Kohsuke Kawaguchi
- */
-public class RawHtmlMarkupFormatter extends MarkupFormatter {
-
-    final boolean disableSyntaxHighlighting;
-
-    @DataBoundConstructor
-    public RawHtmlMarkupFormatter(final boolean disableSyntaxHighlighting) {
-        this.disableSyntaxHighlighting = disableSyntaxHighlighting;
-    }
-
-    public boolean isDisableSyntaxHighlighting() {
-        return disableSyntaxHighlighting;
-    }
-
-    @Override
-    public void translate(String markup, Writer output) throws IOException {
-        HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
-                output,
-                // Receives notifications on a failure to write to the output.
-                new Handler<IOException>() {
-                    public void handle(IOException ex) {
-                        Throwables.propagate(ex);  // System.out suppresses IOExceptions
-                    }
-                },
-                // Our HTML parser is very lenient, but this receives notifications on
-                // truly bizarre inputs.
-                new Handler<String>() {
-                    public void handle(String x) {
-                        throw new Error(x);
-                    }
-                }
-        );
-        // Use the policy defined above to sanitize the HTML.
-        HtmlSanitizer.sanitize(markup, MyspacePolicy.POLICY_DEFINITION.apply(renderer));
-    }
-
-    public String getCodeMirrorMode() {
-        return disableSyntaxHighlighting ? null : "htmlmixed";
-    }
-
-    public String getCodeMirrorConfig() {
-        return "mode:'text/html'";
-    }
-
-    @Extension
-    public static class DescriptorImpl extends MarkupFormatterDescriptor {
-        @Override
-        public String getDisplayName() {
-            return "Raw HTML";
-        }
-    }
-
-    public static final MarkupFormatter INSTANCE = new RawHtmlMarkupFormatter(false);
-}

core/src/main/java/jenkins/model/Jenkins.java

@@ -120,7 +120,7 @@ import hudson.cli.declarative.CLIResolver;
 import hudson.lifecycle.Lifecycle;
 import hudson.logging.LogRecorderManager;
 import hudson.lifecycle.RestartNotSupportedException;
-import hudson.markup.RawHtmlMarkupFormatter;
+import hudson.markup.EscapedMarkupFormatter;
 import hudson.remoting.Callable;
 import hudson.remoting.LocalChannel;
 import hudson.remoting.VirtualChannel;
@@ -1282,8 +1282,9 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
      *      never null.
      * @since 1.391
      */
-    public MarkupFormatter getMarkupFormatter() {
-        return markupFormatter!=null ? markupFormatter : RawHtmlMarkupFormatter.INSTANCE;
+    public @Nonnull MarkupFormatter getMarkupFormatter() {
+        MarkupFormatter f = markupFormatter;
+        return f != null ? f : new EscapedMarkupFormatter();
     }
 
     /**

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config.jelly → core/src/main/resources/hudson/markup/EscapedMarkupFormatter/config.jelly

@@ -4,7 +4,4 @@
   <f:description>
     ${%blurb}
   </f:description>
-  <f:entry field="disableSyntaxHighlighting">
-      <f:checkbox title="${%disableSyntaxHighlighting}"/>
-  </f:entry>
 </j:jelly>

core/src/main/resources/hudson/markup/EscapedMarkupFormatter/config.properties

+blurb=Treats all input as plain text, with no HTML permitted.

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config.properties

-blurb=Treat the text as HTML and use it as is without any translation
-disableSyntaxHighlighting=Disable syntax highlighting

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_bg.properties

-# This file is under the MIT License by authors
-
-blurb=\u0421\u0447\u0438\u0442\u0430\u0439 \u0442\u0435\u043A\u0441\u0442\u0430 \u0437\u0430 HTML \u0438 \u0433\u043E \u043F\u0440\u0438\u0435\u043C\u0438 \u0431\u0435\u0437 \u043F\u0440\u0435\u0432\u043E\u0434
-disableSyntaxHighlighting=\u0418\u0437\u043A\u043B\u044E\u0447\u0432\u0430\u043D\u0435 \u043D\u0430 \u043E\u0446\u0432\u0435\u0442\u044F\u0432\u0430\u043D\u0435 \u043D\u0430 \u0441\u0438\u043D\u0442\u0430\u043A\u0441\u0438\u0441\u0430

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_cs.properties

-# This file is under the MIT License by authors
-
-blurb=Br\u00E1t text jako HTML a pou\u017E\u00EDt ho bez jak\u00E9hokoliv p\u0159ekladu
-disableSyntaxHighlighting=Zru\u0161it zv\u00FDraz\u0148ov\u00E1n\u00ED syntaxe

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_da.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-disableSyntaxHighlighting=Sl\u00E5 syntaks markering fra

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_de.properties

-blurb=Behandle den Text als HTML ohne jede bersetzung
-disableSyntaxHighlighting=Syntaxhervorhebung abschalten

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_es.properties

-# The MIT License
-#
-# Copyright (c) 2004-, Kohsuke Kawaguchi, Sun Microsystems, Inc., and a number of other of contributers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=Utiliza el texto como HTML
-disableSyntaxHighlighting=Deshabilitar coloreado de sintaxis.

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_fi.properties

-# This file is under the MIT License by authors
-
-blurb=K\u00E4sittele teksti\u00E4 HTML:n\u00E4 ja k\u00E4yt\u00E4 sit\u00E4 sellaisenaan ilman k\u00E4\u00E4nn\u00F6st\u00E4

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_fr.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=Consid\u00E9rer le texte comme du HTML et l''utiliser sans le traduire
-disableSyntaxHighlighting=D\u00E9sactiver la coloration syntaxique

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_hi_IN.properties

-# This file is under the MIT License by authors
-
-blurb=\u092A\u093E\u0920 \u0915\u094B HTML \u0915\u0947 \u0930\u0942\u092A \u092E\u0947\u0902 \u0926\u0947\u0916\u093F\u090F \u0914\u0930 \u0907\u0938\u0915\u093E \u0909\u092A\u092F\u094B\u0917 \u0915\u093F\u0938\u0940 \u092D\u0940 \u0905\u0928\u0941\u0935\u093E\u0926 \u0915\u0947 \u092C\u093F\u0928\u093E \u0915\u0930\u0947\u0902 
-disableSyntaxHighlighting=\u0935\u093E\u0915\u094D\u092F \u0930\u091A\u0928\u093E \u0938\u0947 \u092A\u094D\u0930\u0915\u093E\u0936 \u0939\u091F\u093E\u092F\u0947\u0902 

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_hu.properties

-# This file is under the MIT License by authors
-
-blurb=A sz\u00F6veg kezel\u00E9se HTML-k\u00E9nt \u00E9s felhaszn\u00E1l\u00E1sa ford\u00EDt\u00E1s n\u00E9lk\u00FCl
-disableSyntaxHighlighting=Szintaxis kiemel\u00E9s tilt\u00E1sa

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_it.properties

-# This file is under the MIT License by authors
-
-blurb=tratta il testo come HTML e usalo senza intepretarlo
-disableSyntaxHighlighting=Disabilita il syntax highlighting

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_ja.properties

-blurb=\u30c6\u30ad\u30b9\u30c8\u3092HTML\u3068\u3057\u3066\u6271\u3044\u3001\u5909\u66f4\u3059\u308b\u3053\u3068\u306a\u304f\u305d\u306e\u307e\u307e\u4f7f\u7528\u3057\u307e\u3059\u3002
-disableSyntaxHighlighting=\u30b7\u30f3\u30bf\u30c3\u30af\u30b9\u30cf\u30a4\u30e9\u30a4\u30c8\u3092\u7121\u52b9\u306b\u3059\u308b
\ No newline at end of file

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_ko.properties

-# This file is under the MIT License by authors
-
-blurb=\uD14D\uC2A4\uD2B8\uB97C HTML\uB85C \uB2E4\uB8E8\uACE0 \uBC88\uC5ED\uD558\uC9C0 \uC54A\uACE0 \uADF8\uB300\uB85C \uC0AC\uC6A9\uD569\uB2C8\uB2E4.
-disableSyntaxHighlighting=\uBB38\uBC95 \uD558\uC774\uB77C\uC774\uD305 \uBE44\uD65C\uC131\uD654

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_lt.properties

-# This file is under the MIT License by authors
-
-disableSyntaxHighlighting=I\u0161jungti spalvinim\u0105 pagal sintaks\u0119

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_lv.properties

-# This file is under the MIT License by authors
-
-disableSyntaxHighlighting=Atsp\u0113jot sintakses izgaismo\u0161anu

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_nb_NO.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=Behandle teksten som HTML og bruk den uten oversettelse
-disableSyntaxHighlighting=Skru av syntaksmarkering

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_nl.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=Gebruik deze tekst als HTML zonder vertaling
-disableSyntaxHighlighting=Syntaxnadruk uitschakelen

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_pl.properties

-# This file is under the MIT License by authors
-
-blurb=Uznaj tekst za HTML i u\u017Cyj go bez jakiegokolwiek t\u0142umaczenia
-disableSyntaxHighlighting=Wy\u0142\u0105cz wyr\u00F3\u017Cnianie sk\u0142adni

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_pt_BR.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=Tratar o texto como HTML e us\u00E1-lo como \u00E9, sem qualquer tradu\u00E7\u00E3o
-disableSyntaxHighlighting=Desabilitar destaque de sintaxe

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_pt_PT.properties

-# This file is under the MIT License by authors
-
-blurb=Tratar o texto como HTML e usar sem qualquer transla\u00E7\u00E3o
-disableSyntaxHighlighting=Desactivar destaque de sintaxe.

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_ru.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=\u0422\u0440\u0430\u043A\u0442\u043E\u0432\u0430\u0442\u044C \u0442\u0435\u043A\u0441\u0442 \u043A\u0430\u043A HTML \u0438 \u0438\u0441\u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u044C \u0435\u0433\u043E "\u043A\u0430\u043A \u0435\u0441\u0442\u044C", \u0431\u0435\u0437 \u043A\u0430\u043A\u043E\u0439-\u043B\u0438\u0431\u043E \u043E\u0431\u0440\u0430\u0431\u043E\u0442\u043A\u0438
-disableSyntaxHighlighting=\u0412\u044B\u043A\u043B\u044E\u0447\u0438\u0442\u044C \u043F\u043E\u0434\u0441\u0432\u0435\u0442\u043A\u0443 \u0441\u0438\u043D\u0442\u0430\u043A\u0441\u0438\u0441\u0430

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_sk.properties

-# This file is under the MIT License by authors
-
-disableSyntaxHighlighting=Zak\u00E1\u017E syntaktick\u00E9 zv\u00FDraz\u0148ovanie

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_sv_SE.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=Behandla texten som HTML och anv\u00E4nd den som den \u00E4r, utan att \u00F6vers\u00E4tta den
-disableSyntaxHighlighting=Inaktivera syntaxmarkering

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_uk.properties

-# This file is under the MIT License by authors
-
-blurb=\u0421\u043F\u0440\u0438\u0439\u043C\u0430\u0442\u0438 \u0442\u0435\u043A\u0441\u0442 \u044F\u043A HTML \u0456 \u0432\u0438\u043A\u043E\u0440\u0438\u0441\u0442\u043E\u0432\u0443\u0432\u0430\u0442\u0438 \u0439\u043E\u0433\u043E "\u044F\u043A \u0454" \u0431\u0435\u0437 \u0436\u043E\u0434\u043D\u043E\u0433\u043E \u043F\u0435\u0440\u0435\u043A\u043B\u0430\u0434\u0443
-disableSyntaxHighlighting=\u0412\u0438\u043C\u043A\u043D\u0443\u0442\u0438 \u043F\u0456\u0434\u0441\u0432\u0456\u0442\u043A\u0443 \u0441\u0438\u043D\u0442\u0430\u043A\u0441\u0438\u0441\u0443

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_zh_CN.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=\u5C06\u6587\u672C\u4F5C\u4E3A HTML \u5E76\u4E14\u4E0D\u52A0\u4EFB\u4F55\u7FFB\u8BD1
-disableSyntaxHighlighting=\u7981\u7528\u8BED\u6CD5\u9AD8\u4EAE

core/src/main/resources/hudson/markup/RawHtmlMarkupFormatter/config_zh_TW.properties

-# The MIT License
-#
-# Copyright (c) 2004-2010, Sun Microsystems, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-blurb=\u5C07\u9019\u4E9B\u6587\u5B57\u8996\u70BA HTML\uFF0C\u539F\u6C41\u539F\u5473\u7684\u986F\u793A\u51FA\u4F86
-disableSyntaxHighlighting=\u95DC\u9589\u8A9E\u6CD5\u5F69\u8272\u6A19\u793A

core/src/test/java/hudson/markup/MyspacePolicyTest.java

-package hudson.markup;
-
-import com.google.common.base.Throwables;
-import org.junit.Assert;
-import org.junit.Test;
-import org.owasp.html.Handler;
-import org.owasp.html.HtmlSanitizer;
-import org.owasp.html.HtmlStreamRenderer;
-
-import java.io.IOException;
-
-/**
- * @author Kohsuke Kawaguchi
- */
-public class MyspacePolicyTest extends Assert {
-    @Test
-    public void testPolicy() {
-        assertIntact("<a href='http://www.cloudbees.com'>CB</a>");
-        assertIntact("<a href='relative/link'>relative</a>");
-        assertIntact("<a href='mailto:kk&#64;kohsuke.org'>myself</a>");
-        assertReject("javascript","<a href='javascript:alert(5)'>test</a>");
-
-        assertIntact("<img src='http://www.cloudbees.com'>");
-        assertIntact("<img src='relative/test.png'>");
-        assertIntact("<img src='relative/test.png'>");
-        assertReject("javascript","<img src='javascript:alert(5)'>");
-
-        assertIntact("<b><i><u><strike>basic tag</strike></u></i></b>");
-        assertIntact("<div><p>basic block tags</p></div>");
-
-        assertIntact("<ul><li>1</li><li>2</li><li>3</li></ul>");
-        assertIntact("<ol><li>x</li></ol>");
-        assertIntact("<dl><dt>abc</dt><dd>foo</dd></dl>");
-        assertIntact("<table><tr><th>header</th></tr><tr><td>something</td></tr></table>");
-        assertIntact("<h1>title</h1><blockquote>blurb</blockquote>");
-
-        assertReject("iframe", "<iframe src='nested'></iframe>");
-
-        assertReject("script","<script>window.alert(5);</script>");
-        assertReject("script","<script src='http://foo/evil.js'></script>");
-        assertReject("script","<script src='relative.js'></script>");
-
-        assertIntact("<style>H1 { display:none; }</style>");
-        assertReject("link", "<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>");
-        assertIntact("<div style='background-color:white'>inline CSS</div>");
-        assertIntact("<br><hr>");
-
-        assertReject("sun.com", "<form method='post' action='http://sun.com/'><input type='text' name='foo'><input type='password' name='pass'></form>");
-    }
-
-    private void assertIntact(String input) {
-        input = input.replace('\'','\"');
-        assertSanitize(input,input);
-    }
-    
-    private void assertReject(String problematic, String input) {
-        String out = sanitize(input);
-        assertFalse(out, out.contains(problematic));
-    }
-    
-    private void assertSanitize(String expected, String input) {
-        assertEquals(expected,sanitize(input));
-    }
-
-    private String sanitize(String input) {
-        StringBuilder buf = new StringBuilder();
-        HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
-                buf,
-                // Receives notifications on a failure to write to the output.
-                new Handler<IOException>() {
-                    public void handle(IOException ex) {
-                        Throwables.propagate(ex);  // System.out suppresses IOExceptions
-                    }
-                },
-                // Our HTML parser is very lenient, but this receives notifications on
-                // truly bizarre inputs.
-                new Handler<String>() {
-                    public void handle(String x) {
-                        throw new AssertionError(x);
-                    }
-                }
-        );
-        HtmlSanitizer.sanitize(input, MyspacePolicy.POLICY_DEFINITION.apply(renderer));
-        return buf.toString();
-    }
-}

test/pom.xml

@@ -87,6 +87,11 @@ THE SOFTWARE.
       <artifactId>matrix-auth</artifactId>
       <version>1.0.2</version>
     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>antisamy-markup-formatter</artifactId>
+      <version>1.0</version>
+    </dependency>
     <dependency>
       <groupId>org.mortbay.jetty</groupId>
       <artifactId>jetty</artifactId>

test/src/test/groovy/lib/form/ApplyButtonTest.groovy

 package lib.form
 
+import hudson.markup.RawHtmlMarkupFormatter
 import org.junit.Rule
 import org.junit.Test
 import org.jvnet.hudson.test.Bug
@@ -18,6 +19,7 @@ class ApplyButtonTest {
      */
     @Test @Bug(18436)
     public void editDescription() {
+        j.jenkins.markupFormatter = RawHtmlMarkupFormatter.INSTANCE // need something using CodeMirror
         def p = j.createFreeStyleProject()
         def b = j.assertBuildStatusSuccess(p.scheduleBuild2(0))
 

war/pom.xml

@@ -350,6 +350,12 @@ THE SOFTWARE.
                   <version>1.0</version>
                   <type>hpi</type>
                 </artifactItem>
+                <artifactItem>
+                  <groupId>org.jenkins-ci.plugins</groupId>
+                  <artifactId>antisamy-markup-formatter</artifactId>
+                  <version>1.0</version>
+                  <type>hpi</type>
+                </artifactItem>
               </artifactItems>
               <outputDirectory>${project.build.directory}/${project.build.finalName}/WEB-INF/plugins</outputDirectory>
               <stripVersion>true</stripVersion>