• Bug
    • Resolution: Fixed
    • Minor
    • core
    • Fedora 17, Tomcat 6.0.35, Java 7, Latest Jenkins and plugins as of today

      On most pages, like these:

      https://ci.jenkins-ci.org/job/jenkins_rc_branch/changes
      https://ci.jenkins-ci.org/user/kohsuke/

      When the username is something like "Joe User <joe.user@example.com>", it is incorrectly escaped in the HTML as:

      Joe User &lt;joe.user@example.com>

      Then on the changes page for a specific build:

      https://ci.jenkins-ci.org/job/jenkins_rc_branch/300/changes

      A username like the above wouldn't be escaped at all, so would be "Joe User <joe.user@example.com>" in the HTML.

      Of course the proper way to escape this would be:

      Joe User &lt;joe.user@example.com&gt;

      We are using the Mercurial plugin with RhodeCode as the Mercurial server, and I'm not sure if it's the job of the SCM plugin to escape these or whatever outputs the HTML, though I would think the latter.

          [JENKINS-16184] emails not escaped properly

          Travis Burtrum created issue -

          Travis Burtrum added a comment - edited

          @Edit: Use code tags so the HTML entities show up correctly.


          Jesse Glick added a comment -

          Probably the RhodeCode support in the Mercurial plugin; each kind of repo browser has its own page output strategy. Pull requests welcome since I do not have access to a sample RhodeCode server to test against (that I know of).


          Travis Burtrum added a comment -

          Just for reference, there is a demo RhodeCode that anyone can use, set up here:
          http://demo.rhodecode.org/
          and one used in production here:
          https://secure.rhodecode.org/

          Thanks for the pointer in the right direction, I might have a look at the Mercurial plugin and see what I can do.

          Lastly, shouldn't the User page, at least, be independent of any plugins? I'd think that should escape everything itself, I could be wrong though.

          Jenkins IRC Bot made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: www [ 15484 ]

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/Util.java
          core/src/test/java/hudson/FunctionsTest.java
          core/src/test/java/hudson/MarkupTextTest.java
          core/src/test/java/hudson/UtilTest.java
          core/src/test/java/hudson/console/UrlAnnotatorTest.java
          http://jenkins-ci.org/commit/jenkins/daacb02057cd702900f986a0a6867730ece13014
          Log:
          JENKINS-16184 Also escape greater-than character
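
The three renderings described in this issue, and the effect of also escaping the greater-than character, as an added Java example. It is not the code in `hudson/Util.java`; the class and method names are hypothetical, and the handling of `&` is an assumption the page does not state.

```java
// Added illustration for JENKINS-16184; this is not the code in hudson/Util.java.
// Class and method names are hypothetical.
public class EscapeCheck {

    // Behaviour reported on the job changes and user pages: '<' becomes an
    // entity, '>' is passed through. Escaping '&' here is an assumption;
    // it is done first so the entities added afterwards are not re-escaped.
    static String escapePartial(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;");
    }

    // Behaviour the reporter asks for: '>' is escaped as well.
    static String escapeFull(String s) {
        return escapePartial(s).replace(">", "&gt;");
    }

    // Regression check: text destined for an HTML text node must not
    // contain a raw angle bracket once it has been escaped.
    static boolean hasRawAngleBracket(String rendered) {
        return rendered.indexOf('<') >= 0 || rendered.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Sample author string taken from the issue description.
        String author = "Joe User <joe.user@example.com>";

        String[][] cases = {
            {"job changes / user page (reported)", escapePartial(author)},
            {"build changes page (reported)",      author},
            {"expected",                           escapeFull(author)},
        };
        for (String[] c : cases) {
            System.out.printf("%-36s %-44s raw bracket: %b%n",
                    c[0], c[1], hasRawAngleBracket(c[1]));
        }
    }
}
```

Running the same check over each page that renders SCM author names shows whether every output path goes through the complete escaper, which is the question raised in the comments above.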

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/main/java/hudson/Util.java
          core/src/test/java/hudson/FunctionsTest.java
          core/src/test/java/hudson/MarkupTextTest.java
          core/src/test/java/hudson/UtilTest.java
          core/src/test/java/hudson/console/UrlAnnotatorTest.java
          http://jenkins-ci.org/commit/jenkins/d158334f3b3dbed35d9f0ef042215dbf2076fc74
          Log:
          Merge pull request #1420 from daniel-beck/JENKINS-16184

          JENKINS-16184 Also escape greater-than character

          Compare: https://github.com/jenkinsci/jenkins/compare/aac8c239721e...d158334f3b3d

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3733
          JENKINS-16184 Also escape greater-than character (Revision daacb02057cd702900f986a0a6867730ece13014)

          Result = SUCCESS
          daniel-beck : daacb02057cd702900f986a0a6867730ece13014
          Files :

          • core/src/test/java/hudson/UtilTest.java
          • core/src/test/java/hudson/FunctionsTest.java
          • core/src/test/java/hudson/MarkupTextTest.java
          • core/src/main/java/hudson/Util.java
          • core/src/test/java/hudson/console/UrlAnnotatorTest.java


          Daniel Beck added a comment -

          A change related to this will be in Jenkins 1.586, so confirmation this resolves the issue would be great.


            danielbeck Daniel Beck
            moparisthebest Travis Burtrum