Escape values when rendering to the page.

tcplugins · Apr 27, 2019 · 2675215 · 2675215
1 parent 470b215
commit 2675215
Show file tree

Hide file tree

Showing 13 changed files with 83 additions and 74 deletions.
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/adminTab.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/adminTab.jsp
@@ -42,9 +42,9 @@
 	        <c:forEach items="${history}" var="historyItem">
 	        		<tr>
 					<td>${historyItem.webHookExecutionStats.initTimeStamp}</td>
-					<td>${historyItem.webHookExecutionStats.url}</td>
+					<td><c:out value="${historyItem.webHookExecutionStats.url}"/></td>
 					<td><c:out value="${historyItem.webHookExecutionStats.buildState.shortDescription}">undefined</c:out></td>
-					<td title="x-tcwebhooks-request-id: ${historyItem.webHookExecutionStats.trackingId}">${historyItem.webHookExecutionStats.statusCode} :: ${historyItem.webHookExecutionStats.statusReason}</td>
+					<td title="x-tcwebhooks-request-id: ${historyItem.webHookExecutionStats.trackingId}">${historyItem.webHookExecutionStats.statusCode} :: <c:out value="${historyItem.webHookExecutionStats.statusReason}"/></td>
 	   				</tr>
 
 	        </c:forEach>

diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/endpointRequests.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/endpointRequests.jsp
@@ -33,10 +33,10 @@
         BS.Navigation.items = [
 		  {title: "Projects", url: '<c:url value="/overview.html"/>'},
 		  <c:if test="${haveProject}"> 
-		  	{title: "${projectName}", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
+		  	{title: "<c:out value="${projectName}"/>", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
 		  </c:if>
 		  <c:if test="${haveBuild}"> 
-		  	{title: "${buildName}", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
+		  	{title: "<c:out value="${buildName}"/>", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
 		  </c:if>
           {title: "${title}", selected:true}
         ];
@@ -68,7 +68,7 @@
 			  		<table>
 			  		<tr><th colspan="2">HTTP Headers sent with this request</th><tr>
 			  		<c:forEach items="${item.headers}" var="headerThing">
-			  			<tr><td>${headerThing.key}:</td><td>${headerThing.value}</td></tr>
+			  			<tr><td><c:out value="${headerThing.key}"/>:</td><td><c:out value="${headerThing.value}"/></td></tr>
 			  		</c:forEach>
 			  		</table>
 			  	</div>

diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/index.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/index.jsp
@@ -32,10 +32,10 @@
         BS.Navigation.items = [
 		  {title: "Projects", url: '<c:url value="/overview.html"/>'},
 		  <c:if test="${haveProject}"> 
-		  	{title: "${projectName}", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
+		  	{title: "<c:out value="${projectName}"/>", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
 		  </c:if>
 		  <c:if test="${haveBuild}"> 
-		  	{title: "${buildName}", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
+		  	{title: "<c:out value="${buildName}"/>", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
 		  </c:if>
           {title: "${title}", selected:true}
         ];
@@ -51,7 +51,6 @@
     </c:if>
 	<script type=text/javascript src="..${jspHome}WebHook/js/jquery.easytabs.min.js"></script>
 	<script type=text/javascript src="..${jspHome}WebHook/js/jquery.color.js"></script>
-	<script type=text/javascript src="..${jspHome}WebHook//js/moment-2.22.2.min.js"></script>
     <script type=text/javascript>
 		var jQueryWebhook = jQuery.noConflict();
 		var webhookDialogWidth = -1;
@@ -631,11 +630,11 @@
 
         <c:choose>  
     		<c:when test="${haveBuild}"> 
-			    <h2 class="noBorder">WebHooks applicable to build ${buildName}</h2>
-			    To edit all webhooks for builds in the project <a href="index.html?projectId=${projectExternalId}">edit Project webhooks</a>.
+			    <h2 class="noBorder">WebHooks applicable to build <c:out value="${buildName}"/></h2>
+			    To edit all webhooks for builds in the project <a href="index.html?projectId=<c:out value="${projectExternalId}"/>">edit Project webhooks</a>.
          	</c:when>  
          	<c:otherwise>  
-			    <h2 class="noBorder">WebHooks configured for project ${projectName}</h2>
+			    <h2 class="noBorder">WebHooks configured for project <c:out value="${projectName}"/></h2>
          	</c:otherwise>  
 		</c:choose>  
 
@@ -710,10 +709,10 @@
 	        $('systemParams').updateContainer = function() {
         <c:choose>  
     		<c:when test="${haveBuild}"> 
-	          	jQueryWebhook.get("settingsList.html?buildTypeId=${buildExternalId}", function(data) {
+	          	jQueryWebhook.get("settingsList.html?buildTypeId=<c:out value="${buildExternalId}"/>", function(data) {
          	</c:when>  
          	<c:otherwise>  
-	          	jQueryWebhook.get("settingsList.html?projectId=${projectId}", function(data) {
+	          	jQueryWebhook.get("settingsList.html?projectId=<c:out value="${projectId}"/>", function(data) {
          	</c:otherwise>  
 		</c:choose>  	        
 	          		ProjectBuilds = data;

diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhook.js b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhook.js
@@ -290,11 +290,11 @@ WebHooksPlugin = {
 							var ul = $j('<ul>');
 
 							if (response.error) {
-								ul.append($j('<li/>').html("Error: " + response.error.message + " (" + response.error.errorCode + ")"));
+								ul.append($j('<li/>').html("Error: " + htmlEscape(response.error.message) + " (" + response.error.errorCode + ")"));
 							} else {
-								ul.append($j('<li/>').html("Success: " + response.statusReason + " (" + response.statusCode + ")"));
+								ul.append($j('<li/>').html("Success: " + htmlEscape(response.statusReason) + " (" + response.statusCode + ")"));
 							}
-							ul.append($j('<li/>').html("URL: " + response.url));
+							ul.append($j('<li/>').html("URL: " + htmlEscape(response.url)));
 							ul.append($j('<li/>').html("Duration: " + response.executionTime + " @ " + moment(response.dateTime, moment.ISO_8601).format("dddd, MMMM Do YYYY, h:mm:ss a")));
 
 							$j("#webhookDialogAjaxResult").empty().append(ul.html());
@@ -342,7 +342,7 @@ function populateBuildHistoryAjax(locator) {
 				myselect.append( $j('<option></option>').val(null).html("Choose a Build...") );
 				$j(response.build).each(function(index, build) {
 					//console.log(build);
-					var desc = build.buildType.name 
+					var desc = htmlEscape(build.buildType.name) 
 							  + "#" + build.number 
 							  + " - " + build.status + " ("
 							  + moment(build.finishDate, moment.ISO_8601).fromNow()
@@ -537,10 +537,12 @@ function populateWebHookDialog(id){
 
 			$j('#buildTypeSubProjects').prop('checked', webhook.subProjectsEnabled);
 			$j.each(webhook.builds, function(){
+				var thing = $j(this.buildTypeName).text();
+				console.log(thing);
 				 if (this.enabled){
-			 	 	$j('#buildList').append('<p style="border-bottom:solid 1px #cccccc; margin:0; padding:0.5em;"><label><input checked onclick="updateSelectedBuildTypes();" type=checkbox style="padding-right: 1em;" name="buildTypeId" value="' + this.buildTypeId + '"class="buildType_single">' + this.buildTypeName + '</label></p>');
+			 	 	$j('#buildList').append('<p style="border-bottom:solid 1px #cccccc; margin:0; padding:0.5em;"><label><input checked onclick="updateSelectedBuildTypes();" type=checkbox style="padding-right: 1em;" name="buildTypeId" value="' + this.buildTypeId + '"class="buildType_single">' + htmlEscape(this.buildTypeName) + '</label></p>');
 				 } else {
-				 	 $j('#buildList').append('<p style="border-bottom:solid 1px #cccccc; margin:0; padding:0.5em;"><label><input onclick="updateSelectedBuildTypes();" type=checkbox style="padding-right: 1em;" name="buildTypeId" value="' + this.buildTypeId + '"class="buildType_single">' + this.buildTypeName + '</label></p>');
+				 	 $j('#buildList').append('<p style="border-bottom:solid 1px #cccccc; margin:0; padding:0.5em;"><label><input onclick="updateSelectedBuildTypes();" type=checkbox style="padding-right: 1em;" name="buildTypeId" value="' + this.buildTypeId + '"class="buildType_single">' + htmlEscape(this.buildTypeName) + '</label></p>');
 				 }
 			});
 
@@ -549,7 +551,7 @@ function populateWebHookDialog(id){
 				populateWebHookAuthExtrasPaneFromChange(webhook);
 			});
 			if ($j('#payloadFormatHolder').val()) {
-				$j('#currentTemplateName').html(lookupTemplateName($j('#payloadFormatHolder').val()));
+				$j('#currentTemplateName').html(htmlEscape(lookupTemplateName($j('#payloadFormatHolder').val())));
 			} else {
 				$j('#currentTemplateName').html("&nbsp;");
 			}
@@ -652,9 +654,9 @@ function addWebHooksFromJsonCallback(){
 
 			$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemUrl").html(htmlEscape(webhook.url)).click(function(){WebHooksPlugin.showEditDialog(webhook.uniqueKey, '#hookPane');});
 			if (webhook.payloadTemplate === 'none') {
-				$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemFormat").html(webhook.payloadFormatForWeb);
+				$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemFormat").html(htmlEscape(webhook.payloadFormatForWeb));
 			} else {
-				$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemFormat").html("<a href='template.html?template=" + webhook.payloadTemplate +"'>" + webhook.payloadFormatForWeb + "</a>");
+				$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemFormat").html("<a href='template.html?template=" + webhook.payloadTemplate +"'>" + htmlEscape(webhook.payloadFormatForWeb) + "</a>");
 			}
 			$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemEvents").html(webhook.enabledEventsListForWeb).click(function(){WebHooksPlugin.showEditDialog(webhook.uniqueKey,'#hookPane');});
 			$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemBuilds").html(webhook.enabledBuildsListForWeb).click(function(){WebHooksPlugin.showEditDialog(webhook.uniqueKey, '#buildPane');});

diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhookTemplate.js b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhookTemplate.js
@@ -312,7 +312,7 @@ WebHooksPlugin = {
 			});
 		}, 
 		handleGetSuccess: function (action) {
-			$j("#templateHeading").html(myJson.parentTemplate.description);
+			$j("#templateHeading").html(htmlEscape(myJson.parentTemplate.description));
 			// If we have the pluralised name, pass the reference to a singular form.
 			// This works around Jackson 2.x using singular names, and Jackson 1.x using plural.
 			if (typeof myJson.parentTemplate.templateItems !== 'undefined' 
@@ -379,7 +379,7 @@ WebHooksPlugin = {
 			});
 		}, 
 		handlePutSuccess: function () {
-			$j("#templateHeading").html(myJson.parentTemplateDescription);
+			$j("#templateHeading").html(htmlEscape(myJson.parentTemplateDescription));
 			this.updateCheckboxes();
 			this.updateEditor();
 		},
@@ -479,7 +479,7 @@ WebHooksPlugin = {
 						if (project.id === '_Root') { 
 							myselect.append( $j('<option></option>').val(project.id).html(project.id) );
 						} else {
-							myselect.append( $j('<option></option>').val(project.id).html(project.name) );
+							myselect.append( $j('<option></option>').val(project.id).html(htmlEscape(project.name)) );
 						}
 					});
 					$j("#previewTemplateItemDialogProjectSelect").empty().append(myselect.html()).off().change(
@@ -520,7 +520,7 @@ WebHooksPlugin = {
     				myselect.append( $j('<option></option>').val(null).html("Choose a Build...") );
     				$j(response.build).each(function(index, build) {
     					//console.log(build);
-    					var desc = build.buildType.name 
+    					var desc = htmlEscape(build.buildType.name) 
     							  + "#" + build.number 
     							  + " - " + build.status + " ("
     							  + moment(build.finishDate, moment.ISO_8601).fromNow()
@@ -602,7 +602,7 @@ WebHooksPlugin = {
 	    							  + webhook.format + " :: " + webhook.template
 	    							  + ")";
 
-							myselect.append( $j('<option></option>').val(webhook.id).html(desc) );
+							myselect.append( $j('<option></option>').val(webhook.id).html(htmlEscape(desc)) );
 	    				});
 	    				$j("#previewTemplateItemDialogWebHookSelect").empty().append(myselect.html()).off().change(
 								function() {
@@ -726,11 +726,11 @@ WebHooksPlugin = {
 					var ul = $j('<ul>');
 
 					if (response.error) {
-						ul.append($j('<li/>').html("Error: " + response.error.message + " (" + response.error.errorCode + ")"));
+						ul.append($j('<li/>').html("Error: " + htmlEscape(response.error.message) + " (" + response.error.errorCode + ")"));
 					} else {
-						ul.append($j('<li/>').html("Success: " + response.statusReason + " (" + response.statusCode + ")"));
+						ul.append($j('<li/>').html("Success: " + htmlEscape(response.statusReason) + " (" + response.statusCode + ")"));
 					}
-					ul.append($j('<li/>').html("URL: " + response.url));
+					ul.append($j('<li/>').html("URL: " + htmlEscape(response.url)));
 					ul.append($j('<li/>').html("Duration: " + response.executionTime + " @ " + moment(response.dateTime, moment.ISO_8601).format("dddd, MMMM Do YYYY, h:mm:ss a")));
 
 					$j("#previewTempleteItemDialogAjaxResult").empty().append(ul.html());
@@ -1084,3 +1084,12 @@ WebHooksPlugin = {
     	}
     }))
 };
+
+function htmlEscape(str) {
+	return String(str)
+    .replace(/&/g, '&amp;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+}
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEdit.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEdit.jsp
@@ -116,22 +116,22 @@
           <th style="width:10%;" title="Determines Template ordering in the WebHook UI (smallest number first)">Rank:</th><td style="width:10%; border:none;">${webhookTemplateBean.rank}</td>
           <c:choose>
 		  	<c:when test="${not empty webhookTemplateBean.dateFormat}">
-          	<th style="width:15%;" title="Used used as the default date format when now,currentTime,buildStartTime,buildFinishTime, is used in a template. Use a SimpleDateFormat compatible string.">Date Format:</th><td style="border:none;">${webhookTemplateBean.dateFormat}</td>
+          	<th style="width:15%;" title="Used as the default date format when now,currentTime,buildStartTime,buildFinishTime, is used in a template. Use a SimpleDateFormat compatible string.">Date Format:</th><td style="border:none;"><c:out value="${webhookTemplateBean.dateFormat}"/></td>
           	</c:when>
           	<c:otherwise>
           	<th style="width:15%;">Date Format:</th><td style="border:none;"><i>none</i></td>
           	</c:otherwise>
           </c:choose>
         </tr>
         <tr>
-          <th style="width:15%;" title="Shown in the WebHook UI when choosing a Payload">Template Description:</th><td style="width:35%;">${webhookTemplateBean.templateDescription}</td>
+          <th style="width:15%;" title="Shown in the WebHook UI when choosing a Payload">Template Description:</th><td style="width:35%;"><c:out value="${webhookTemplateBean.templateDescription}"/></td>
           <th style="width:15%;">Payload Format:</th><td style="width:35%;" colspan=3>${webhookTemplateBean.payloadFormat}</td>
         </tr>
         <tr>
           <th style="width:15%;" title="Used in the UI to show extra information about a Template">Tooltip Text:</th>
           <c:choose>
 		  	<c:when test="${not empty webhookTemplateBean.toolTipText}">
-	          <td style="width:85%;" colspan="5">${webhookTemplateBean.toolTipText}</td>
+	          <td style="width:85%;" colspan="5"><c:out value="${webhookTemplateBean.toolTipText}"/></td>
           	</c:when>
           	<c:otherwise>
 	          <td style="width:85%;" colspan="5"><i>none</i></td>