[SECURITY-2760]

Author: rsandell

src/main/resources/hudson/tasks/junit/CaseResult/list.jelly

@@ -47,7 +47,7 @@ THE SOFTWARE.
                 <st:include it="${badge}" page="badge.jelly" optional="true"/>
               </j:forEach>
             </td>
-            <td class="pane" style="text-align:left"><j:out value="${test.description}"/></td>
+            <td class="pane" style="text-align:left"><j:out value="${app.markupFormatter.translate(test.description)}"/></td>
             <td class="pane no-wrap" style="text-align:left" data="${test.duration}">${test.durationString}</td>
             <td class="pane">
               <j:set var="pst" value="${test.status}" />

src/main/resources/hudson/tasks/junit/ClassResult/list.jelly

@@ -46,7 +46,7 @@ THE SOFTWARE.
                 <st:include it="${badge}" page="badge.jelly" optional="true"/>
               </j:forEach>
             </td>
-            <td class="pane" style="text-align:right"><j:out value="${p.description}"/></td>
+            <td class="pane" style="text-align:right"><j:out value="${app.markupFormatter.translate(p.description)}"/></td>
             <td class="pane no-wrap" style="text-align:right" data="${p.duration}">${p.durationString}</td>
             <td class="pane" style="text-align:right">${p.failCount}</td>
             <td class="pane" style="text-align:right">${p.skipCount}</td>

src/main/resources/hudson/tasks/junit/History/index.jelly

@@ -96,7 +96,7 @@ THE SOFTWARE.
                   <a href="${app.rootUrl}${item.url}">${item.fullDisplayName}</a>
                 </td>
                 <j:if test="${historySummary.descriptionAvailable}">
-                  <td class="pane" style="text-align:right"><j:out value="${item.description}"/></td>
+                  <td class="pane" style="text-align:right"><j:out value="${app.markupFormatter.translate(item.description)}"/></td>
                 </j:if>
                 <td class="pane no-wrap" style="text-align:right" data="${item.duration}">${item.durationString}</td>
                 <td class="pane" style="text-align:right">${item.failCount}</td>

src/main/resources/hudson/tasks/test/MetaTabulatedResult/list.jelly

@@ -46,7 +46,7 @@ THE SOFTWARE.
                 <st:include it="${badge}" page="badge.jelly" optional="true"/>
               </j:forEach>
             </td>
-            <td class="pane" style="text-align:right"><j:out value="${p.description}"/></td>
+            <td class="pane" style="text-align:right"><j:out value="${app.markupFormatter.translate(p.description)}"/></td>
             <td class="pane no-wrap" style="text-align:right" data="${p.duration}">${p.durationString}</td>
             <td class="pane" style="text-align:right">${p.failCount}</td>
             <td class="pane" style="text-align:right">${p.skipCount}</td>

src/test/java/hudson/tasks/junit/HistoryTest.java

@@ -23,20 +23,28 @@
  */
 package hudson.tasks.junit;
 
+import com.gargoylesoftware.htmlunit.AlertHandler;
+import com.gargoylesoftware.htmlunit.Page;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlTable;
+import com.gargoylesoftware.htmlunit.html.HtmlTableCell;
 import hudson.model.FreeStyleBuild;
 import hudson.model.FreeStyleProject;
 import hudson.model.Project;
 import hudson.model.Result;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.recipes.LocalData;
 
 import java.util.List;
+import java.util.Optional;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 public class HistoryTest {
@@ -113,4 +121,44 @@ public void testFailedSince() throws Exception {
         assertTrue("eleanor failed", !eleanorCase.isPassed());
         assertEquals("eleanor has failed since build 3", 3, eleanorCase.getFailedSince()); 
     }
+
+    @LocalData
+    @Test @Issue("SECURITY-2760")
+    public void testXSS() throws Exception {
+        assertNotNull("project should exist", project);
+
+        FreeStyleBuild build4 = project.getBuildByNumber(4);
+        TestResult tr = build4.getAction(TestResultAction.class).getResult();
+
+        tr.setDescription("<script>alert(\"<XSS>\")</script>");
+        build4.save(); //Might be unnecessary
+
+        try (final JenkinsRule.WebClient webClient = rule.createWebClient()) {
+            Alerter alerter = new Alerter();
+            webClient.setJavaScriptEnabled(true);
+            webClient.getOptions().setThrowExceptionOnScriptError(false); //HtmlUnit finds a syntax error in bootstrap 5
+            webClient.setAlertHandler(alerter); //This catches any alert dialog popup
+
+            final HtmlPage page = webClient.getPage(build4, "testReport/history/");
+            assertNull(alerter.message); //No alert dialog popped up
+            assertNull(alerter.page);
+            final HtmlTable table = (HtmlTable) page.getElementById("testresult");
+            final Optional<HtmlTableCell> descr = table.getRows().stream().flatMap(row -> row.getCells().stream())
+                    .filter(cell -> cell.getTextContent().equals("<script>alert(\"<XSS>\")</script>")) //cell.getTextContent() seems to translate back from &gt; to < etc.
+                    .findFirst();
+            assertTrue("Should have found the description", descr.isPresent());
+        }
+    }
+
+    static class Alerter implements AlertHandler {
+
+        Page page = null;
+        String message = null;
+
+        @Override
+        public void handleAlert(final Page page, final String message) {
+            this.page = page;
+            this.message = message;
+        }
+    }
 }