In verifying the effect of XSS prevention, we noticed that Clover plugin uses HTML in the display name. This used to render the HTML as expected, but as we tighten up core for XSS prevention, this is now showing up in an "incorrect" way.
We normally avoid breaking plugns, but in this case, I'm thinking that this behavior is justified for several reasons:
- Display name is supposed to return a human readable name and not HTML. Display name should be usable in IRC bot messages, e-mail contents, etc. So arguably this is in violation of the method contract.
- Some display names do come from user-entered text (such as job names, build names), and in that context, to prevent XSS this escaping is needed. If we are to make the current clover plugin work with this regard, we need to handle displayName differently based on context, which is confusing.
- This only creates a page rendering problem, and does not affect the functionality of the software, so the annoyance is liveable. And fixing this doesn't preclude newer Clover plugins from running correctly in old environments.
But with that said, I'd be happy to hear other perspectives.