[FIXED SECURITY-192] - Require Jenkins.READ permissions to access CLI pages

[SECURITY-173] use XMLUtils safe transformation to create a job from xml

[SECURITY-177] Reflected XSS in AdjunctManager.doDynamic

Added a test case to cover bases

Conflicts:
	test/src/test/java/hudson/model/UserTest.java

[SECURITY-171] XSS in FormValidation._error(..., Throwable, ...)

[SECURITY-180] arbitrary API Token change/leak via changeToken

Add nosniff header liberally to every request we serve.

With the server-side download, the test needs to induce the update
center metadata retrieval in a separate manner.

Conflicts:
	pom.xml

[SECURITY-167] Plugin manager was also vulnerable to XXE attacks.

Although the plugiun manager was vulnerable getting information
out of Jenkins was harder - however it would still be possible to
do bad things such as reading from /dev/zero on Linux

Conflicts:
	test/src/test/java/hudson/tasks/ArtifactArchiverTest.java

[SECURITY-162] Forbid symlink attacks from artifact archiving

Conflicts:
	core/src/main/java/hudson/model/Api.java

[SECURITY-165] blacklist the document xpath function for use in Api

Review comments fixed:
 Added license header
 Reformat the issue comment
 Restricted NoExternalUse
 toLowerCase in English locale
 lesser resolution of declared exception from the test

Conflicts:
	test/src/test/java/hudson/tasks/BuildTriggerTest.java

@RandomlyFails