[FIXED JENKINS-8789] Use jsStringEscape in a few places when contructing checkUrl,

as this content later gets eval'ed. Javascript errors could occur when view names or user names contained '

[FIXED JENKINS-8789] Use jsStringEscape in a few places when contructing checkUrl,
as this content later gets eval'ed. Javascript errors could occur when view names or user names contained '
e1c2c970 · alanharder · 3a3690b2 · e1c2c970 · e1c2c970 · e1c2c970
5 changed file
--- a/changelog.html
+++ b/changelog.html
@@ -73,6 +73,9 @@ Upcoming changes</a>
    Multiple polling events triggering a single build show up as multiple identical BuildActions in the sidebar, since there
    is only one polling log file, regardless of how many times polling happened. Should only be the latest polling instance now.
    (<a href="http://issues.jenkins-ci.org/browse/JENKINS-7649">issue 7649</a>)
+  <li class=bug>
+    Fix javascript errors on config pages when view name or user name contains an apostrophe.
+    (<a href="http://issues.jenkins-ci.org/browse/JENKINS-8789">issue 8789</a>)
  <li class=rfe>
    Lock down maven plugin versions to shut up m3
    (<a href="http://issues.jenkins-ci.org/browse/JENKINS-7275">issue 7275</a>)

--- a/core/src/main/java/hudson/model/Descriptor.java
+++ b/core/src/main/java/hudson/model/Descriptor.java
 /*
 * The MIT License
 * 
- * Copyright (c) 2004-2010, Sun Microsystems, Inc., Kohsuke Kawaguchi
+ * Copyright (c) 2004-2011, Sun Microsystems, Inc., Kohsuke Kawaguchi
 * 
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
@@ -24,12 +24,11 @@
 package hudson.model;

 import hudson.DescriptorExtensionList;
-import hudson.ExtensionComponent;
 import hudson.RelativePath;
 import hudson.XmlFile;
 import hudson.BulkChange;
 import hudson.Util;
-import static hudson.Util.singleQuote;
+import static hudson.Functions.jsStringEscape;
 import hudson.diagnosis.OldDataMonitor;
 import hudson.model.listeners.SaveableListener;
 import hudson.util.ReflectionUtils;
@@ -317,7 +316,7 @@ public abstract class Descriptor<T extends Describable<T>> implements Saveable {

        // put this under the right contextual umbrella.
        // a is always non-null because we already have Hudson as the sentinel
-        return singleQuote(getCurrentDescriptorByNameUrl()+'/')+'+'+method;
+        return '\'' + jsStringEscape(getCurrentDescriptorByNameUrl()) + "/'+" + method;
    }

    private String calcCheckUrl(String fieldName) {
@@ -328,7 +327,7 @@ public abstract class Descriptor<T extends Describable<T>> implements Saveable {
        if(method==null)
            return NONE;

-        return singleQuote(getDescriptorUrl() +"/check"+capitalizedFieldName) + buildParameterList(method, new StringBuilder()).append(".toString()");
+        return '\'' + getDescriptorUrl() + "/check" + capitalizedFieldName + '\'' + buildParameterList(method, new StringBuilder()).append(".toString()");
    }

    /**

--- a/core/src/main/resources/hudson/model/MyViewsProperty/config.jelly
+++ b/core/src/main/resources/hudson/model/MyViewsProperty/config.jelly
 <!--
 The MIT License

-Copyright (c) 2004-2009, Sun Microsystems, Inc., Tom Huybrechts
+Copyright (c) 2004-2011, Sun Microsystems, Inc., Tom Huybrechts, Alan Harder

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -25,6 +25,6 @@ THE SOFTWARE.
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
  <f:entry title="${%Default View}"
    description="${%description}">
-    <f:textbox field="primaryViewName" checkUrl="'${rootURL}/${instance.url}/viewExistsCheck?value='+encodeURIComponent(this.value)+'&amp;exists=true'"/>
+    <f:textbox field="primaryViewName" checkUrl="'${rootURL}/${h.jsStringEscape(instance.url)}viewExistsCheck?value='+encodeURIComponent(this.value)+'&amp;exists=true'"/>
  </f:entry>
-</j:jelly>
\ No newline at end of file
+</j:jelly>
--- a/core/src/main/resources/hudson/model/MyViewsProperty/newView.jelly
+++ b/core/src/main/resources/hudson/model/MyViewsProperty/newView.jelly
 <!--
 The MIT License

-Copyright (c) 2004-2010, Sun Microsystems, Inc., Kohsuke Kawaguchi, id:cactusman, Yahoo! Inc., Tom Huybrechts
+Copyright (c) 2004-2011, Sun Microsystems, Inc., Kohsuke Kawaguchi,
+id:cactusman, Yahoo! Inc., Tom Huybrechts, Alan Harder

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -34,7 +35,7 @@ THE SOFTWARE.
    <l:main-panel>
      <f:form method="post" action="createView" name="createView">
        <f:entry title="${%View name}">
-          <f:textbox id="name" name="name" checkUrl="'${rootURL}/${it.url}/viewExistsCheck?value='+encodeURIComponent(this.value)+'&amp;exists=false'"
+          <f:textbox id="name" name="name" checkUrl="'${rootURL}/${h.jsStringEscape(it.url)}viewExistsCheck?value='+encodeURIComponent(this.value)+'&amp;exists=false'"
                     onchange="updateOk(this.form)" onkeyup="updateOk(this.form)" />
          <script>
            $('name').focus();

--- a/core/src/main/resources/hudson/model/ProxyView/configure-entries.jelly
+++ b/core/src/main/resources/hudson/model/ProxyView/configure-entries.jelly
@@ -36,6 +36,6 @@ THE SOFTWARE.

        <f:textbox
            field="proxiedViewName"
-            checkUrl="'${rootURL}/${it.url}/viewExistsCheck?value='+encodeURIComponent(this.value)" />
+            checkUrl="'${rootURL}/${h.jsStringEscape(it.url)}viewExistsCheck?value='+encodeURIComponent(this.value)" />
 -->
 </j:jelly>