Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Component/s: ci-game-plugin
Labels: None
One of our developers set their username so this was in the config:
<?xml version='1.0' encoding='UTF-8'?>
<user>
<fullName>First Last </a></td><td></td><td>1000000.0</td></tr><tr><td><a href="www.bbc.co.uk"></fullName>
This could be used for evil JavaScript injection purposes as well as silly ones.
Is related to: JENKINS-5135 Adopt <?jelly escape-by-default='true'?> everywhere (Resolved)
-
Code changed in jenkins
User: OHTAKE Tomohiro
Path:
src/main/resources/hudson/plugins/cigame/GameDescriptor/config.jelly
src/main/resources/hudson/plugins/cigame/GameDescriptor/global.jelly
src/main/resources/hudson/plugins/cigame/LeaderBoardAction/confirmResetScores.jelly
src/main/resources/hudson/plugins/cigame/LeaderBoardAction/index.jelly
src/main/resources/hudson/plugins/cigame/LeaderBoardAction/sidepanel.jelly
src/main/resources/hudson/plugins/cigame/ScoreCardAction/index.jelly
src/main/resources/hudson/plugins/cigame/ScoreCardAction/summary.jelly
src/main/resources/hudson/plugins/cigame/UserScoreProperty/config.jelly
http://jenkins-ci.org/commit/ci-game-plugin/9ef03da36524038322a7b9c14370a4c497e708f8
Log:
[FIXED JENKINS-14309] Prevent XSS
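
An added example, not part of the original issue or the plugin's own code: a small Python check that lists Jelly views lacking the <?jelly escape-by-default='true'?> instruction referenced in JENKINS-5135, which makes ${...} output HTML-escaped so that a full name like the one reported above renders as text instead of markup. The directory layout, file contents and the `${user.fullName}` expression in the demo are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches the processing instruction named in JENKINS-5135, with either quote style.
ESCAPE_PI = re.compile(r"""<\?jelly\s+escape-by-default\s*=\s*(['"])true\1\s*\?>""")


def has_escape_by_default(text: str) -> bool:
    """True if the Jelly source opts in to escaping ${...} output by default."""
    return ESCAPE_PI.search(text) is not None


def find_unescaped_views(root) -> list:
    """Return sorted relative paths of .jelly files under root lacking the instruction."""
    root = Path(root)
    missing = []
    for path in root.rglob("*.jelly"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if not has_escape_by_default(text):
            missing.append(path.relative_to(root).as_posix())
    return sorted(missing)


def demo() -> list:
    """Build a constructed source tree (not the plugin's real files) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        views = Path(tmp) / "LeaderBoardAction"
        views.mkdir()
        # Constructed view that opts in to escaping.
        (views / "index.jelly").write_text(
            "<?jelly escape-by-default='true'?>\n"
            "<j:jelly xmlns:j=\"jelly:core\"><td>${user.fullName}</td></j:jelly>\n",
            encoding="utf-8")
        # Constructed view without the instruction: user data is emitted raw.
        (views / "sidepanel.jelly").write_text(
            "<j:jelly xmlns:j=\"jelly:core\"><td>${user.fullName}</td></j:jelly>\n",
            encoding="utf-8")
        return find_unescaped_views(tmp)


if __name__ == "__main__":
    for name in demo():
        print("missing escape-by-default:", name)
```

Pointing `find_unescaped_views` at a plugin's `src/main/resources` directory gives the list of views to review; a file that passes can still emit raw markup wherever it explicitly disables escaping for an expression.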