[JENKINS-32428] Escape xml and json outputs in REST API (#120)
Rechi authored and oleg-nenashev committed Jun 20, 2017
1 parent 5066aee commit 32c7a4c
Showing 1 changed file with 10 additions and 2 deletions.
Expand Up @@ -117,7 +117,7 @@ private void writeXmlResponse(@Nonnull StaplerResponse response) throws IOExcept
ServletOutputStream outputStream = response.getOutputStream();
outputStream.write("<envVars>".getBytes());
for (Map.Entry<String, String> entry : envVars.entrySet()) {
outputStream.write(String.format("<envVar name=\"%s\" value=\"%s\"/>", entry.getKey(), entry.getValue()).getBytes());
outputStream.write(String.format("<envVar name=\"%s\" value=\"%s\"/>", escapeXml(entry.getKey()), escapeXml(entry.getValue())).getBytes());
}
outputStream.write("</envVars>".getBytes());
}
Expand All @@ -128,12 +128,20 @@ private void writeJsonResponse(@Nonnull StaplerResponse response) throws IOExcep
outputStream.write("{\"envVars\": { \"envVar\":[".getBytes());
StringBuilder sb = new StringBuilder();
for (Map.Entry<String, String> entry : envVars.entrySet()) {
sb.append(String.format(", {\"name\":\"%s\", \"value\":\"%s\"}", entry.getKey(), entry.getValue()));
sb.append(String.format(", {\"name\":\"%s\", \"value\":\"%s\"}", escapeJson(entry.getKey()), escapeJson(entry.getValue())));
}
sb.delete(0, 1);
outputStream.write(sb.toString().getBytes());
outputStream.write("]}}".getBytes());
}

private String escapeXml(String xml) {
return xml.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&apos;");
}

private String escapeJson(String json) {
return json.replace("\"", "\\\"").replace("\\", "\\\\");
}

//TODO: Throw errors in responses?
/**
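Review bot: In the second hunk, `escapeJson` replaces `"` before `\`, so the backslash it has just inserted is doubled by the second call and a quote in a name or value is emitted as `\\"`, which is an escaped backslash followed by a bare quote that still terminates the JSON string. Escape the backslash first: `return json.replace("\\", "\\\\").replace("\"", "\\\"");`. Control characters such as newlines are also passed through unescaped, which produces invalid JSON; a JSON writer from a library already available to the plugin would cover those as well. `escapeXml` has the order right (`&` first), though both helpers would throw a NullPointerException on a null key or value if the map can hold one.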