[JENKINS-36521] Print raw (not HTML escaped) commit messages

Commit decorators add clicable <a> links to issue IDs on build summary page, but the security mechanism preventing XSS in .jelly, escapes the HTML tags for .jelly files with: <?jelly escape-by-default='true'?> After the change, annotated commit messages are printed raw, without HTML escaping. Used method will be consistent with change in hudson/scm/SCM/project-changes.jelly introduced in jenkinsci/jenkins@41ab84f Additional details: https://wiki.jenkins-ci.org/display/JENKINS/Jelly+and+XSS+prevention https://issues.jenkins-ci.org/browse/JENKINS-5135
jenkinsci · Nov 5, 2016 · 4fe42be · 4fe42be
1 parent de82ef7
commit 4fe42be
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/main/resources/hudson/scm/SubversionChangeLogSet/digest.jelly b/src/main/resources/hudson/scm/SubversionChangeLogSet/digest.jelly
@@ -60,7 +60,7 @@ THE SOFTWARE.
       <ol>
         <j:forEach var="cs" items="${it.logs}" varStatus="loop">
           <li>
-            ${cs.msgAnnotated}
+            <j:out value="${cs.msgAnnotated}"/>
             (<a href="${changesBaseUrl}changes#detail${loop.index}">${%detail}</a>
 
             <j:set var="cslink" value="${browser.getChangeSetLink(cs)}"/>

diff --git a/src/main/resources/hudson/scm/SubversionChangeLogSet/index.jelly b/src/main/resources/hudson/scm/SubversionChangeLogSet/index.jelly
@@ -44,7 +44,7 @@ THE SOFTWARE.
               <a href="${browser.getChangeSetLink(cs)}">${cs.revision}</a>
               by <a href="${rootURL}/${cs.author.url}/">${cs.author}</a>:
             </b><br/>
-            ${cs.msgAnnotated}
+            <j:out value="${cs.msgAnnotated}"/>
           </div>
         </td>
       </tr>