follow up fix to rev.21175.

- toString -> getShortDescription so that ParameterValue.getShortDescription() can explain what this method is expected to return.
- added proper HTML escape to avoid XSS vulnerability.
- modified to use StringBuilder for string concatanation.

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@21252 71c3de6d-444a-0410-be80-ed276b4c234a

core/src/main/java/hudson/Util.java

@@ -710,6 +710,7 @@ public class Util {
      * Escapes HTML unsafe characters like <, & to the respective character entities.
      */
     public static String escape(String text) {
+        if (text==null)     return null;
         StringBuilder buf = new StringBuilder(text.length()+64);
         for( int i=0; i<text.length(); i++ ) {
             char ch = text.charAt(i);

core/src/main/java/hudson/model/FileParameterValue.java

@@ -107,7 +107,7 @@ public class FileParameterValue extends ParameterValue {
 	}
 	
 	@Override
-    public String toString() {
+    public String getShortDescription() {
     	return "(FileParameterValue) " + getName() + "='" + file.getName() + "'";
     }
     

core/src/main/java/hudson/model/ParameterValue.java

@@ -196,4 +196,16 @@ public abstract class ParameterValue implements Serializable {
 		return true;
 	}
 
+    /**
+     * Computes a human-readable possible-localized one-line description of the parameter value.
+     *
+     * <P>
+     * This message is used as a tooltip to describe jobs in the queue. The text should be one line without
+     * new line. No HTML allowed (the caller will perform necessary HTML escapes, so any text can be returend.)
+     *
+     * @since 1.323
+     */
+    public String getShortDescription() {
+        return toString();
+    }
 }

core/src/main/java/hudson/model/Queue.java

@@ -1153,16 +1153,16 @@ public class Queue extends ResourceController implements Saveable {
          */
         @Exported
         public String getParams() {
-        	String s = "";
+        	StringBuilder s = new StringBuilder();
         	for(Action action : getActions()) {
         		if(action instanceof ParametersAction) {
         			ParametersAction pa = (ParametersAction)action;
         			for (ParameterValue p : pa.getParameters()) {
-        				s = s + "<br>" + p.toString();
+        				s.append('\n').append(p.getShortDescription());
         			}
         		}
         	}
-        	return s;
+        	return s.toString();
         }
         
         public boolean hasCancelPermission() {

core/src/main/java/hudson/model/RunParameterValue.java

@@ -27,13 +27,6 @@ import org.kohsuke.stapler.DataBoundConstructor;
 
 import java.util.Map;
 
-import com.thoughtworks.xstream.converters.Converter;
-import com.thoughtworks.xstream.converters.MarshallingContext;
-import com.thoughtworks.xstream.converters.UnmarshallingContext;
-import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
-import com.thoughtworks.xstream.io.HierarchicalStreamReader;
-import hudson.util.Secret;
-
 public class RunParameterValue extends ParameterValue {
 
     private final String runId;
@@ -66,7 +59,7 @@ public class RunParameterValue extends ParameterValue {
     }
     
     @Override
-    public String toString() {
+    public String getShortDescription() {
     	return "(RunParameterValue) " + getName() + "='" + getRunId() + "'";
     }
 

core/src/main/resources/lib/hudson/queue.jelly

@@ -57,7 +57,7 @@ THE SOFTWARE.
       <j:otherwise>
         <j:forEach var="item" items="${items}">
           <tr>
-            <td class="pane" width="100%" tooltip="${item.why}${item.params}" style="white-space: normal;">
+            <td class="pane" width="100%" tooltip="${item.why}${h.escape(item.params)}" style="white-space: normal;">
               <j:set var="stuck" value="${item.isStuck()}"/>
               <j:choose>
                 <j:when test="${h.hasPermission(item.task,item.task.READ)}">