From 2675215f3e641e90e3fc1f7a284397b62f86f4c3 Mon Sep 17 00:00:00 2001
From: Net Wolf UK <netwolfuk@gmail.com>
Date: Sun, 28 Apr 2019 10:14:45 +1200
Subject: [PATCH] Escape values when rendering to the page.

---
 .../buildServerResources/WebHook/adminTab.jsp |  4 +--
 .../WebHook/endpointRequests.jsp              |  6 ++---
 .../buildServerResources/WebHook/index.jsp    | 15 ++++++-----
 .../WebHook/js/editWebhook.js                 | 20 ++++++++-------
 .../WebHook/js/editWebhookTemplate.js         | 25 +++++++++++++------
 .../WebHook/templateEdit.jsp                  |  6 ++---
 .../templateEditListBuildEventTemplates.jsp   | 12 ++++-----
 .../WebHook/viewHistory.jsp                   | 14 +++++------
 .../WebHook/webHookInclude.jsp                |  5 ++--
 .../WebHook/webHookProjectSettingsTab.jsp     |  4 +--
 .../WebHook/webHookTab.jsp                    | 10 ++++----
 .../WebHook/webHookTabWithHistory.jsp         | 22 ++++++++--------
 .../WebHook/webhookEdit.jsp                   | 14 +++++------
 13 files changed, 83 insertions(+), 74 deletions(-)

diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/adminTab.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/adminTab.jsp
index 7763fdc8..5afbff0d 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/adminTab.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/adminTab.jsp
@@ -42,9 +42,9 @@
 	        <c:forEach items="${history}" var="historyItem">
 	        		<tr>
 					<td>${historyItem.webHookExecutionStats.initTimeStamp}</td>
-					<td>${historyItem.webHookExecutionStats.url}</td>
+					<td><c:out value="${historyItem.webHookExecutionStats.url}"/></td>
 					<td><c:out value="${historyItem.webHookExecutionStats.buildState.shortDescription}">undefined</c:out></td>
-					<td title="x-tcwebhooks-request-id: ${historyItem.webHookExecutionStats.trackingId}">${historyItem.webHookExecutionStats.statusCode} :: ${historyItem.webHookExecutionStats.statusReason}</td>
+					<td title="x-tcwebhooks-request-id: ${historyItem.webHookExecutionStats.trackingId}">${historyItem.webHookExecutionStats.statusCode} :: <c:out value="${historyItem.webHookExecutionStats.statusReason}"/></td>
 	   				</tr>
 	        	
 	        </c:forEach>
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/endpointRequests.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/endpointRequests.jsp
index af227497..d99cbdf0 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/endpointRequests.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/endpointRequests.jsp
@@ -33,10 +33,10 @@
         BS.Navigation.items = [
 		  {title: "Projects", url: '<c:url value="/overview.html"/>'},
 		  <c:if test="${haveProject}"> 
-		  	{title: "${projectName}", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
+		  	{title: "<c:out value="${projectName}"/>", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
 		  </c:if>
 		  <c:if test="${haveBuild}"> 
-		  	{title: "${buildName}", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
+		  	{title: "<c:out value="${buildName}"/>", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
 		  </c:if>
           {title: "${title}", selected:true}
         ];
@@ -68,7 +68,7 @@
 			  		<table>
 			  		<tr><th colspan="2">HTTP Headers sent with this request</th><tr>
 			  		<c:forEach items="${item.headers}" var="headerThing">
-			  			<tr><td>${headerThing.key}:</td><td>${headerThing.value}</td></tr>
+			  			<tr><td><c:out value="${headerThing.key}"/>:</td><td><c:out value="${headerThing.value}"/></td></tr>
 			  		</c:forEach>
 			  		</table>
 			  	</div>
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/index.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/index.jsp
index 3faf37e5..fc367f09 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/index.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/index.jsp
@@ -32,10 +32,10 @@
         BS.Navigation.items = [
 		  {title: "Projects", url: '<c:url value="/overview.html"/>'},
 		  <c:if test="${haveProject}"> 
-		  	{title: "${projectName}", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
+		  	{title: "<c:out value="${projectName}"/>", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
 		  </c:if>
 		  <c:if test="${haveBuild}"> 
-		  	{title: "${buildName}", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
+		  	{title: "<c:out value="${buildName}"/>", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
 		  </c:if>
           {title: "${title}", selected:true}
         ];
@@ -51,7 +51,6 @@
     </c:if>
 	<script type=text/javascript src="..${jspHome}WebHook/js/jquery.easytabs.min.js"></script>
 	<script type=text/javascript src="..${jspHome}WebHook/js/jquery.color.js"></script>
-	<script type=text/javascript src="..${jspHome}WebHook//js/moment-2.22.2.min.js"></script>
     <script type=text/javascript>
 		var jQueryWebhook = jQuery.noConflict();
 		var webhookDialogWidth = -1;
@@ -631,11 +630,11 @@
     
         <c:choose>  
     		<c:when test="${haveBuild}"> 
-			    <h2 class="noBorder">WebHooks applicable to build ${buildName}</h2>
-			    To edit all webhooks for builds in the project <a href="index.html?projectId=${projectExternalId}">edit Project webhooks</a>.
+			    <h2 class="noBorder">WebHooks applicable to build <c:out value="${buildName}"/></h2>
+			    To edit all webhooks for builds in the project <a href="index.html?projectId=<c:out value="${projectExternalId}"/>">edit Project webhooks</a>.
          	</c:when>  
          	<c:otherwise>  
-			    <h2 class="noBorder">WebHooks configured for project ${projectName}</h2>
+			    <h2 class="noBorder">WebHooks configured for project <c:out value="${projectName}"/></h2>
          	</c:otherwise>  
 		</c:choose>  
 
@@ -710,10 +709,10 @@
 	        $('systemParams').updateContainer = function() {
         <c:choose>  
     		<c:when test="${haveBuild}"> 
-	          	jQueryWebhook.get("settingsList.html?buildTypeId=${buildExternalId}", function(data) {
+	          	jQueryWebhook.get("settingsList.html?buildTypeId=<c:out value="${buildExternalId}"/>", function(data) {
          	</c:when>  
          	<c:otherwise>  
-	          	jQueryWebhook.get("settingsList.html?projectId=${projectId}", function(data) {
+	          	jQueryWebhook.get("settingsList.html?projectId=<c:out value="${projectId}"/>", function(data) {
          	</c:otherwise>  
 		</c:choose>  	        
 	          		ProjectBuilds = data;
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhook.js b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhook.js
index 85fbf211..e966478e 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhook.js
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhook.js
@@ -290,11 +290,11 @@ WebHooksPlugin = {
 							var ul = $j('<ul>');
 							
 							if (response.error) {
-								ul.append($j('<li/>').html("Error: " + response.error.message + " (" + response.error.errorCode + ")"));
+								ul.append($j('<li/>').html("Error: " + htmlEscape(response.error.message) + " (" + response.error.errorCode + ")"));
 							} else {
-								ul.append($j('<li/>').html("Success: " + response.statusReason + " (" + response.statusCode + ")"));
+								ul.append($j('<li/>').html("Success: " + htmlEscape(response.statusReason) + " (" + response.statusCode + ")"));
 							}
-							ul.append($j('<li/>').html("URL: " + response.url));
+							ul.append($j('<li/>').html("URL: " + htmlEscape(response.url)));
 							ul.append($j('<li/>').html("Duration: " + response.executionTime + " @ " + moment(response.dateTime, moment.ISO_8601).format("dddd, MMMM Do YYYY, h:mm:ss a")));
 							
 							$j("#webhookDialogAjaxResult").empty().append(ul.html());
@@ -342,7 +342,7 @@ function populateBuildHistoryAjax(locator) {
 				myselect.append( $j('<option></option>').val(null).html("Choose a Build...") );
 				$j(response.build).each(function(index, build) {
 					//console.log(build);
-					var desc = build.buildType.name 
+					var desc = htmlEscape(build.buildType.name) 
 							  + "#" + build.number 
 							  + " - " + build.status + " ("
 							  + moment(build.finishDate, moment.ISO_8601).fromNow()
@@ -537,10 +537,12 @@ function populateWebHookDialog(id){
 			
 			$j('#buildTypeSubProjects').prop('checked', webhook.subProjectsEnabled);
 			$j.each(webhook.builds, function(){
+				var thing = $j(this.buildTypeName).text();
+				console.log(thing);
 				 if (this.enabled){
-			 	 	$j('#buildList').append('<p style="border-bottom:solid 1px #cccccc; margin:0; padding:0.5em;"><label><input checked onclick="updateSelectedBuildTypes();" type=checkbox style="padding-right: 1em;" name="buildTypeId" value="' + this.buildTypeId + '"class="buildType_single">' + this.buildTypeName + '</label></p>');
+			 	 	$j('#buildList').append('<p style="border-bottom:solid 1px #cccccc; margin:0; padding:0.5em;"><label><input checked onclick="updateSelectedBuildTypes();" type=checkbox style="padding-right: 1em;" name="buildTypeId" value="' + this.buildTypeId + '"class="buildType_single">' + htmlEscape(this.buildTypeName) + '</label></p>');
 				 } else {
-				 	 $j('#buildList').append('<p style="border-bottom:solid 1px #cccccc; margin:0; padding:0.5em;"><label><input onclick="updateSelectedBuildTypes();" type=checkbox style="padding-right: 1em;" name="buildTypeId" value="' + this.buildTypeId + '"class="buildType_single">' + this.buildTypeName + '</label></p>');
+				 	 $j('#buildList').append('<p style="border-bottom:solid 1px #cccccc; margin:0; padding:0.5em;"><label><input onclick="updateSelectedBuildTypes();" type=checkbox style="padding-right: 1em;" name="buildTypeId" value="' + this.buildTypeId + '"class="buildType_single">' + htmlEscape(this.buildTypeName) + '</label></p>');
 				 }
 			});
 			
@@ -549,7 +551,7 @@ function populateWebHookDialog(id){
 				populateWebHookAuthExtrasPaneFromChange(webhook);
 			});
 			if ($j('#payloadFormatHolder').val()) {
-				$j('#currentTemplateName').html(lookupTemplateName($j('#payloadFormatHolder').val()));
+				$j('#currentTemplateName').html(htmlEscape(lookupTemplateName($j('#payloadFormatHolder').val())));
 			} else {
 				$j('#currentTemplateName').html("&nbsp;");
 			}
@@ -652,9 +654,9 @@ function addWebHooksFromJsonCallback(){
 			
 			$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemUrl").html(htmlEscape(webhook.url)).click(function(){WebHooksPlugin.showEditDialog(webhook.uniqueKey, '#hookPane');});
 			if (webhook.payloadTemplate === 'none') {
-				$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemFormat").html(webhook.payloadFormatForWeb);
+				$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemFormat").html(htmlEscape(webhook.payloadFormatForWeb));
 			} else {
-				$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemFormat").html("<a href='template.html?template=" + webhook.payloadTemplate +"'>" + webhook.payloadFormatForWeb + "</a>");
+				$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemFormat").html("<a href='template.html?template=" + webhook.payloadTemplate +"'>" + htmlEscape(webhook.payloadFormatForWeb) + "</a>");
 			}
 			$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemEvents").html(webhook.enabledEventsListForWeb).click(function(){WebHooksPlugin.showEditDialog(webhook.uniqueKey,'#hookPane');});
 			$j("#viewRow_" + webhook.uniqueKey + " > td.webHookRowItemBuilds").html(webhook.enabledBuildsListForWeb).click(function(){WebHooksPlugin.showEditDialog(webhook.uniqueKey, '#buildPane');});
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhookTemplate.js b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhookTemplate.js
index a5082336..e332b69f 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhookTemplate.js
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/js/editWebhookTemplate.js
@@ -312,7 +312,7 @@ WebHooksPlugin = {
 			});
 		}, 
 		handleGetSuccess: function (action) {
-			$j("#templateHeading").html(myJson.parentTemplate.description);
+			$j("#templateHeading").html(htmlEscape(myJson.parentTemplate.description));
 			// If we have the pluralised name, pass the reference to a singular form.
 			// This works around Jackson 2.x using singular names, and Jackson 1.x using plural.
 			if (typeof myJson.parentTemplate.templateItems !== 'undefined' 
@@ -379,7 +379,7 @@ WebHooksPlugin = {
 			});
 		}, 
 		handlePutSuccess: function () {
-			$j("#templateHeading").html(myJson.parentTemplateDescription);
+			$j("#templateHeading").html(htmlEscape(myJson.parentTemplateDescription));
 			this.updateCheckboxes();
 			this.updateEditor();
 		},
@@ -479,7 +479,7 @@ WebHooksPlugin = {
 						if (project.id === '_Root') { 
 							myselect.append( $j('<option></option>').val(project.id).html(project.id) );
 						} else {
-							myselect.append( $j('<option></option>').val(project.id).html(project.name) );
+							myselect.append( $j('<option></option>').val(project.id).html(htmlEscape(project.name)) );
 						}
 					});
 					$j("#previewTemplateItemDialogProjectSelect").empty().append(myselect.html()).off().change(
@@ -520,7 +520,7 @@ WebHooksPlugin = {
     				myselect.append( $j('<option></option>').val(null).html("Choose a Build...") );
     				$j(response.build).each(function(index, build) {
     					//console.log(build);
-    					var desc = build.buildType.name 
+    					var desc = htmlEscape(build.buildType.name) 
     							  + "#" + build.number 
     							  + " - " + build.status + " ("
     							  + moment(build.finishDate, moment.ISO_8601).fromNow()
@@ -602,7 +602,7 @@ WebHooksPlugin = {
 	    							  + webhook.format + " :: " + webhook.template
 	    							  + ")";
 	    					
-							myselect.append( $j('<option></option>').val(webhook.id).html(desc) );
+							myselect.append( $j('<option></option>').val(webhook.id).html(htmlEscape(desc)) );
 	    				});
 	    				$j("#previewTemplateItemDialogWebHookSelect").empty().append(myselect.html()).off().change(
 								function() {
@@ -726,11 +726,11 @@ WebHooksPlugin = {
 					var ul = $j('<ul>');
 					
 					if (response.error) {
-						ul.append($j('<li/>').html("Error: " + response.error.message + " (" + response.error.errorCode + ")"));
+						ul.append($j('<li/>').html("Error: " + htmlEscape(response.error.message) + " (" + response.error.errorCode + ")"));
 					} else {
-						ul.append($j('<li/>').html("Success: " + response.statusReason + " (" + response.statusCode + ")"));
+						ul.append($j('<li/>').html("Success: " + htmlEscape(response.statusReason) + " (" + response.statusCode + ")"));
 					}
-					ul.append($j('<li/>').html("URL: " + response.url));
+					ul.append($j('<li/>').html("URL: " + htmlEscape(response.url)));
 					ul.append($j('<li/>').html("Duration: " + response.executionTime + " @ " + moment(response.dateTime, moment.ISO_8601).format("dddd, MMMM Do YYYY, h:mm:ss a")));
 					
 					$j("#previewTempleteItemDialogAjaxResult").empty().append(ul.html());
@@ -1084,3 +1084,12 @@ WebHooksPlugin = {
     	}
     }))
 };
+
+function htmlEscape(str) {
+	return String(str)
+    .replace(/&/g, '&amp;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+}
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEdit.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEdit.jsp
index a8fbe9ec..02192d7f 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEdit.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEdit.jsp
@@ -116,7 +116,7 @@
           <th style="width:10%;" title="Determines Template ordering in the WebHook UI (smallest number first)">Rank:</th><td style="width:10%; border:none;">${webhookTemplateBean.rank}</td>
           <c:choose>
 		  	<c:when test="${not empty webhookTemplateBean.dateFormat}">
-          	<th style="width:15%;" title="Used used as the default date format when now,currentTime,buildStartTime,buildFinishTime, is used in a template. Use a SimpleDateFormat compatible string.">Date Format:</th><td style="border:none;">${webhookTemplateBean.dateFormat}</td>
+          	<th style="width:15%;" title="Used as the default date format when now,currentTime,buildStartTime,buildFinishTime, is used in a template. Use a SimpleDateFormat compatible string.">Date Format:</th><td style="border:none;"><c:out value="${webhookTemplateBean.dateFormat}"/></td>
           	</c:when>
           	<c:otherwise>
           	<th style="width:15%;">Date Format:</th><td style="border:none;"><i>none</i></td>
@@ -124,14 +124,14 @@
           </c:choose>
         </tr>
         <tr>
-          <th style="width:15%;" title="Shown in the WebHook UI when choosing a Payload">Template Description:</th><td style="width:35%;">${webhookTemplateBean.templateDescription}</td>
+          <th style="width:15%;" title="Shown in the WebHook UI when choosing a Payload">Template Description:</th><td style="width:35%;"><c:out value="${webhookTemplateBean.templateDescription}"/></td>
           <th style="width:15%;">Payload Format:</th><td style="width:35%;" colspan=3>${webhookTemplateBean.payloadFormat}</td>
         </tr>
         <tr>
           <th style="width:15%;" title="Used in the UI to show extra information about a Template">Tooltip Text:</th>
           <c:choose>
 		  	<c:when test="${not empty webhookTemplateBean.toolTipText}">
-	          <td style="width:85%;" colspan="5">${webhookTemplateBean.toolTipText}</td>
+	          <td style="width:85%;" colspan="5"><c:out value="${webhookTemplateBean.toolTipText}"/></td>
           	</c:when>
           	<c:otherwise>
 	          <td style="width:85%;" colspan="5"><i>none</i></td>
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEditListBuildEventTemplates.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEditListBuildEventTemplates.jsp
index ed3706f9..d07bf65a 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEditListBuildEventTemplates.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/templateEditListBuildEventTemplates.jsp
@@ -19,8 +19,8 @@
 	      		The default template is defined, but no build events will use it. All events are associated with a Build Event Template defined below.
 	      	</td>
 		      			<%-- <td class="buildTemplateAction"><a class="viewBuildEventTemplate" href="#" onclick="WebHooksData.getWebHookTemplateData({ id: '${filter.id}', build: '${buildTypeId}', regex: '${filter.regex}', dist:'${filter.dist}', component:'${filter.component}' }); return false">view</a></td> --%>
-		      			<td class="buildTemplateAction"><a class="editBuildEventTemplate" href="#" onclick="WebHooksPlugin.editBuildEventTemplate({ id: '${filter.id}', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate', regex: '${filter.regex}', dist:'${filter.dist}', component:'${filter.component}' }); return false">edit</a></td>
-		      			<td class="buildTemplateAction"><a class="copyBuildEventTemplate" href="#" onclick="WebHooksPlugin.copyBuildEventTemplate({ id: '_copy', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate', dist:'${filter.dist}', component:'${filter.component}' }); return false">copy</a></td>
+		      			<td class="buildTemplateAction"><a class="editBuildEventTemplate" href="#" onclick="WebHooksPlugin.editBuildEventTemplate({ id: '${filter.id}', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate' }); return false">edit</a></td>
+		      			<td class="buildTemplateAction"><a class="copyBuildEventTemplate" href="#" onclick="WebHooksPlugin.copyBuildEventTemplate({ id: '_copy', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate' }); return false">copy</a></td>
 		      			<td class="buildTemplateAction"><a class="deleteBuildEventTemplate" href="#" onclick="WebHooksPlugin.deleteBuildEventTemplate({ templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate' }); return false">delete</a></td>
 	      	</tr>     
 		  </c:when>
@@ -31,8 +31,8 @@
 		      	</c:forEach>
 		      	</ul></td>
 		      			<%-- <td class="buildTemplateAction"><a class="viewBuildEventTemplate" href="#" onclick="WebHooksData.getWebHookTemplateData({ id: '${filter.id}', build: '${buildTypeId}', regex: '${filter.regex}', dist:'${filter.dist}', component:'${filter.component}' }); return false">view</a></td> --%>
-		      			<td class="buildTemplateAction"><a class="editBuildEventTemplate" href="#" onclick="WebHooksPlugin.editBuildEventTemplate({ id: '${filter.id}', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate', regex: '${filter.regex}', dist:'${filter.dist}', component:'${filter.component}' }); return false">edit</a></td>
-		      			<td class="buildTemplateAction"><a class="copyDBuildEventTemplate" href="#" onclick="WebHooksPlugin.copyBuildEventTemplate({ id: '_copy', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate', dist:'${filter.dist}', component:'${filter.component}' }); return false">copy</a></td>
+		      			<td class="buildTemplateAction"><a class="editBuildEventTemplate" href="#" onclick="WebHooksPlugin.editBuildEventTemplate({ id: '${filter.id}', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate' }); return false">edit</a></td>
+		      			<td class="buildTemplateAction"><a class="copyDBuildEventTemplate" href="#" onclick="WebHooksPlugin.copyBuildEventTemplate({ id: '_copy', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate' }); return false">copy</a></td>
 		      			<td class="buildTemplateAction"><a class="deleteBuildEventTemplate" href="#" onclick="WebHooksPlugin.deleteBuildEventTemplate({ templateId: '${webhookTemplateBean.templateId}', templateNumber: 'defaultTemplate' }); return false">delete</a></td>
 	      	</tr>   		  
 	      </c:otherwise>
@@ -57,8 +57,8 @@
 	      	</c:forEach>
 	      	</ul></td>
 	      			<%-- <td class="buildTemplateAction"><a class="viewBuildEventTemplate" href="#" onclick="WebHooksData.getWebHookTemplateData('${webhookTemplateBean.templateId}', '${buildEventTemplate.webHookTemplateItem.id}'); return false">view</a></td> --%>
-	      			<td class="buildTemplateAction"><a class="editBuildEventTemplate" href="#" onclick="WebHooksPlugin.editBuildEventTemplate({ id: '${filter.id}', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'id:${buildEventTemplate.webHookTemplateItem.id}', regex: '${filter.regex}', dist:'${filter.dist}', component:'${filter.component}' }); return false">edit</a></td>
-	      			<td class="buildTemplateAction"><a class="copyBuildEventTemplate" href="#" onclick="WebHooksPlugin.copyBuildEventTemplate({ id: '_copy', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'id:${buildEventTemplate.webHookTemplateItem.id}', dist:'${filter.dist}', component:'${filter.component}' }); return false">copy</a></td>
+	      			<td class="buildTemplateAction"><a class="editBuildEventTemplate" href="#" onclick="WebHooksPlugin.editBuildEventTemplate({ id: '${filter.id}', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'id:${buildEventTemplate.webHookTemplateItem.id}' }); return false">edit</a></td>
+	      			<td class="buildTemplateAction"><a class="copyBuildEventTemplate" href="#" onclick="WebHooksPlugin.copyBuildEventTemplate({ id: '_copy', templateId: '${webhookTemplateBean.templateId}', templateNumber: 'id:${buildEventTemplate.webHookTemplateItem.id}' }); return false">copy</a></td>
 	      			<td class="buildTemplateAction"><a class="deleteBuildEventTemplate" href="#" onclick="WebHooksPlugin.deleteBuildEventTemplate({ templateId: '${webhookTemplateBean.templateId}', templateNumber: 'id:${buildEventTemplate.webHookTemplateItem.id}' }); return false">delete</a></td>
       	</tr>     
       </c:forEach>
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/viewHistory.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/viewHistory.jsp
index 04782c4a..983eee62 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/viewHistory.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/viewHistory.jsp
@@ -37,10 +37,10 @@
         BS.Navigation.items = [
 		  {title: "Projects", url: '<c:url value="/overview.html"/>'},
 		  <c:if test="${haveProject}"> 
-		  	{title: "${projectName}", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
+		  	{title: "<c:out value="${projectName}"/>", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
 		  </c:if>
 		  <c:if test="${haveBuild}"> 
-		  	{title: "${buildName}", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
+		  	{title: "<c:out value="${buildName}"/>", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
 		  </c:if>
           {title: "${title}", selected:true}
         ];
@@ -93,22 +93,22 @@
 	        		<tr>
 					<td>${historyItem.webHookExecutionStats.initTimeStamp}</td>
 					<c:if test="${not empty historyItem.buildId}">
-					    <td><a href="../viewLog.html?buildId=${historyItem.buildId}">${historyItem.buildTypeName} #${historyItem.buildId}</a></td>
+					    <td><a href="../viewLog.html?buildId=${historyItem.buildId}"><c:out value="${historyItem.buildTypeName}"/> #${historyItem.buildId}</a></td>
 					</c:if>
 					<c:if test="${empty historyItem.buildId}">
-					    <td><a href="../viewType.html?buildTypeId=${historyItem.buildTypeExternalId}">${historyItem.buildTypeName}</a></td>
+					    <td><a href="../viewType.html?buildTypeId=<c:out value="${historyItem.buildTypeExternalId}"/>"><c:out value="${historyItem.buildTypeName}"/></a></td>
 					</c:if>
 					
 					<c:if test="${afn:permissionGrantedForProjectWithId(historyItem.webHookConfig.projectInternalId, 'EDIT_PROJECT')}">
-						<td><span title="Webhook from project '${historyItem.webHookConfig.projectExternalId}'">${historyItem.webHookExecutionStats.url}</span></td>
+						<td><span title="Webhook from project '<c:out value="${historyItem.webHookConfig.projectExternalId}"/>'"><c:out value="${historyItem.webHookExecutionStats.url}"/></span></td>
 					</c:if>
 					
 					<c:if test="${not afn:permissionGrantedForProjectWithId(historyItem.webHookConfig.projectInternalId, 'EDIT_PROJECT')}">
-						<td><span title="You do not have permission to see the full URL for this webhook (no 'EDIT_PROJECT' permission on '${historyItem.webHookConfig.projectExternalId}')">** ${historyItem.url}</span></td>
+						<td><span title="You do not have permission to see the full URL for this webhook (no 'EDIT_PROJECT' permission on '<c:out value="${historyItem.webHookConfig.projectExternalId}"/>')">** <c:out value="${historyItem.url}"/></span></td>
 					</c:if>
 					
 					<td><c:out value="${historyItem.webHookExecutionStats.buildState.shortDescription}${historyItem.test}">undefined</c:out></td>
-					<td title="x-tcwebhooks-request-id: ${historyItem.webHookExecutionStats.trackingId}">${historyItem.webHookExecutionStats.statusCode} :: ${historyItem.webHookExecutionStats.statusReason}</td>
+					<td title="x-tcwebhooks-request-id: ${historyItem.webHookExecutionStats.trackingId}">${historyItem.webHookExecutionStats.statusCode} :: <c:out value="${historyItem.webHookExecutionStats.statusReason}"/></td>
 	   				</tr>
 	        	
 	        </c:forEach>
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookInclude.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookInclude.jsp
index 0f5afdda..f6555787 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookInclude.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookInclude.jsp
@@ -2,7 +2,6 @@
         var ProjectBuilds = ${projectWebHooksAsJson};
         </script>
 
-	    <!-- <p><label for="webHookEnabled" style="width:30em;"><input id="webHookEnabled" type="checkbox" ${webHooksEnabledAsChecked}/> Process WebHooks for this project</label></p>-->
 	    <br/>
 	    <table id="webHookTable" class="settings">
 	   		<thead>
@@ -99,7 +98,7 @@
 																	<td style="padding:0; margin:0; left: 0px;"><label style='white-space:nowrap;'>
 																		<select id="payloadFormatHolder" name="payloadFormatHolder" class="templateAjaxRefresh">
 																		    <c:forEach items="${formatList}" var="template">
-																				<option value="${template.templateFormatCombinationKey}">${template.description}</option>
+																				<option value="${template.templateFormatCombinationKey}"><c:out value="${template.description}" /></option>
 																			</c:forEach>
 																		</select>
 																	</td></tr>
@@ -227,7 +226,7 @@
 		            
 			</div> <!-- webHookFormContents -->
 
-            <input type="hidden" id="projectExternalId" name="projectExternalId" value="${projectExternalId}"/>
+            <input type="hidden" id="projectExternalId" name="projectExternalId" value="<c:out value="${projectExternalId}"/>"/>
             <input type="hidden" id="webHookId" name="webHookId" value=""/>
             <input type="hidden" id="payloadFormat" name="payloadFormat" value=""/>
             <input type="hidden" id="payloadTemplate" name="payloadTemplate" value=""/>
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookProjectSettingsTab.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookProjectSettingsTab.jsp
index 0b60cb25..830a4223 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookProjectSettingsTab.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookProjectSettingsTab.jsp
@@ -11,7 +11,7 @@
 			<table class="highlightable parametersTable">
 				<tr><th class="name" style="width:75%">Project Name</th><th>WebHook Count</th></tr>
 			<c:forEach items="${parentProjectBeans}" var="parent">
-				<tr><td><a href="../webhooks/index.html?projectId=${parent.externalProjectId}">${parent.sensibleProjectName}</a></td><td>${fn:length(parent.webHookList)} webhooks configured</td></tr>
+				<tr><td><a href="../webhooks/index.html?projectId=${parent.externalProjectId}"><c:out value="${parent.sensibleProjectName}"/></a></td><td>${fn:length(parent.webHookList)} webhooks configured</td></tr>
 			</c:forEach>
 			</table>
 			<p><p>
@@ -22,7 +22,7 @@
 				<h3>WebHooks configured for every TeamCity build (_Root project)</h3>
 			</c:when>
 			<c:otherwise>	
-				<h3>WebHooks configured for ${project.fullName}</h3>
+				<h3>WebHooks configured for <c:out value="${project.fullName}"/></h3>
 			</c:otherwise>
 		</c:choose>
 	
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookTab.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookTab.jsp
index f12060a7..9fa30805 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookTab.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookTab.jsp
@@ -10,7 +10,7 @@
 				<h3 class="title actionBar" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;" >WebHooks configured for every TeamCity build</h3>
 			</c:when>
 			<c:otherwise>	
-				<h3 class="title actionBar" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for ${project.project.fullName}</h3>
+				<h3 class="title actionBar" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for <c:out value="${project.project.fullName}" /></h3>
 			</c:otherwise>
 		</c:choose>
 	
@@ -27,7 +27,7 @@
 					<div><strong>WARNING: Webhook processing is currently disabled for this project</strong></div>
 				</c:if>
 				<p>There are <strong>${project.projectWebhookCount}</strong> WebHooks configured for all builds in this project. 
-					<a href="./webhooks/index.html?projectId=${project.externalProjectId}">Edit project WebHooks</a>.</p>
+					<a href='./webhooks/index.html?projectId=<c:out value="${project.externalProjectId}"/>'>Edit project WebHooks</a>.</p>
 				<table class="testList dark borderBottom">
 					<thead><tr><th class=name style="background-color: #f5f5f5; color:#333333;">URL</th><th class=name style="background-color: #f5f5f5; color:#333333;">Enabled</th></tr></thead>
 					<tbody>
@@ -41,19 +41,19 @@
 
 			<c:forEach items="${project.buildWebhooks}" var="config">
 
-				<div style='margin-top: 2.5em;'><h3 class="title" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for ${projectName} &gt; ${config.buildName}</h3>
+				<div style='margin-top: 2.5em;'><h3 class="title" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for <c:out value="${projectName}"/> &gt; <c:out value="${config.buildName}"/></h3>
 				
 				<c:if test="${config.hasNoBuildWebHooks}" >
 						<div style='margin-left: 1em; margin-right:1em;'>
 						<p>There are no WebHooks configured for this specific build.</p> 
-						<a href="./webhooks/index.html?buildTypeId=${config.buildExternalId}">Add build WebHooks</a>.
+						<a href='./webhooks/index.html?buildTypeId=<c:out value="${config.buildExternalId}"/>'>Add build WebHooks</a>.
 						</div>
 					</div>
 				</c:if>
 				<c:if test="${config.hasBuildWebHooks}" >
 						<div style='margin-left: 1em; margin-right:1em;'>
 						<p>There are <strong>${config.buildCount}</strong> WebHooks for this specific build. 
-							<a href="./webhooks/index.html?buildTypeId=${config.buildExternalId}">Edit build WebHooks</a>.</p>
+							<a href='./webhooks/index.html?buildTypeId=<c:out value="${config.buildExternalId}"/>'>Edit build WebHooks</a>.</p>
 						<table class="testList dark borderBottom">
 							<thead><tr><th class=name>URL</th><th class=name>Enabled</th></tr></thead>
 							<tbody>
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookTabWithHistory.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookTabWithHistory.jsp
index 26159bde..61cdcc58 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookTabWithHistory.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webHookTabWithHistory.jsp
@@ -13,7 +13,7 @@
 				<h3 class="title actionBar" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for every TeamCity build (_Root)</h3>
 			</c:when>
 			<c:otherwise>	
-				<h3 class="title actionBar" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for ${project.project.fullName}</h3>
+				<h3 class="title actionBar" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for <c:out value="${project.project.fullName}" /></h3>
 			</c:otherwise>
 		</c:choose>
 	
@@ -21,7 +21,7 @@
 		<c:if test="${project.projectWebhookCount == 0}" >
 				<div style='margin-left: 1em; margin-right:1em;'>
 				<p>There are no WebHooks configured for this project.</p> 
-				<a href="./webhooks/index.html?projectId=${project.externalProjectId}">Add project WebHooks</a>.
+				<a href="./webhooks/index.html?projectId=<c:out value="${project.externalProjectId}" />">Add project WebHooks</a>.
 				</div>
 		</c:if>
 		<c:if test="${project.projectWebhookCount > 0}" >
@@ -30,7 +30,7 @@
 					<div><strong>WARNING: Webhook processing is currently disabled for this project</strong></div>
 				</c:if>
 				<p>There are <strong>${project.projectWebhookCount}</strong> WebHooks configured for all builds in this project. 
-					<a href="./webhooks/index.html?projectId=${project.externalProjectId}">Edit project WebHooks</a>.</p>
+					<a href="./webhooks/index.html?projectId=<c:out value="${project.externalProjectId}" />">Edit project WebHooks</a>.</p>
 				<table class="testList dark borderBottom">
 					<thead><tr><th class=name style="background-color: #f5f5f5; color:#333333;">URL</th><th class=name style="background-color: #f5f5f5; color:#333333;">Enabled</th></tr></thead>
 					<tbody>
@@ -51,18 +51,18 @@
 
 			<c:forEach items="${project.buildWebhooks}" var="config">
 
-				<div style='margin-top: 2.5em;'><h3 class="title" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for ${projectName} &gt; ${config.buildName}</h3>
+				<div style='margin-top: 2.5em;'><h3 class="title" style="background-color: #f5f5f5; border-bottom: solid 2px #ABB1C4;">WebHooks configured for <c:out value="${projectName}"/> &gt; <c:out value="${config.buildName}"/></h3>
 				
 				<c:if test="${config.hasNoBuildWebHooks}" >
 						<div style='margin-left: 1em; margin-right:1em;'>
 						<p>There are no WebHooks configured for this specific build.</p> 
-						<a href="./webhooks/index.html?buildTypeId=${config.buildExternalId}">Add build WebHooks</a>.
+						<a href="./webhooks/index.html?buildTypeId=<c:out value="${config.buildExternalId}" />">Add build WebHooks</a>.
 						</div>
 				</c:if>
 				<c:if test="${config.hasBuildWebHooks}" >
 						<div style='margin-left: 1em; margin-right:1em;'>
 						<p>There are <strong>${config.buildCount}</strong> WebHooks for this specific build. 
-							<a href="./webhooks/index.html?buildTypeId=${config.buildExternalId}">Edit build WebHooks</a>.</p>
+							<a href="./webhooks/index.html?buildTypeId=<c:out value="${config.buildExternalId}" />">Edit build WebHooks</a>.</p>
 						<table class="testList dark borderBottom">
 							<thead><tr><th class=name style="background-color: #f5f5f5; color:#333333;">URL</th><th class=name style="background-color: #f5f5f5; color:#333333;">Enabled</th></tr></thead>
 							<tbody>
@@ -94,22 +94,22 @@
 	        		<tr>
 					<td>${historyItem.webHookExecutionStats.initTimeStamp}</td>
 					<c:if test="${not empty historyItem.buildId}">
-					    <td><a href="../viewLog.html?buildId=${historyItem.buildId}">${historyItem.buildTypeName} #${historyItem.buildId}</a></td>
+					    <td><a href="../viewLog.html?buildId=<c:out value="${historyItem.buildId}"/>"><c:out value="${historyItem.buildTypeName}"/> #<c:out value="${historyItem.buildId}"/></a></td>
 					</c:if>
 					<c:if test="${empty historyItem.buildId}">
-					    <td><a href="../viewType.html?buildTypeId=${historyItem.buildTypeExternalId}">${historyItem.buildTypeName}</a></td>
+					    <td><a href="../viewType.html?buildTypeId=<c:out value="${historyItem.buildTypeExternalId}"/>"><c:out value="${historyItem.buildTypeName}"/></a></td>
 					</c:if>
 					
 					<c:if test="${afn:permissionGrantedForProjectWithId(historyItem.webHookConfig.projectInternalId, 'EDIT_PROJECT')}">
-						<td><span title="Webhook from project '${historyItem.webHookConfig.projectExternalId}'">${historyItem.webHookExecutionStats.url}</span></td>
+						<td><span title="Webhook from project '<c:out value="${historyItem.webHookConfig.projectExternalId}"/>'"><c:out value="${historyItem.webHookExecutionStats.url}"/></span></td>
 					</c:if>
 					
 					<c:if test="${not afn:permissionGrantedForProjectWithId(historyItem.webHookConfig.projectInternalId, 'EDIT_PROJECT')}">
-						<td><span title="You do not have permission to see the full URL for this webhook (no 'EDIT_PROJECT' permission on '${historyItem.webHookConfig.projectExternalId}')">** ${historyItem.url}</span></td>
+						<td><span title="You do not have permission to see the full URL for this webhook (no 'EDIT_PROJECT' permission on '<c:out value="${historyItem.webHookConfig.projectExternalId}"/>')">** <c:out value="${historyItem.url}"/></span></td>
 					</c:if>
 					
 					<td><c:out value="${historyItem.webHookExecutionStats.buildState.shortDescription}${historyItem.test}">undefined</c:out></td>
-					<td title="x-tcwebhooks-request-id: ${historyItem.webHookExecutionStats.trackingId}">${historyItem.webHookExecutionStats.statusCode} :: ${historyItem.webHookExecutionStats.statusReason}</td>
+					<td title="x-tcwebhooks-request-id: ${historyItem.webHookExecutionStats.trackingId}">${historyItem.webHookExecutionStats.statusCode} :: <c:out value="${historyItem.webHookExecutionStats.statusReason}"/></td>
 	   				</tr>
 	        	
 	        </c:forEach>
diff --git a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webhookEdit.jsp b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webhookEdit.jsp
index 98df86be..57fce926 100644
--- a/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webhookEdit.jsp
+++ b/tcwebhooks-web-ui/src/main/resources/buildServerResources/WebHook/webhookEdit.jsp
@@ -33,10 +33,10 @@
         BS.Navigation.items = [
 		  {title: "Projects", url: '<c:url value="/overview.html"/>'},
 		  <c:if test="${haveProject}"> 
-		  	{title: "${projectName}", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
+		  	{title: "<c:out value="${projectName}"/>", url: '<c:url value="/project.html?projectId=${projectExternalId}"/>'},
 		  </c:if>
 		  <c:if test="${haveBuild}"> 
-		  	{title: "${buildName}", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
+		  	{title: "<c:out value="${buildName}"/>", url: '<c:url value="/viewType.html?buildTypeId=${buildExternalId}"/>'},
 		  </c:if>
           {title: "${title}", selected:true}
         ];
@@ -106,7 +106,7 @@
 	
 	function renderPreviewOnChange() {
 		if ($j('#payloadFormatHolder').val()) {
-			$j('#currentTemplateName').html(lookupTemplateName($j('#payloadFormatHolder').val()));
+			$j('#currentTemplateName').html(htmlEscape(lookupTemplateName($j('#payloadFormatHolder').val())));
 		} else {
 			$j('#currentTemplateName').html("&nbsp;");
 		}
@@ -182,11 +182,11 @@
     
         <c:choose>  
     		<c:when test="${haveBuild}"> 
-			    <h2 class="noBorder">WebHooks applicable to build ${buildName}</h2>
+			    <h2 class="noBorder">WebHooks applicable to build <c:out value="${buildName}"/></h2>
 			    To edit all webhooks for builds in the project <a href="index.html?projectId=${projectExternalId}">edit Project webhooks</a>.
          	</c:when>  
          	<c:otherwise>  
-			    <h2 class="noBorder">WebHooks configured for project ${projectName}</h2>
+			    <h2 class="noBorder">WebHooks configured for project <c:out value="${projectName}"/></h2>
          	</c:otherwise>  
 		</c:choose>  
 
@@ -262,10 +262,10 @@
 	        $('systemParams').updateContainer = function() {
         <c:choose>  
     		<c:when test="${haveBuild}"> 
-	          	$j.get("settingsList.html?buildTypeId=${buildExternalId}", function(data) {
+	          	$j.get("settingsList.html?buildTypeId=<c:out value="${buildExternalId}"/>", function(data) {
          	</c:when>  
          	<c:otherwise>  
-	          	$j.get("settingsList.html?projectId=${projectId}", function(data) {
+	          	$j.get("settingsList.html?projectId=<c:out value="${projectId}"/>", function(data) {
          	</c:otherwise>  
 		</c:choose>  	        
 	          		ProjectBuilds = data;