SECURITY-2755

Author: madsjakobsen

pom.xml

@@ -1,32 +1,38 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-	
+
 	<modelVersion>4.0.0</modelVersion>
-	
 	<parent>
 		<groupId>org.jenkins-ci.plugins</groupId>
 		<artifactId>plugin</artifactId>
-		<version>1.541</version>
-	</parent>
+		<version>4.10</version>
+		<relativePath />
+	  </parent>
+
+	<properties>
+		<jenkins.version>2.222.1</jenkins.version>
+		<java.level>8</java.level>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+	</properties>
 
 	<artifactId>hidden-parameter</artifactId>
-	<packaging>hpi</packaging>	
+	<packaging>hpi</packaging>
 	<version>0.0.5-SNAPSHOT</version>
 	<name>Hidden Parameter plugin</name>
     <url>http://wiki.jenkins-ci.org/display/JENKINS/Hidden+Parameter+Plugin</url>
-    
+
 	<organization>
 		<name>wangyin</name>
 		<url>www.wangyin.com</url>
 	</organization>
-	
+
 	 <developers>
       <developer>
           <id>wy-scm</id>
           <name>wy-scm</name>
       </developer>
     </developers>
 
-
 	<build>
 		<plugins>
 			<plugin>
@@ -45,12 +51,12 @@
 			</plugin>
 		</plugins>
 	</build>
-	
+
 	<scm>
         <connection>scm:git:git://github.com/jenkinsci/hidden-parameter-plugin.git</connection>
         <developerConnection>scm:git:[email protected]:jenkinsci/hidden-parameter-plugin.git</developerConnection>
     </scm>
-	
+
 	<repositories>
 		<repository>
 			<id>repo.jenkins-ci.org</id>
@@ -64,9 +70,5 @@
 			<url>https://repo.jenkins-ci.org/public/</url>
 		</pluginRepository>
 	</pluginRepositories>
-	
-	<properties>
-      <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-      <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    </properties>
+
 </project>

src/main/java/com/wangyin/parameter/WHideParameterDefinition.java

@@ -11,8 +11,8 @@
 import org.kohsuke.stapler.StaplerRequest;
 
 /**
- * @author wy-scm <[email protected]>
- * 
+ * @author wy-scm [email protected]
+ *
  */
 public class WHideParameterDefinition extends ParameterDefinition {
 
@@ -26,13 +26,13 @@ public String getDefaultValue() {
 	public void setDefaultValue(String defaultValue) {
 		this.defaultValue = defaultValue;
 	}
- 
+
     @DataBoundConstructor
 	public WHideParameterDefinition(String name,String defaultValue, String description) {
 		super(name, description);
 		this.defaultValue = defaultValue;
 	}
- 
+
     @Extension
 	public static class DescriptorImpl extends ParameterDescriptor {
         @Override
@@ -57,7 +57,7 @@ public ParameterValue createValue(StaplerRequest req) {
             throw new IllegalArgumentException("Illegal number of parameter values for " + getName() + ": " + value.length);
         } else {
             return new WHideParameterValue(getName(), value[0], getDescription());
-        } 
+        }
 	}
 
 
@@ -67,10 +67,7 @@ public ParameterValue createValue(StaplerRequest req, JSONObject jo) {
 		return value;
 	}
 
-	/**
-	 * @param args
-	 */
-	public static void main(String[] args) { 
+	public static void main(String[] args) {
 
 	}
 

src/main/java/com/wangyin/parameter/WHideParameterValue.java

@@ -1,6 +1,6 @@
 // Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
 // Jad home page: http://www.kpdus.com/jad.html
-// Decompiler options: packimports(3) 
+// Decompiler options: packimports(3)
 // Source File Name:   StringParameterValue.java
 
 package com.wangyin.parameter;
@@ -10,10 +10,10 @@
 import org.kohsuke.stapler.DataBoundConstructor;
 
 /**
-* @author wy-scm <[email protected]>
+* @author wy-scm [email protected]
 */
 public class WHideParameterValue extends StringParameterValue {
-	
+
 	private static final long serialVersionUID = 6926027508686211675L;
 
 	@DataBoundConstructor
@@ -29,4 +29,4 @@ public WHideParameterValue(String name, String value, String description) {
     public String toString() {
         return "(HiddenParameterValue) " + getName() + "='" + value + "'";
     }
-}
+}

src/main/resources/com/wangyin/parameter/WHideParameterDefinition/config.jelly

@@ -1,9 +1,9 @@
-  <!-- This jelly script is used for per-project configuration. See global.jelly 
+  <!-- This jelly script is used for per-project configuration. See global.jelly
 	for a general discussion about jelly script. -->
 
-<!-- Creates a text field that shows the value of the "name" property. When 
+<!-- Creates a text field that shows the value of the "name" property. When
 	submitted, it will be passed to the corresponding constructor parameter. -->
-
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
 	xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"
 	xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">

src/main/resources/com/wangyin/parameter/WHideParameterDefinition/index.jelly

@@ -1,3 +1,4 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
 	xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"
 	xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">

src/main/resources/com/wangyin/parameter/WHideParameterValue/value.jelly

@@ -1,7 +1,9 @@
+<?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
 	xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"
 	xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">
-    <f:entry title="${it.name}" description="${it.description}">
+	<j:set var="escapeEntryTitleAndDescription" value="false"/>
+	<f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
 		<f:textbox name="value" value="${it.value}" readonly="true" />
     </f:entry>
 </j:jelly>