[SECURITY-906]

Author: bakito

pom.xml

@@ -112,6 +112,11 @@
             <version>1.39</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.jenkins-ci.plugins</groupId>
+            <artifactId>antisamy-markup-formatter</artifactId>
+            <version>1.5</version>
+        </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
             <artifactId>workflow-cps</artifactId>

src/main/java/com/jenkinsci/plugins/badge/action/BadgeSummaryAction.java

@@ -23,14 +23,21 @@
  */
 package com.jenkinsci.plugins.badge.action;
 
+import hudson.markup.RawHtmlMarkupFormatter;
 import org.apache.commons.lang.StringEscapeUtils;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.Whitelisted;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
 
+import java.io.IOException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+
 @ExportedBean(defaultVisibility = 2)
 public class BadgeSummaryAction extends AbstractAction {
   private static final long serialVersionUID = 1L;
+  private static final Logger LOGGER = Logger.getLogger(BadgeSummaryAction.class.getName());
 
   private final String iconPath;
   private String summaryText = "";
@@ -57,9 +64,18 @@ public String getIconPath() {
     return iconPath;
   }
 
+  public String getRawText() {
+    return summaryText;
+  }
+
   @Exported
   public String getText() {
-    return summaryText;
+    try {
+      return new RawHtmlMarkupFormatter(false).translate(summaryText);
+    } catch (IOException e) {
+      LOGGER.log(Level.WARNING, "Error preparing summary text for ui", e);
+      return "<b><font color=\"red\">ERROR</font></b>";
+    }
   }
 
   @Whitelisted

src/main/java/com/jenkinsci/plugins/badge/action/HtmlBadgeAction.java

@@ -23,12 +23,19 @@
  */
 package com.jenkinsci.plugins.badge.action;
 
+import hudson.markup.RawHtmlMarkupFormatter;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
 
+import java.io.IOException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
 @ExportedBean(defaultVisibility = 2)
 public class HtmlBadgeAction extends AbstractBadgeAction {
   private static final long serialVersionUID = 1L;
+  private static final Logger LOGGER = Logger.getLogger(BadgeSummaryAction.class.getName());
+
   private final String html;
 
   private HtmlBadgeAction(String html) {
@@ -52,9 +59,17 @@ public String getIconFileName() {
     return null;
   }
 
-  @Exported
-  public String getHtml() {
+  public String getRawHtml() {
     return html;
   }
 
+  @Exported
+  public String getHtml() {
+    try {
+      return new RawHtmlMarkupFormatter(false).translate(html);
+    } catch (IOException e) {
+      LOGGER.log(Level.WARNING, "Error preparing html content for ui", e);
+      return "<b><font color=\"red\">ERROR</font></b>";
+    }
+  }
 }

src/test/java/com/jenkinsci/plugins/badge/dsl/AddHtmlBadgeStepTest.java

@@ -40,6 +40,18 @@ public class AddHtmlBadgeStepTest extends AbstractBadgeTest {
   @Test
   public void addHtmlBadge() throws Exception {
     String html = UUID.randomUUID().toString();
+    testAddHtmlBadge(html, html);
+  }
+
+  @Test
+  public void addHtmlBadge_remove_script() throws Exception {
+    String uuid = UUID.randomUUID().toString();
+    String html = uuid + "<script>alert('exploit!');</script>";
+    testAddHtmlBadge(html, uuid);
+  }
+
+
+  private void testAddHtmlBadge(String html, String expected) throws Exception {
     WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "p");
 
     String script = "addHtmlBadge(\"" + html + "\")";
@@ -51,6 +63,7 @@ public void addHtmlBadge() throws Exception {
     assertEquals(1, badgeActions.size());
 
     HtmlBadgeAction action = (HtmlBadgeAction) badgeActions.get(0);
-    assertEquals(html, action.getHtml());
+    assertEquals(expected, action.getHtml());
+    assertEquals(html, action.getRawHtml());
   }
 }

src/test/java/com/jenkinsci/plugins/badge/dsl/CreateSummaryStepTest.java

@@ -51,6 +51,15 @@ public void createSummary_html_unescaped() throws Exception {
     assertEquals("<li>" + text + "</li>", action.getText());
   }
 
+  @Test
+  public void createSummary_html_unescaped_remove_script() throws Exception {
+    String text = randomUUID().toString();
+    String html = "<li>" + text + "</li><script>alert(\"exploit!\");</script>";
+    BadgeSummaryAction action = createSummary("summary.appendText('" + html + "', false);");
+    assertEquals("<li>" + text + "</li>", action.getText());
+    assertEquals(html, action.getRawText());
+  }
+
   @Test
   public void createSummary_html_escaped() throws Exception {
     String text = randomUUID().toString();
@@ -85,7 +94,7 @@ public void createSummary_with_text() throws Exception {
     String text = randomUUID().toString();
 
     WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "p");
-    p.setDefinition(new CpsFlowDefinition("def summary = createSummary(icon:\"" + icon + "\", text:\""+text+"\")", true));
+    p.setDefinition(new CpsFlowDefinition("def summary = createSummary(icon:\"" + icon + "\", text:\"" + text + "\")", true));
     WorkflowRun b = r.assertBuildStatusSuccess(p.scheduleBuild2(0));
     List<BadgeSummaryAction> summaryActions = b.getActions(BadgeSummaryAction.class);
     assertEquals(1, summaryActions.size());