[HUDSON-6287] add escape-by-default for layout.jelly to avoid XSS attack from

page title as described in case #1 in this issue. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@30280 71c3de6d-444a-0410-be80-ed276b4c234a

[HUDSON-6287] add escape-by-default for layout.jelly to avoid XSS attack from
page title as described in case #1 in this issue. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@30280 71c3de6d-444a-0410-be80-ed276b4c234a
a101330e · mindless · 5ae67f41 · a101330e
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

core/src/main/resources/lib/layout/layout.jelly core/src/main/resources/lib/layout/layout.jelly +4 -3

未找到文件。
--- a/core/src/main/resources/lib/layout/layout.jelly
+++ b/core/src/main/resources/lib/layout/layout.jelly
 <!--
 The MIT License

-Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Daniel Dyer, Seiji Sogabe, Tom Huybrechts
+Copyright (c) 2004-2010, Sun Microsystems, Inc., Kohsuke Kawaguchi,
+Daniel Dyer, Seiji Sogabe, Tom Huybrechts

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -21,7 +22,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
-
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:i="jelly:fmt">
  <st:documentation>
    Outer-most tag for a normal (non-AJAX) HTML rendering.
@@ -184,7 +185,7 @@ THE SOFTWARE.
                  <j:whitespace> &#187; </j:whitespace>
                </j:if>
                <a href="${anc.url}/">
-                  ${h.escape(anc.object.displayName)}
+                  ${anc.object.displayName}
                </a>
              </j:if>
            </j:if>