From ef84348861868fc023b74780e2dcb2671549ad94 Mon Sep 17 00:00:00 2001 From: kohsuke Date: Sun, 30 Aug 2009 16:33:39 +0000 Subject: [PATCH] follow up fix to rev.21175. - toString -> getShortDescription so that ParameterValue.getShortDescription() can explain what this method is expected to return. - added proper HTML escape to avoid XSS vulnerability. - modified to use StringBuilder for string concatanation. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@21252 71c3de6d-444a-0410-be80-ed276b4c234a --- core/src/main/java/hudson/Util.java | 1 + .../main/java/hudson/model/FileParameterValue.java | 2 +- core/src/main/java/hudson/model/ParameterValue.java | 12 ++++++++++++ core/src/main/java/hudson/model/Queue.java | 6 +++--- .../main/java/hudson/model/RunParameterValue.java | 9 +-------- core/src/main/resources/lib/hudson/queue.jelly | 2 +- 6 files changed, 19 insertions(+), 13 deletions(-) diff --git a/core/src/main/java/hudson/Util.java b/core/src/main/java/hudson/Util.java index 21ac7767c9..b1d9dfeb58 100644 --- a/core/src/main/java/hudson/Util.java +++ b/core/src/main/java/hudson/Util.java @@ -710,6 +710,7 @@ public class Util { * Escapes HTML unsafe characters like <, & to the respective character entities. */ public static String escape(String text) { + if (text==null) return null; StringBuilder buf = new StringBuilder(text.length()+64); for( int i=0; i + * This message is used as a tooltip to describe jobs in the queue. The text should be one line without + * new line. No HTML allowed (the caller will perform necessary HTML escapes, so any text can be returend.) + * + * @since 1.323 + */ + public String getShortDescription() { + return toString(); + } } diff --git a/core/src/main/java/hudson/model/Queue.java b/core/src/main/java/hudson/model/Queue.java index 2a5cdeab5b..9ec8876f15 100644 --- a/core/src/main/java/hudson/model/Queue.java +++ b/core/src/main/java/hudson/model/Queue.java 
@@ -1153,16 +1153,16 @@ public class Queue extends ResourceController implements Saveable {
 */
 @Exported
 public String getParams() {
- String s = "";
+ StringBuilder s = new StringBuilder();
 for(Action action : getActions()) {
 if(action instanceof ParametersAction) {
 ParametersAction pa = (ParametersAction)action;
 for (ParameterValue p : pa.getParameters()) {
- s = s + "
" + p.toString(); + s.append('\n').append(p.getShortDescription()); } } } - return s; + return s.toString(); } public boolean hasCancelPermission() { diff --git a/core/src/main/java/hudson/model/RunParameterValue.java b/core/src/main/java/hudson/model/RunParameterValue.java index 3ed2f60516..f7daf600e9 100644 --- a/core/src/main/java/hudson/model/RunParameterValue.java +++ b/core/src/main/java/hudson/model/RunParameterValue.java @@ -27,13 +27,6 @@ import org.kohsuke.stapler.DataBoundConstructor; import java.util.Map; -import com.thoughtworks.xstream.converters.Converter; -import com.thoughtworks.xstream.converters.MarshallingContext; -import com.thoughtworks.xstream.converters.UnmarshallingContext; -import com.thoughtworks.xstream.io.HierarchicalStreamWriter; -import com.thoughtworks.xstream.io.HierarchicalStreamReader; -import hudson.util.Secret; - public class RunParameterValue extends ParameterValue { private final String runId; @@ -66,7 +59,7 @@ public class RunParameterValue extends ParameterValue { } @Override - public String toString() { + public String getShortDescription() { return "(RunParameterValue) " + getName() + "='" + getRunId() + "'"; } diff --git a/core/src/main/resources/lib/hudson/queue.jelly b/core/src/main/resources/lib/hudson/queue.jelly index ba29f93cc1..b04405b407 100644 --- a/core/src/main/resources/lib/hudson/queue.jelly +++ b/core/src/main/resources/lib/hudson/queue.jelly @@ -57,7 +57,7 @@ THE SOFTWARE. - + -- GitLab