-
Task
-
Resolution: Unresolved
-
Minor
Problems
== Inline Script Block Line: 23
----
<script language="javascript">
    /*
      from: http://stackoverflow.com/questions/868407/hide-an-elements-next-sibling-with-javascript
      Credit to John Resig for this function taken from Pro JavaScript techniques
    */
    function next(elem) {
        do {
            elem = elem.nextSibling;
        } while (elem && elem.nodeType != 1);
        return elem;
    }

    function validateUrl(str) {
        //return URI_FORMAT_REGEX.test(str);
        //var pattern = new RegExp("/^(ht|f)tps?:\/\/[a-z0-9-\.]+\.[a-z]{2,4}\/?([^\s<>\#%"\,\{\}\\|\\\^\[\]`]+)?$/");
        var pattern = new RegExp("^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+&%\$#_]*)?$");
        return str.match(pattern);
    }

    function validateUserInput(element) {
        var errorHolder = next(element);
        while (errorHolder.hasChildNodes()) {
            errorHolder.removeChild(errorHolder.lastChild);
        }
        if (!validateUrl(element.value)) {
            var errorMessage = document.createTextNode('warning: ' + element.value + ' is not a valid URL.');
            errorHolder.appendChild(errorMessage);
        }
    }
</script>
----

== Inline Script Block Line: 125
----
<script language="JavaScript" type="text/javascript">
    var inputs = document.getElementsByTagName("input");
    var i;
    for (i = 0 ; i < inputs.length ; i++) {
        var userInput = inputs[i];
        if (userInput.name && (userInput.name.indexOf("hostUrl")!= -1)) {
            validateUserInput(userInput);
        }
    }
</script>
----

== Legacy checkUrl Line: 86
----
checkUrl="'descriptorByName/OOBuildStep/checkKeystorePath?value='+escape(this.value)"
----

== Legacy checkUrl Line: 90
----
checkUrl="'descriptorByName/OOBuildStep/checkKeystorePassword?value='+escape(this.value)+'&path='+escape(document.getElementById('oo.keystore.path').value)"
----

== Inline Event Handler Line: 102
----
<f:textbox value="${ooServer.getUrl()}" onchange="validateUserInput(this);" onkeyup="validateUserInput(this);"/>
----
Solutions
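Each link below is the section of the Jenkins Content Security Policy (CSP) developer guide that covers the matching problem category listed under Problems:
- Inline script blocks: https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks
- Inline event handlers: https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers
- Legacy checkUrl: https://www.jenkins.io/doc/developer/security/csp/#legacy-javascript-checkurl-validation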