For instance, use PegDown Formatter and enable SUPPRESS_ALL_HTML.

Unlike [JENKINS-14514] this is a true fix rather than a workaround (now removed), and is more general.
cjo9900 discovered that behaviors were being redundantly registered (as of 1.474 the monolithic JS is broken up);
this caused some behaviors to be run repeatedly on the same elements, breaking reasonable expectations of some behaviors.
The ideal fix would be to change Behavior.register to be idempotent: for example, key it by selector, then maintain a set of distinct behavior functions for each.
Unfortunately some adjuncts directly call Behavior.list.unshift, bypassing register(...), which would be tricky to intercept (would need to make a mock of Array).
The known one cases are in core, but it is possible plugin adjuncts do this too, in which case it would be incompatible to (say) change the Array<Map<String,Behavior>> to a Map<String,Array<Behavior>>.
Instead, permitting redundant registrations as before, and just silently skipping all but the first at runtime when applying behaviors.
Beware that since adjuncts are loaded from multiple places, different JS function objects are registered each time, so a naive set of behavior functions does not work;
have to identify functions by their toString in order to ensure that each is run only once.
(Currently once _per selector_, conceivably >1x per element; could if necessary be refined to make sure a given behavior is only run once on a given element during one call to applySubtree even if the element matches multiple selectors.)

[FIXED JENKINS-13916] Text parameters are now defined and shown in a textarea instead of a one line textbox.

Seems to be due to hetero-list.jelly importing repeatableDeleteButton.jelly but nothing on the page loads repeatable.js.
(Presumably worked for /configure just by accident because someone else included repeatable.jelly on the same page.)

Not yet clear to me exactly what went wrong, but debugging shows that the init(...) function
is called twice: once with legitimate arguments, then again with a bogus 'master' argument.
Seems to suffice to ignore redundant initializations of the same element.

This prevents the section title from getting hidden by the breadcrumb
bar.

One of the problems with the current way Jenkins puts JavaScripts is that most everything is in a single file. It doesn't highlight the relationship between those fragments and their corresponding tag files.

So I'm experimenting with moving out these fragments into individual JavaScript files co-located with the tag file. They then get loaded into the page via <st:adjunct>. Each script is served with unique URL such that the browser will not even have to try conditional GET when loading different pages, so this should prevent the performance problem caused by the fact that there are now lots of <script> tags in the page.

 If for some reason even this turns out to be a problem, we can always add additional build steps to concatenate them all.

This makes it consistent with other buttons like repeatable-add-button, and use of '-' prevents name collisions with form names, and make all of those UI controls addressible in the same namespace

Adding a test and fixed a broken databinding (because of SCM vs Scm)

... not from user's point of view, but more from implementation point of
view (and this can be used to push SCM retry counts out of the core.)

To avoid cluttering the UI unnecessarily, adding isApplicable() to
SCMCheckoutStrategyDescriptor so that it can nominate itself only for
matrix projects.

It uses Diffie Hellman to come up with one-time session key, then have
the server sign this session key to allow the client to verify that
there's no man in the middle.

The previous implementation was always appending the per-configuration unique suffix, making it impossible for different configuration builds to share workspaces. In this fix, we introduce a secondary field to control the workspace of sub-builds (which can be either absolute or relative to the matrix head workspace.)

With a textarea the likelyhood of the value exceeding the maximum safe length for a GET request (which IE8/9 pegs to somewhere between 2k and 5k depending on the context) is too great as to not provide for the checkMethod to be specified in order to allow for POST requests to be used in place of GET requests for form validation

If a resource with 'Set-Cookie' header is cached (either by intermediary
like HTTP proxy and reverse proxy, or by the browser), it'll cause
identity swap / session mix-up as discussed in this ticket.

I suspect this was caused by HttpSessionContextIntegrationFilter2, which
is the only code path that attempts to create a session when a request
to a static resource is made.

So I'm disabling the creation of session in
HttpSessionContextIntegrationFilter2. This in turn requires that we
have sessions already created when the authentication was successful and
people need to login (or else the login will have no effect.)

We already do so in layout.jelly, so any request that renders a Jenkins
page would have a session, but I've also added it in
AuthenticationProcessingFilter2, which ensures that a successful login
does have a session.