• Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Environment: Fedora 17, Tomcat 6.0.35, Java 7, Latest Jenkins and plugins as of today

      On most pages, like these:

      https://ci.jenkins-ci.org/job/jenkins_rc_branch/changes
      https://ci.jenkins-ci.org/user/kohsuke/

      When the username is something like "Joe User <joe.user@example.com>", it is incorrectly escaped in the HTML as:

      Joe User &lt;joe.user@example.com>

      Then on the changes page for a specific build:

      https://ci.jenkins-ci.org/job/jenkins_rc_branch/300/changes

      A username like the above wouldn't be escaped at all, so would be "Joe User <joe.user@example.com>" in the HTML.

      Of course the proper way to escape this would be:

      Joe User &lt;joe.user@example.com&gt;

      We are using the mercurial plugin with rhodecode as the mercurial server, and I'm not sure if it's the job of the SCM plugin to escape these or whatever outputs the HTML, though I would think the latter.

          [JENKINS-16184] emails not escaped properly

          Travis Burtrum added a comment - edited

          @Edit: Use code tags so the HTML entities show up correctly.

          Jesse Glick added a comment -

          Probably the RhodeCode support in the Mercurial plugin; each kind of repo browser has its own page output strategy. Pull requests welcome since I do not have access to a sample RhodeCode server to test against (that I know of).

          Travis Burtrum added a comment -

          Just for reference, there is a demo rhodecode that anyone can use set up here:
          http://demo.rhodecode.org/
          and one used in production here:
          https://secure.rhodecode.org/

          Thanks for the pointer in the right direction, I might have a look at the mercurial plugin and see what I can do.

          Lastly, shouldn't the User page, at least, be independent of any plugins? I'd think that should escape everything itself, I could be wrong though.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/Util.java
          core/src/test/java/hudson/FunctionsTest.java
          core/src/test/java/hudson/MarkupTextTest.java
          core/src/test/java/hudson/UtilTest.java
          core/src/test/java/hudson/console/UrlAnnotatorTest.java
          http://jenkins-ci.org/commit/jenkins/daacb02057cd702900f986a0a6867730ece13014
          Log:
          JENKINS-16184 Also escape greater-than character

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/main/java/hudson/Util.java
          core/src/test/java/hudson/FunctionsTest.java
          core/src/test/java/hudson/MarkupTextTest.java
          core/src/test/java/hudson/UtilTest.java
          core/src/test/java/hudson/console/UrlAnnotatorTest.java
          http://jenkins-ci.org/commit/jenkins/d158334f3b3dbed35d9f0ef042215dbf2076fc74
          Log:
          Merge pull request #1420 from daniel-beck/JENKINS-16184

          JENKINS-16184 Also escape greater-than character

          Compare: https://github.com/jenkinsci/jenkins/compare/aac8c239721e...d158334f3b3d

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3733
          JENKINS-16184 Also escape greater-than character (Revision daacb02057cd702900f986a0a6867730ece13014)

          Result = SUCCESS
          daniel-beck : daacb02057cd702900f986a0a6867730ece13014
          Files :

          • core/src/test/java/hudson/UtilTest.java
          • core/src/test/java/hudson/FunctionsTest.java
          • core/src/test/java/hudson/MarkupTextTest.java
          • core/src/main/java/hudson/Util.java
          • core/src/test/java/hudson/console/UrlAnnotatorTest.java

          Daniel Beck added a comment -

          A change related to this will be in Jenkins 1.586, so confirmation this resolves the issue would be great.

          Jesse Glick added a comment -

          Note that escaping > is not mandatory (nor is escaping " or ' in element content); it suffices to escape & and <.

          It sounds like there are two or three distinct issues here. The first was about > in the changes of a job, which is not really a bug (IMO) but which this core change may tighten up, if the Mercurial plugin is using the core function to do escaping, which I think it is. The second was also about > escaping, this time in the user page, certainly in core, which I guess Daniel checked.

          The third is about a lack of escaping in changes of a build, which is certainly a bug and unrelated to the first two; this bug might be in the Rhodecode section of the Mercurial plugin (which I cannot personally test changes to), or in a more generic section of the Mercurial plugin applicable also to e.g. Bitbucket and others, or in core and applicable to any SCM. Most likely it is the second case and a duplicate of JENKINS-5452, already fixed.
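          The two escaping policies discussed in this thread, side by side, as an added example that is not part of the issue and is not Jenkins' own `hudson.Util.escape()`; the class and method names (`HtmlEscapeDemo`, `escapeText`, `escapeHtml`) are hypothetical and the sample names are constructed. `escapeText` is the minimal form Jesse describes (only `&` and `<` can change how a parser reads element content, so a bare `>` is legal there); `escapeHtml` additionally handles `>`, `"` and `'`, which is what you want when the same string may also land inside a quoted attribute value. Either policy is fine for the job changes page; the real defect in the report is the build changes page emitting the name with no escaping at all.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Standalone illustration of HTML escaping policies for SCM user names.
 * Added example for this issue; hypothetical names, not Jenkins' hudson.Util.
 */
public final class HtmlEscapeDemo {

    /**
     * Minimal escaping, sufficient for element (text) content: only '&' (starts
     * a character reference) and '<' (starts a tag) can alter parsing there.
     * Output such as "Joe User &lt;joe.user@example.com>" is therefore valid HTML.
     */
    public static String escapeText(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;");  break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Conservative escaping that is also safe inside a double- or single-quoted
     * attribute value, where an unescaped quote would terminate the value.
     * Escaping '>' as well (as the core change in this issue does) is not
     * required for correctness but makes rendered output easier to audit.
     */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values in the shape the report describes.
        List<String> names = Arrays.asList(
                "Joe User <joe.user@example.com>",
                "Ann \"Annie\" O'Neil <ann@example.com>");

        for (String name : names) {
            System.out.println("raw:       " + name);
            // Text content: the minimal policy is enough here.
            System.out.println("text-only: <td>" + escapeText(name) + "</td>");
            // Attribute plus text: quotes in the second sample would break the
            // title attribute under the minimal policy, so use the fuller one.
            System.out.println("full:      <a title=\"" + escapeHtml(name) + "\">"
                    + escapeHtml(name) + "</a>");
            System.out.println();
        }
    }
}
```

          Running it with the second sample shows the point of the fuller policy: `escapeText` leaves the embedded `"` intact, which would close the `title` attribute early, while `escapeHtml` keeps the whole name inside the attribute. Whichever policy a renderer uses, it has to be applied at the point where the string is written into HTML, which is why Jesse's third case (no escaping at all on the build changes page) is the one that is a genuine bug.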

          Jesse Glick added a comment -

          Assuming > is now also escaped, I guess this is fixed.

            danielbeck Daniel Beck
            moparisthebest Travis Burtrum
            Votes: 0
            Watchers: 4