[JENKINS-9426] get rid of the unwanted escape for XSS.

jenkinsci · Apr 18, 2011 · a903b3a · a903b3a
1 parent bd81819
commit a903b3a
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 11 deletions.
diff --git a/core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly b/core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
@@ -21,7 +21,8 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
     <!-- upstreamUrl added in 1.284, so handle missing value -->
-    <span>${it.upstreamUrl!=null ? "%started_by_project(it.upstreamProject,it.upstreamBuild.toString(),it.upstreamUrl,rootURL)" : it.shortDescription}</span>
+    <span><j:out value='${it.upstreamUrl!=null ? "%started_by_project(it.upstreamProject,it.upstreamBuild.toString(),it.upstreamUrl,rootURL)" : it.shortDescription}' /></span>
 </j:jelly>
diff --git a/core/src/main/resources/hudson/model/Cause/UserCause/description.jelly b/core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
@@ -21,6 +21,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-    <span>${%started_by_user(it.userName,rootURL)}</span>
+    <span><j:out value="${%started_by_user(it.userName,rootURL)}" /></span>
 </j:jelly>
diff --git a/core/src/main/resources/hudson/model/Hudson/_cli.jelly b/core/src/main/resources/hudson/model/Hudson/_cli.jelly
@@ -21,7 +21,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
-
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
   <l:layout norefresh="true">
     <st:include page="sidepanel.jelly" />
@@ -31,7 +31,7 @@ THE SOFTWARE.
         ${%Jenkins CLI}
       </h1>
       <p>
-        ${%blurb(rootURL)}
+        <j:out value="${%blurb(rootURL)}" />
       </p>
       <pre style="color: white; background-color:black; padding:1em; font-weight: bold">java -jar <a
               style="color: white"

diff --git a/core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly b/core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
@@ -25,6 +25,7 @@ THE SOFTWARE.
 <!--
   New View page
 -->
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <l:layout norefresh="true" title="${%Check File Fingerprint}">
     <st:include page="sidepanel.jelly" />
@@ -36,7 +37,7 @@ THE SOFTWARE.
       <f:form method="post" action="doFingerprintCheck" enctype="multipart/form-data">
         <f:block>
           <div style="margin-bottom: 1em;">
-          ${%description} (<a href="${%fingerprint.link}">${%more details}</a>)
+          <j:out value="${%description}"/> (<a href="${%fingerprint.link}">${%more details}</a>)
           </div>
         </f:block>
         <f:entry title="${%File to check}">

diff --git a/core/src/main/resources/hudson/model/LoadStatistics/main.jelly b/core/src/main/resources/hudson/model/LoadStatistics/main.jelly
@@ -23,6 +23,7 @@ THE SOFTWARE.
 -->
 
 <!-- renders an HTML fragment that shows trend graph -->
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
   <h1>
     <img src="${imagesURL}/48x48/monitor.gif" alt="" height="48" width="48"/>
@@ -60,6 +61,6 @@ THE SOFTWARE.
   </div>  
   <img src="${prefix?:'loadStatistics'}/graph?type=${type}&amp;width=500&amp;height=300" alt="[${%Load statistics graph}]" />
   <div style="margin-top: 2em;">
-    ${%blurb}
+    <j:core value="${%blurb}" />
   </div>
 </j:jelly>
diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
@@ -21,13 +21,13 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
-
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <l:layout permission="${app.ADMINISTER}" title="${%Users}">
     <st:include page="sidepanel.jelly" />
     <l:main-panel>
       <h1>${%Users}</h1>
-      <p>${%blurb}</p>
+      <p><j:out value="${%blurb}" /></p>
 
       <table class="sortable pane bigtable" id="people">
         <tr>

diff --git a/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly b/core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
@@ -21,7 +21,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
-
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <l:layout norefresh="true">
     <l:hasPermission permission="${app.READ}" it="${app}">
@@ -30,7 +30,7 @@ THE SOFTWARE.
     <l:main-panel>
       <h1>${%Success}</h1>
       <div>
-        ${%description}
+        <j:out value="${%description}" />
       </div>
     </l:main-panel>
   </l:layout>

diff --git a/core/src/main/resources/lib/hudson/scriptConsole.jelly b/core/src/main/resources/lib/hudson/scriptConsole.jelly
@@ -25,6 +25,7 @@ THE SOFTWARE.
 <!--
   Called from doScript() to display the execution result and the form.
 -->
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <l:layout norefresh="true">
     <st:include page="sidepanel.jelly" />
@@ -33,7 +34,7 @@ THE SOFTWARE.
       <h1>${%Script Console}</h1>
 
       <p>
-        ${%description}
+        <j:out value="${%description}" />
       </p>
       <!-- this is where the example goes -->
       <d:invokeBody />