Merge pull request #15 from jenkinsci-cert/SECURITY-171

[SECURITY-171] XSS in FormValidation._error(..., Throwable, ...)

core/src/main/java/hudson/util/FormValidation.java

@@ -196,7 +196,7 @@ public abstract class FormValidation extends IOException implements HttpResponse
             " <a href='#' class='showDetails'>"
             + Messages.FormValidation_Error_Details()
             + "</a><pre style='display:none'>"
-            + Functions.printThrowable(e) +
+            + Util.escape(Functions.printThrowable(e)) +
             "</pre>",kind
         );
     }

core/src/test/java/hudson/util/FormValidationTest.java

@@ -23,6 +23,10 @@
  */
 package hudson.util;
 
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.MatcherAssert.assertThat;
+
 import junit.framework.TestCase;
 
 /**
@@ -51,4 +55,9 @@ public class FormValidationTest extends TestCase {
     public void testMessage() {
         assertEquals("test msg", FormValidation.errorWithMarkup("test msg").getMessage());
     }
+
+    public void testFormValidationException() {
+        FormValidation fv = FormValidation.error(new Exception("<html"), "Message<html");
+        assertThat(fv.renderHtml(), not(containsString("<html")));
+    }
 }