[JENKINS-71726] [JENKINS-71727] remove inline javascript (#8313)

* [JENKINS-71727] remove inline javascript Also JENKINS-71726 * missing id * fix script tag Co-authored-by: Kevin Guerroudj <[email protected]> --------- Co-authored-by: Kevin Guerroudj <[email protected]> Co-authored-by: Mark Waite <[email protected]>
jenkinsci · Nov 20, 2023 · d9cbaa0 · d9cbaa0
1 parent 742e95d
commit d9cbaa0
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 22 deletions.
diff --git a/core/src/main/java/hudson/Util.java b/core/src/main/java/hudson/Util.java
@@ -43,6 +43,7 @@
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.PrintStream;
+import java.io.PrintWriter;
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.Writer;
@@ -108,6 +109,7 @@
 import java.util.regex.Pattern;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
+import jenkins.model.Jenkins;
 import jenkins.util.MemoryReductionUtil;
 import jenkins.util.SystemProperties;
 import jenkins.util.io.PathRemover;
@@ -1856,6 +1858,20 @@ public static long daysElapsedSince(@NonNull Date date) {
         return t;
     }
 
+    @Restricted(NoExternalUse.class)
+    public static void printRedirect(String contextPath, String redirectUrl, String message, PrintWriter out) {
+        out.printf(
+                "<html><head>" +
+                "<meta http-equiv='refresh' content='1;url=%1$s'/>" +
+                "<script id='redirect' data-redirect-url='%1$s' src='" +
+                contextPath + Jenkins.RESOURCE_PATH +
+                "/scripts/redirect.js'></script>" +
+                "</head>" +
+                "<body style='background-color:white; color:white;'>%n" +
+                "%2$s%n" +
+                "<!--%n", Functions.htmlAttributeEscape(redirectUrl), message);
+    }
+
     public static final FastDateFormat XS_DATETIME_FORMATTER = FastDateFormat.getInstance("yyyy-MM-dd'T'HH:mm:ss'Z'", new SimpleTimeZone(0, "GMT"));
 
     // Note: RFC822 dates must not be localized!

diff --git a/core/src/main/java/hudson/model/Run.java b/core/src/main/java/hudson/model/Run.java
@@ -2665,18 +2665,13 @@ public Object getTarget() {
 
 
     public static class RedirectUp {
-        public void doDynamic(StaplerResponse rsp) throws IOException {
+        public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException {
             // Compromise to handle both browsers (auto-redirect) and programmatic access
             // (want accurate 404 response).. send 404 with javascript to redirect browsers.
             rsp.setStatus(HttpServletResponse.SC_NOT_FOUND);
             rsp.setContentType("text/html;charset=UTF-8");
             PrintWriter out = rsp.getWriter();
-            out.println("<html><head>" +
-                "<meta http-equiv='refresh' content='1;url=..'/>" +
-                "<script>window.location.replace('..');</script>" +
-                "</head>" +
-                "<body style='background-color:white; color:white;'>" +
-                "Not found</body></html>");
+            Util.printRedirect(req.getContextPath(), "..", "Not found", out);
             out.flush();
         }
     }

diff --git a/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java b/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java
@@ -26,8 +26,8 @@
 
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Functions;
+import hudson.Util;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
@@ -105,7 +105,7 @@ public void commence(HttpServletRequest req, HttpServletResponse rsp, Authentica
             } catch (IllegalStateException e) {
                 out = rsp.getWriter();
             }
-            printResponse(loginForm, out);
+            Util.printRedirect(req.getContextPath(), loginForm, "Authentication required", out);
 
             if (cause != null)
                 cause.report(out);
@@ -120,17 +120,4 @@ public void commence(HttpServletRequest req, HttpServletResponse rsp, Authentica
             out.close();
         }
     }
-
-    @SuppressFBWarnings(value = "XSS_SERVLET", justification = "Intermediate step for redirecting users to login page.")
-    private void printResponse(String loginForm, PrintWriter out) {
-        out.printf(
-            "<html><head>" +
-            "<meta http-equiv='refresh' content='1;url=%1$s'/>" +
-            "<script>window.location.replace('%1$s');</script>" +
-            "</head>" +
-            "<body style='background-color:white; color:white;'>%n" +
-            "%n%n" +
-            "Authentication required%n" +
-            "<!--%n", loginForm);
-    }
 }
diff --git a/war/src/main/webapp/scripts/redirect.js b/war/src/main/webapp/scripts/redirect.js
@@ -0,0 +1,3 @@
+let scriptTag = document.getElementById("redirect");
+let redirectUrl = scriptTag.dataset.redirectUrl;
+window.location.replace(redirectUrl);