[JENKINS-73907] Fix double-escaped tooltips in "Help for feature" (jenkinsci#10000)

Co-authored-by: Daniel Beck <[email protected]>
(cherry picked from commit f91ebb4)
ridemountainpig authored and krisstern committed Dec 10, 2024
1 parent dac61d8 commit 2e90e86
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion core/src/main/resources/lib/form/helpLink.jelly
Expand Up @@ -55,7 +55,7 @@ THE SOFTWARE.
</st:documentation>
<j:choose>
<j:when test="${attrs.url!=null}">
<j:set var="altText" value="${attrs.featureName != null ? '%Help for feature:' + ' ' + h.escape(attrs.featureName) : '%Help'}" />
<j:set var="altText" value="${attrs.featureName != null ? '%Help for feature:' + ' ' + attrs.featureName : '%Help'}" />
<a href="#" class="jenkins-help-button" tooltip="${altText}" helpURL="${rootURL}${attrs.url}">
<!-- .jenkins-help-button span element is required as it's restyled in CSS -->
<span>?</span>
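Review bot: Dropping `h.escape()` from the `featureName` branch of the `altText` ternary is only correct because the value is escaped again on its way into the rendered tooltip (that second escape is what produced the `&amp;lt;` double-escaping this commit fixes), but nothing in the hunk records that dependency. A one-line Jelly comment next to the `j:set`, stating that `attrs.featureName` is escaped when the `tooltip` attribute is rendered and must not be pre-escaped here, would stop a future reader from re-adding `h.escape()` and regressing the double escaping, or from removing the downstream escape and reopening the cross-site scripting path that `Security2779Test` guards against.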
2 changes: 1 addition & 1 deletion test/src/test/java/jenkins/security/Security2779Test.java
Expand Up @@ -49,7 +49,7 @@ private void noCrossSiteScriptingInHelp(String selector) throws Exception {

// assert leading space to identify unintentional double-escaping (&amp;lt;) as test failure
assertThat("tooltip does not contain dangerous HTML", jsResultString, not(containsString(" <img src=x")));
assertThat("tooltip contains safe text", jsResultString, containsString("lt;img src=x"));
assertThat("tooltip contains safe text", jsResultString, containsString(" &lt;img src=x"));
}

@TestExtension
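Review bot: The old positive assertion `containsString("lt;img src=x")` matched both `&lt;img src=x` and `&amp;lt;img src=x`, which is why the double escaping went unnoticed; the new `" &lt;img src=x"` with the leading space is what makes the test discriminate, as the comment above explains. Since the intent is to fail on double escaping, consider also adding an explicit `assertThat(jsResultString, not(containsString("&amp;lt;img src=x")))` so the failure message names the double escaping directly rather than relying on a reader to work out why the leading space matters; the existing `not(containsString(" <img src=x"))` still covers the zero-escaping case.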
